Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-701-1 memcached

Debian Security Advisory

DLA-701-1 memcached -- LTS security update

Date Reported:

05 Nov 2016

Affected Packages:

memcached

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 735314, Bug 842811, Bug 842812, Bug 842814.
In Mitre's CVE dictionary: CVE-2013-7291, CVE-2016-8704, CVE-2016-8705, CVE-2016-8706.

More information:

Multiple vulnerabilites have been found in memcached, a high-performance memory object caching system. A remote attacker could take advantage of these flaws to cause a denial of service (daemon crash), or potentially to execute arbitrary code.

• CVE-2013-7291

  It was discovered that memcached, when running in verbose mode, can be crashed by sending carefully crafted requests that trigger an unbounded key print, resulting in a daemon crash.

• CVE-2016-8704 / CVE-2016-8705 / CVE-2016-8706

  Aleksandar Nikolic of Cisco Talos found several vulnerabilities in memcached. A remote attacker could cause an integer overflow by sending carefully crafted requests to the memcached server, resulting in a daemon crash.

For Debian 7 Wheezy, these problems have been fixed in version 1.4.13-0.2+deb7u2.

We recommend that you upgrade your memcached packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS