1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 4218-1] memcached security update

    From Salvatore Bonaccorso@1:229/2 to All on Wed Jun 6 21:00:01 2018
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-4218-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso
    June 06, 2018 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : memcached
    CVE ID : CVE-2017-9951 CVE-2018-1000115 CVE-2018-1000127
    Debian Bug : 868701 894404

    Several vulnerabilities were discovered in memcached, a high-performance
    memory object caching system. The Common Vulnerabilities and Exposures
    project identifies the following problems:

    CVE-2017-9951

    Daniel Shapira reported a heap-based buffer over-read in memcached
    (resulting from an incomplete fix for CVE-2016-8705) triggered by
    specially crafted requests to add/set a key and allowing a remote
    attacker to cause a denial of service.

    CVE-2018-1000115

    It was reported that memcached listens to UDP by default. A remote
    attacker can take advantage of it to use the memcached service as a
    DDoS amplifier.

    Default installations of memcached in Debian are not affected by
    this issue as the installation defaults to listen only on localhost.
    This update disables the UDP port by default. Listening on the UDP
    can be re-enabled in the /etc/memcached.conf (cf.
    /usr/share/doc/memcached/NEWS.Debian.gz).

    CVE-2018-1000127

    An integer overflow was reported in memcached, resulting in resource
    leaks, data corruption, deadlocks or crashes.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 1.4.21-1.1+deb8u2.

    For the stable distribution (stretch), these problems have been fixed in version 1.4.33-1+deb9u1.

    We recommend that you upgrade your memcached packages.

    For the detailed security status of memcached please refer to its
    security tracker page at:
    https://security-tracker.debian.org/tracker/memcached

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsYLGtfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Q+HhAAoEuUicW14NzDTX0yGH8ZluMAK4Woha1rODMJdchudHtMfTiqIhTfZhUk Gs8mOrR67F7XNKJx78DmIp7s1LNclwxbAt/UlUV3m+TaV3udK2Ai16kIaNms3soj JEkJI9W0w7EyG4q0oyvAaEDDRPP25m3LiO05mW2qDOZUpKYdGLxnONTFngMJ/3Ov bTNo8cUR203wyCSxyPv1Ye1Lr7anM61OzmUTg7pnE5a4e5D4ojrVx8Fjox43ppfa KIcdqtJCZ3jTZaBqgKc2XhuhbDoOv8/apWDqefqxWI+S0GiQHvS2PuWY5q5b79AW Xkppog9Q0NGj1Z6BX/G+LOwDGsp/kLtD+59rYdThBW2J5cKMrNOtgHlP6QjRfDYY TWQPTWJzbWvOLiNBqtmN+Ryvcwvi11dSl8OsY/7Kh430zwE4q2/I9IMvZ0emRFXx zw2QzlrpI5v753geHrV1UktPU8Wb/UWZbPZBCqmhTF5awLWY8NgcYZ5VowMuUqOG ODLQ+dN0MKlV/qQPC3VyGMruY8zLt7X8a2UPINI6R1qL0bJ6CVwGCAgIFVo1OyTp Yo6VXgYb0cIxmimh0q4up25FSXqXCh9ppbgZsvdFdAw4+zy1m9B0TprWJf+SRoms LYwT76G0a8yuBnzMF616PQsi1yR6eKTRGKXxY9Si9Ai5JfYtJZM=
    =HIAh
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)