Debian Security Advisory

DLA-701-1 memcached -- LTS security update

Date Reported:
05 Nov 2016
Affected Packages:
memcached
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 735314, Bug 842811, Bug 842812, Bug 842814.
In Mitre's CVE dictionary: CVE-2013-7291, CVE-2016-8704, CVE-2016-8705, CVE-2016-8706.
More information:

Multiple vulnerabilities have been found in memcached, a high-performance memory object caching system. A remote attacker could take advantage of these flaws to cause a denial of service (daemon crash), or potentially to execute arbitrary code.

  • CVE-2013-7291

    It was discovered that memcached, when running in verbose mode, can be crashed by carefully crafted requests that trigger an unbounded key print.

  • CVE-2016-8704 / CVE-2016-8705 / CVE-2016-8706

    Aleksandar Nikolic of Cisco Talos found several vulnerabilities in memcached. A remote attacker could cause an integer overflow by sending carefully crafted requests to the memcached server, resulting in a daemon crash.

For Debian 7 Wheezy, these problems have been fixed in version 1.4.13-0.2+deb7u2.

We recommend that you upgrade your memcached packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS