Your message dated Tue, 12 Jun 2018 22:04:04 +0000
with message-id <e1fsrow-00091u...@fasolo.debian.org>
and subject line Bug#868701: fixed in memcached 1.4.33-1+deb9u1
has caused the Debian Bug report #868701,
regarding memcached: CVE-2017-9951: Heap-based buffer over-read in try_read_command function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
868701: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868701
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: memcached
Version: 1.4.33-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for memcached.

CVE-2017-9951[0]:
| The try_read_command function in memcached.c in memcached before 1.4.39
| allows remote attackers to cause a denial of service (segmentation
| fault) via a request to add/set a key, which makes a comparison between
| signed and unsigned int and triggers a heap-based buffer over-read.
| NOTE: this vulnerability exists because of an incomplete fix for
| CVE-2016-8705.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9951
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9951

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
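
The signed/unsigned length comparison named in the CVE-2017-9951 description above, shown as an added illustration of the bug class beside a hardened form. This is not memcached's code: the header layout, function names and size cap are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical "set" request header; field names are assumptions, not memcached's. */
struct req_hdr {
    uint16_t keylen;   /* key bytes inside the body */
    uint8_t  extlen;   /* extras bytes inside the body */
    uint32_t bodylen;  /* total body bytes, taken from the wire */
};

#define MAX_VALUE_LEN (1024u * 1024u)  /* assumed item size limit */

/* Weak: returns 1 if accepted. bodylen is held in a signed int, and in
 * `bodylen < need` it is converted to unsigned, so a negative length becomes
 * huge and passes the "too short" check. -Wsign-compare flags that line. */
int value_len_weak(const struct req_hdr *h, long long *vlen)
{
    int bodylen = (int)h->bodylen;           /* values above INT_MAX go negative */
    unsigned int need = (unsigned int)h->keylen + h->extlen;
    if (bodylen < need)
        return 0;
    *vlen = (long long)bodylen - need;       /* can be negative here */
    return 1;
}

/* Hardened: keep every length unsigned, check before subtracting, cap the result. */
int value_len_checked(const struct req_hdr *h, uint32_t *vlen)
{
    uint32_t need = (uint32_t)h->keylen + h->extlen;
    if (h->bodylen < need)
        return 0;
    uint32_t len = h->bodylen - need;        /* cannot wrap after the check */
    if (len > MAX_VALUE_LEN)
        return 0;
    *vlen = len;
    return 1;
}

int main(void)
{
    /* Constructed input: 5-byte key, 8 bytes of extras, oversized body length. */
    struct req_hdr bad = { 5, 8, 0xFFFFFFF0u };
    long long w = 0; uint32_t c = 0;
    int weak_ok = value_len_weak(&bad, &w);
    printf("weak: accepted=%d vlen=%lld\n", weak_ok, w);
    printf("checked: accepted=%d\n", value_len_checked(&bad, &c));
    return 0;
}
```

A negative value length that reaches a later copy or comparison is what turns an accepted header into an out-of-bounds read.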
--- Begin Message ---
Source: memcached
Source-Version: 1.4.33-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jun 2018 11:37:55 +0200
Source: memcached
Binary: memcached
Architecture: source
Version: 1.4.33-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: David Martínez Moreno <en...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 868701 894404
Description: 
 memcached  - high-performance memory object caching system
Changes:
 memcached (1.4.33-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
 .
   [ Guillaume Delacour ]
   * Fix CVE-2017-9951 by checking the integer length of commands that add or
     replace a key/value pair (Closes: #868701)
   * Fix CVE-2018-1000115
     + debian/patches/10_CVE-2018-1000115.patch disable listening on UDP port
       by default (from Ubuntu)
     + debian/NEWS add explanation and document how to re-enable UDP if
       necessary.
 .
   [ Salvatore Bonaccorso ]
   * Don't overflow item refcount on get (CVE-2018-1000127) (Closes: #894404)

--- End Message ---
