memcached: CVE-2018-1000127


Debian Bug report logs - #894404
memcached: CVE-2018-1000127


Reported by: Antoine Beaupre <anarcat@orangeseeds.org>

Date: Thu, 29 Mar 2018 21:33:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version memcached/1.4.21-1.1

Fixed in versions memcached/1.5.0-1, 1.4.13-0.2+deb7u4, memcached/1.4.33-1+deb9u1, memcached/1.4.21-1.1+deb8u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Guillaume Delacour <gui@iroqwa.org>:
Bug#894404; Package memcached. (Thu, 29 Mar 2018 21:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Antoine Beaupre <anarcat@orangeseeds.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Guillaume Delacour <gui@iroqwa.org>. (Thu, 29 Mar 2018 21:33:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupre <anarcat@orangeseeds.org>
To: submit@bugs.debian.org
Subject: memcached: CVE-2018-1000127
Date: Thu, 29 Mar 2018 17:29:15 -0400
[Message part 1 (text/plain, inline)]
Package: memcached
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for memcached:

CVE-2018-1000127[0]:
| memcached version prior to 1.4.37 contains an Integer Overflow
| vulnerability in items.c:item_free() that can result in data
| corruption and deadlocks due to items existing in hash table being
| reused from free list. This attack appears to be exploitable via
| network connectivity to the memcached service. This vulnerability
| appears to have been fixed in 1.4.37 and later.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000127
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000127

Please adjust the affected versions in the BTS as needed.
[signature.asc (application/pgp-signature, inline)]
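The refcount hazard the CVE text describes, as an added illustration that is not memcached's own code: a cache item with a 16-bit reference count (memcached 1.4.x keeps `refcount` as an unsigned short), an unchecked `get` that lets the counter wrap to 0 so the item looks free while it is still linked in the hash table, and a checked variant in the spirit of the "Don't overflow item refcount on get" fix that refuses the reference instead. The struct, function names and the exact bound check are assumptions for this model, not the upstream patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Model only (assumption): a hash-table item whose reference count is a
 * 16-bit field. refcount is 1 while the item is linked in the hash table,
 * plus one per reference handed out to a connection. */
typedef struct {
    uint16_t refcount;
    int linked;          /* 1 while the item is in the hash table */
} item;

/* Pre-fix behaviour (modelled): take a reference with no bound check.
 * After 65535 increments the 16-bit counter wraps to 0, so the item
 * looks unreferenced while it is still linked, which is exactly the
 * "items in hash table being reused from free list" corruption. */
item *get_unchecked(item *it) {
    it->refcount++;
    return it;
}

/* Hardened variant: never let the counter reach a value it cannot
 * represent. The caller treats NULL as a cache miss; the item itself
 * stays consistent. */
item *get_checked(item *it) {
    if (it->refcount == UINT16_MAX)
        return NULL;
    it->refcount++;
    return it;
}

/* Hand out n references through one of the two variants and return how
 * many were actually granted; the caller inspects it->refcount afterwards. */
uint32_t take_refs(item *it, uint32_t n, int checked) {
    uint32_t granted = 0;
    for (uint32_t i = 0; i < n; i++) {
        item *r = checked ? get_checked(it) : get_unchecked(it);
        if (r != NULL)
            granted++;
    }
    return granted;
}

int main(void) {
    item a = { 1, 1 }, b = { 1, 1 };   /* linked, no outstanding refs */
    uint32_t ga = take_refs(&a, 65535, 0);
    uint32_t gb = take_refs(&b, 65535, 1);
    printf("unchecked: granted=%u refcount=%u linked=%d\n", ga, a.refcount, a.linked);
    printf("checked:   granted=%u refcount=%u linked=%d\n", gb, b.refcount, b.linked);
    return 0;
}
```

The unchecked item ends with refcount 0 while still linked; the checked one stops at UINT16_MAX and simply stops granting references.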

Marked as found in versions memcached/1.4.21-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 29 Mar 2018 21:42:02 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 29 Mar 2018 21:42:03 GMT) (full text, mbox, link).


Marked as fixed in versions memcached/1.5.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 29 Mar 2018 21:42:04 GMT) (full text, mbox, link).


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 29 Mar 2018 21:42:05 GMT) (full text, mbox, link).


Notification sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug acknowledged by developer. (Thu, 29 Mar 2018 21:42:06 GMT) (full text, mbox, link).


Message sent on to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug#894404. (Thu, 29 Mar 2018 21:42:08 GMT) (full text, mbox, link).


Message #18 received at 894404-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 894404-submitter@bugs.debian.org
Subject: found 894404 in 1.4.21-1.1, tagging 894404, closing 894404
Date: Thu, 29 Mar 2018 23:38:38 +0200
found 894404 1.4.21-1.1
tags 894404 + upstream fixed-upstream
close 894404 1.5.0-1
thanks




Marked as fixed in versions 1.4.13-0.2+deb7u4. Request was from Antoine Beaupré <anarcat@debian.org> to control@bugs.debian.org. (Thu, 29 Mar 2018 22:27:03 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 12 Jun 2018 22:06:13 GMT) (full text, mbox, link).


Notification sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug acknowledged by developer. (Tue, 12 Jun 2018 22:06:13 GMT) (full text, mbox, link).


Message #25 received at 894404-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 894404-close@bugs.debian.org
Subject: Bug#894404: fixed in memcached 1.4.33-1+deb9u1
Date: Tue, 12 Jun 2018 22:04:04 +0000
Source: memcached
Source-Version: 1.4.33-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894404@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jun 2018 11:37:55 +0200
Source: memcached
Binary: memcached
Architecture: source
Version: 1.4.33-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 868701 894404
Description: 
 memcached  - high-performance memory object caching system
Changes:
 memcached (1.4.33-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
 .
   [ Guillaume Delacour ]
   * Fix CVE-2017-9951 by checking the integer length of commands that add or
     replace key/value pairs (Closes: #868701)
   * Fix CVE-2018-1000115
     + debian/patches/10_CVE-2018-1000115.patch disable listening on UDP port
       by default (from Ubuntu)
     + debian/NEWS add explanation and document how to re-enable UDP if
       necessary.
 .
   [ Salvatore Bonaccorso ]
   * Don't overflow item refcount on get (CVE-2018-1000127) (Closes: #894404)
Checksums-Sha1: 
 dcf4313a69410c9c2f911e96dfe3c250480cdd1a 2203 memcached_1.4.33-1+deb9u1.dsc
 e343530c55946ccbdd78c488355b02eaf90b3b46 389813 memcached_1.4.33.orig.tar.gz
 b47209f2fe7cf3421c7c8af47fdd8b285fff25d9 15924 memcached_1.4.33-1+deb9u1.debian.tar.xz
Checksums-Sha256: 
 a739f2e38eb01c38108da37febf9958aac020ea090db83c4fc1a37e43cb25356 2203 memcached_1.4.33-1+deb9u1.dsc
 83726c8d68258c56712373072abb25a449c257398075a39ec0867fd8ba69771d 389813 memcached_1.4.33.orig.tar.gz
 9f15cacc3a2b7cbbb73aa681325e078e4de066cc65c07c4b572ab43132b67171 15924 memcached_1.4.33-1+deb9u1.debian.tar.xz
Files: 
 9e5331a297dc4771f5e45d410d26a04c 2203 web optional memcached_1.4.33-1+deb9u1.dsc
 2d7f6476283cd36e21e521d901d37a8f 389813 web optional memcached_1.4.33.orig.tar.gz
 d36d194545c3cfcd799411fa0e2ec0a9 15924 web optional memcached_1.4.33-1+deb9u1.debian.tar.xz





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 17 Jun 2018 18:06:09 GMT) (full text, mbox, link).


Notification sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug acknowledged by developer. (Sun, 17 Jun 2018 18:06:10 GMT) (full text, mbox, link).


Message #30 received at 894404-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 894404-close@bugs.debian.org
Subject: Bug#894404: fixed in memcached 1.4.21-1.1+deb8u2
Date: Sun, 17 Jun 2018 18:03:42 +0000
Source: memcached
Source-Version: 1.4.21-1.1+deb8u2

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894404@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jun 2018 15:21:23 +0200
Source: memcached
Binary: memcached
Architecture: source
Version: 1.4.21-1.1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 868701 894404
Description: 
 memcached  - high-performance memory object caching system
Changes:
 memcached (1.4.21-1.1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Heap-based buffer over-read in try_read_command function (CVE-2017-9951)
     (Closes: #868701)
   * disable UDP port by default (CVE-2018-1000115)
   * debian/NEWS: Add explanation and document how to re-enable UDP if
     necessary
   * Don't overflow item refcount on get (CVE-2018-1000127) (Closes: #894404)
Checksums-Sha1: 
 6901d63d584bde6a11f7d422bab6712d2696bf89 2194 memcached_1.4.21-1.1+deb8u2.dsc
 2016df8d8b356050e61fb31b7a672b22977a5aaa 17396 memcached_1.4.21-1.1+deb8u2.debian.tar.xz
Checksums-Sha256: 
 1708eeb259b35d9240bed705243958cf0794f056e8077c700fb0040b8b17cfa0 2194 memcached_1.4.21-1.1+deb8u2.dsc
 04cbe5dc6f9bafc493a0a73ca32fabe4e3428c85d9ea9b3e2ae1206005c0096c 17396 memcached_1.4.21-1.1+deb8u2.debian.tar.xz
Files: 
 6c6e7171237601151b0f900dd19a0cf7 2194 web optional memcached_1.4.21-1.1+deb8u2.dsc
 fbb18fe88d8e9fc41a996845593326af 17396 web optional memcached_1.4.21-1.1+deb8u2.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Feb 2019 07:25:01 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:44:11 2019; Machine Name: beach
