1. Forum
  2. Usenet
  3. LINUX.GENTOO.ANNOUNCE

  • [gentoo-announce] [ GLSA 202405-03 ] Dalli: Code Injection

    From glsamaker@gentoo.org@21:1/5 to All on Sat May 4 08:50:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202405-03
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: Dalli: Code Injection
    Date: May 04, 2024
    Bugs: #882077
    ID: 202405-03

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in Dalli, which can lead to code
    injection.

    Background
    ==========

    Dalli is a high performance pure Ruby client for accessing memcached
    servers.

    Affected packages
    =================

    Package Vulnerable Unaffected
    -------------- ------------ ------------
    dev-ruby/dalli < 3.2.3 >= 3.2.3

    Description
    ===========

    A vulnerability was found in Dalli. Affected is the function
    self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb
    of the component Meta Protocol Handler. The manipulation leads to
    injection.

    Impact
    ======

    Please review the referenced CVE identifiers for details.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All Dalli users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-ruby/dalli-3.2.3"

    References
    ==========

    [ 1 ] CVE-2022-4064
    https://nvd.nist.gov/vuln/detail/CVE-2022-4064

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202405-03

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmY12TUACgkQFMQkOaVy +9lxJBAAi3g1Z/Uv46tLc6OBy72GV5MQXd2RIcX/orG+/pOodm0Do2luD6K/oGHs MECKvxTyD6hPMeVTUiw/fSxQV7vSUVs9G2/2p4PDL28+FnynM5gL/DETBv8323IT s4FjY2Ggw/B/9Cqe8HpsCUezvPSx085VO8YpUZf9OeJsm8B9hMPg9rkOBngvrkwP 34hiNo8r42VS2H5RE9jMn+77SmTYMIf+zbEKnKe1oDLGE+jTVI9KaybSVPVPPRkn a6+i9GdI2xE8W8ZgDPrUwWD8t48Tgf0pM7WBMBWD0+04YtdfKkQcOlKXBujNkST4 tk1iojuEiJBP25TKkDX3meaOlcYbptH8nDYJ+lbNIndLPDJyAtciZJMuJGCV3Hnw Ch7Yp3QYFrsZ89IoPFTk1dwnFJmEVNSTt3Ky/qnhcBLlD18rdYo34fWt4B9d5iN1 f5xlhPfCsCLPrxhycCsgGTPC0I/OBKRWng6X8hMzuzJKtAbf+oH7Lr9dcnc3CLzJ ZNntPd76KDC34cafctYpsFfQpw9F5TmSHnu7p93dbvgjuU+eChMGyDVwz3NpECdU lmMFTj2ys88bSWDyWrhvAsC0He4E8EPnsx65txKibLDzpbD0D5E+bGReRbQ+L20q CZFvt/pcOrVy2JZRyV3tIyn2S4TOqKfqjMSx+AiT5CZn6NVH870=
    =nSs7
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)