Your message dated Tue, 12 Jun 2018 22:04:04 +0000
with message-id <e1fsrow-00091b...@fasolo.debian.org>
and subject line Bug#894404: fixed in memcached 1.4.33-1+deb9u1
has caused the Debian Bug report #894404,
regarding memcached: CVE-2018-1000127
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
894404: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894404
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: memcached
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for memcached:

CVE-2018-1000127[0]:
| memcached version prior to 1.4.37 contains an Integer Overflow
| vulnerability in items.c:item_free() that can result in data
| corruption and deadlocks due to items existing in hash table being
| reused from free list. This attack appear to be exploitable via
| network connectivity to the memcached service. This vulnerability
| appears to have been fixed in 1.4.37 and later.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000127
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000127

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: memcached
Source-Version: 1.4.33-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 894...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sun, 03 Jun 2018 11:37:55 +0200
Source: memcached
Binary: memcached
Architecture: source
Version: 1.4.33-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: David Martínez Moreno <en...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 868701 894404
Description:
 memcached  - high-performance memory object caching system
Changes:
 memcached (1.4.33-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
 .
   [ Guillaume Delacour ]
   * Fix CVE-2017-9951 by checking the integer length of commands that adds
     or replaces key/value pair (Closes: #868701)
   * Fix CVE-2018-1000115
     + debian/patches/10_CVE-2018-1000115.patch disable listening on UDP port
       by default (from Ubuntu)
     + debian/NEWS add explanation and document how to re-enable UDP if
       necessary.
 .
   [ Salvatore Bonaccorso ]
   * Don't overflow item refcount on get (CVE-2018-1000127) (Closes: #894404)
--- End Message ---