Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.1703 memcached security update 7 June 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: memcached Publisher: Debian Operating System: Debian GNU/Linux 8 Debian GNU/Linux 9 Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2018-1000127 CVE-2018-1000115 CVE-2017-9951 CVE-2016-8705 Reference: ASB-2016.0099 ESB-2018.0959 ESB-2016.2800 ESB-2016.2606 Original Bulletin: http://www.debian.org/security/2018/dsa-4218 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4218-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 06, 2018 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : memcached CVE ID : CVE-2017-9951 CVE-2018-1000115 CVE-2018-1000127 Debian Bug : 868701 894404 Several vulnerabilities were discovered in memcached, a high-performance memory object caching system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2017-9951 Daniel Shapira reported a heap-based buffer over-read in memcached (resulting from an incomplete fix for CVE-2016-8705) triggered by specially crafted requests to add/set a key and allowing a remote attacker to cause a denial of service. CVE-2018-1000115 It was reported that memcached listens to UDP by default. A remote attacker can take advantage of it to use the memcached service as a DDoS amplifier. Default installations of memcached in Debian are not affected by this issue as the installation defaults to listen only on localhost. This update disables the UDP port by default. Listening on the UDP can be re-enabled in the /etc/memcached.conf (cf. /usr/share/doc/memcached/NEWS.Debian.gz). CVE-2018-1000127 An integer overflow was reported in memcached, resulting in resource leaks, data corruption, deadlocks or crashes. For the oldstable distribution (jessie), these problems have been fixed in version 1.4.21-1.1+deb8u2. For the stable distribution (stretch), these problems have been fixed in version 1.4.33-1+deb9u1. We recommend that you upgrade your memcached packages. For the detailed security status of memcached please refer to its security tracker page at: https://security-tracker.debian.org/tracker/memcached Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsYLGtfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Q+HhAAoEuUicW14NzDTX0yGH8ZluMAK4Woha1rODMJdchudHtMfTiqIhTfZhUk Gs8mOrR67F7XNKJx78DmIp7s1LNclwxbAt/UlUV3m+TaV3udK2Ai16kIaNms3soj JEkJI9W0w7EyG4q0oyvAaEDDRPP25m3LiO05mW2qDOZUpKYdGLxnONTFngMJ/3Ov bTNo8cUR203wyCSxyPv1Ye1Lr7anM61OzmUTg7pnE5a4e5D4ojrVx8Fjox43ppfa KIcdqtJCZ3jTZaBqgKc2XhuhbDoOv8/apWDqefqxWI+S0GiQHvS2PuWY5q5b79AW Xkppog9Q0NGj1Z6BX/G+LOwDGsp/kLtD+59rYdThBW2J5cKMrNOtgHlP6QjRfDYY TWQPTWJzbWvOLiNBqtmN+Ryvcwvi11dSl8OsY/7Kh430zwE4q2/I9IMvZ0emRFXx zw2QzlrpI5v753geHrV1UktPU8Wb/UWZbPZBCqmhTF5awLWY8NgcYZ5VowMuUqOG ODLQ+dN0MKlV/qQPC3VyGMruY8zLt7X8a2UPINI6R1qL0bJ6CVwGCAgIFVo1OyTp Yo6VXgYb0cIxmimh0q4up25FSXqXCh9ppbgZsvdFdAw4+zy1m9B0TprWJf+SRoms LYwT76G0a8yuBnzMF616PQsi1yR6eKTRGKXxY9Si9Ai5JfYtJZM= =HIAh - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWxjC12aOgq3Tt24GAQiJ3g//XWlba4xpD4bOTSTe4cNpg2T5Xrm9SrmI buHxvDTxCJnokBhHXey++tZWQ84XimHMEnv7N5uqwfmh3aHYLwcu8IW3SQvMacRU zeV+7VqrcaZSUcWHNnPD/t2ETOOJwjbWGWXVCGeM17TKSr8GFq+A15VMav0FVhOS IdNmFdpDyx0AhUdEVaIgFD2wUn6+2rvznnQZejvm+LQca/T2+GluuY82m7j3Uqtf KNK5sl2wU0ZLjsN75Y5uMKVzqGf32wo6UUV1Zb+CiIfQ+MU3tNIzR3k2l0NzrL7u 8A+YfYEa3FvcbejA9r7eg4IcGU9x9swt6aEhUy+lMBSiWPX8GpKzwrbJew4ncw1x RIqQbHTO3UmIa/G0Uv0zQD8DYnlW2xYBS1rX+e51G8mduk8oHFXT7KTRTzoOnb7z MS7WjFbmnpFx07xsDZGlaEtuWGoIsSJiU8ANj8r1cwj+d5tcPidaBK97mF8OVmBi ChRRuxW2dI+9UkUEym46bP1IOm24fgXVcYmShulY+r9abiKXXnnCbBUE8+O2PXwH Tvt5PbUYzOCMtPU9GIg64i7SWVKWSgZGwaZE5ZS5ZoPJsCYREjdP3S8sn/Sootqt syrAxruRUHjfasCfrrl9ASyNBOd/iYqvyFzRUh4LNeJ45BG/9urLVQ+Ubm6f1ym5 j4Cp13otUBU= =LQYT -----END PGP SIGNATURE-----