The process_bin_delete function in memcached.c in memcached 1.4.4 and other
versions before 1.4.17, when running in verbose mode, allows remote
attackers to cause a denial of service (segmentation fault) via a request
to delete a key, which does not account for the lack of a null terminator
in the key and triggers a buffer over-read when printing to stderr.
jdstrand> requires '-vv' with is non-default
mdeslaur> The second commit in the bug report was split out into two
mdeslaur> additional CVEs, CVE-2013-7290 and CVE-2013-7291.
Updated: 2014-01-15 18:14:42 UTC (commit 7645)