
Gentoo alert 202405-03 (Dalli)

From:  glsamaker@gentoo.org
To:  gentoo-announce@lists.gentoo.org
Subject:  [gentoo-announce] [ GLSA 202405-03 ] Dalli: Code Injection
Date:  Sat, 04 May 2024 06:44:05 -0000
Message-ID:  <171480504586.8.17075191135044501703@987c7955d8b1>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202405-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Dalli: Code Injection
     Date: May 04, 2024
     Bugs: #882077
       ID: 202405-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Dalli, which can lead to code
injection.

Background
==========

Dalli is a high performance pure Ruby client for accessing memcached
servers.

Affected packages
=================

Package         Vulnerable    Unaffected
--------------  ------------  ------------
dev-ruby/dalli  < 3.2.3       >= 3.2.3

Description
===========

A vulnerability was found in Dalli. Affected is the function
self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb
of the component Meta Protocol Handler. The manipulation leads to
injection.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Dalli users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-ruby/dalli-3.2.3"

References
==========

[ 1 ] CVE-2022-4064
      https://nvd.nist.gov/vuln/detail/CVE-2022-4064

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





