PublicDateAtUSN: 2018-03-13
Candidate: CVE-2018-1000127
PublicDate: 2018-03-13 21:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000127
 https://github.com/memcached/memcached/wiki/ReleaseNotes1437
 https://ubuntu.com/security/notices/USN-3601-1
Description:
 memcached version prior to 1.4.37 contains an Integer Overflow
 vulnerability in items.c:item_free() that can result in data corruption and
 deadlocks due to items existing in hash table being reused from free list.
 This attack appear to be exploitable via network connectivity to the
 memcached service. This vulnerability appears to have been fixed in 1.4.37
 and later.
Ubuntu-Description:
Notes:
Bugs:
 https://github.com/memcached/memcached/issues/271
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_memcached:
 upstream: https://github.com/memcached/memcached/commit/a8c4a82787b8b6c256d61bd5c42fb7f92d1bae00
upstream_memcached: released (1.5.0-1)
precise/esm_memcached: DNE
trusty_memcached: released (1.4.14-0ubuntu9.3)
trusty/esm_memcached: DNE (trusty was released [1.4.14-0ubuntu9.3])
xenial_memcached: released (1.4.25-2ubuntu1.4)
esm-infra/xenial_memcached: released (1.4.25-2ubuntu1.4)
artful_memcached: released (1.4.33-1ubuntu3.3)
devel_memcached: not-affected (1.5.6-0ubuntu1)