Your message dated Sun, 17 Jun 2018 18:03:42 +0000
with message-id <e1fuc1e-0004mh...@fasolo.debian.org>
and subject line Bug#894404: fixed in memcached 1.4.21-1.1+deb8u2
has caused the Debian Bug report #894404,
regarding memcached: CVE-2018-1000127
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
894404: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894404
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: memcached
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for memcached:

CVE-2018-1000127[0]:
| memcached version prior to 1.4.37 contains an Integer Overflow
| vulnerability in items.c:item_free() that can result in data
| corruption and deadlocks due to items existing in hash table being
| reused from free list. This attack appears to be exploitable via
| network connectivity to the memcached service. This vulnerability
| appears to have been fixed in 1.4.37 and later.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000127
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000127

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: memcached
Source-Version: 1.4.21-1.1+deb8u2

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 894...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sun, 03 Jun 2018 15:21:23 +0200
Source: memcached
Binary: memcached
Architecture: source
Version: 1.4.21-1.1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: David Martínez Moreno <en...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 868701 894404
Description:
 memcached - high-performance memory object caching system
Changes:
 memcached (1.4.21-1.1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Heap-based buffer over-read in try_read_command function (CVE-2017-9951)
     (Closes: #868701)
   * disable UDP port by default (CVE-2018-1000115)
   * debian/NEWS: Add explanation and document how to re-enable UDP if
     necessary
   * Don't overflow item refcount on get (CVE-2018-1000127)
     (Closes: #894404)
--- End Message ---