From ${URL} : The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service (segmentation fault) via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8705. References: https://www.twistlock.com/2017/07/13/cve-2017-9951-heap-overflow-memcached-server-1-4-38-twistlock-vulnerability-report/ https://github.com/memcached/memcached/wiki/ReleaseNotes1439 https://groups.google.com/forum/message/raw?msg=memcached/ubGWrkmrr4E/nrm1SeVJAQAJ @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
It is ready for stablization, I'd target 1.4.39 and not 1.5.0 as 1.5.0 hasn't had much time. We'll need the following stablereqs though. alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
@arches, please stabilize.
ia64 stable
stable 1.4.39 for ppc/ppc64
Stable on amd64.
arm stable
x86 stable
Stable on alpha.
sparc was dropped to exp. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
so I guess we are just waiting on hppa then?
(In reply to Matthew Thode ( prometheanfire ) from comment #10) > so I guess we are just waiting on hppa then? Yes.
commit 608512e3c86a80f941a9a9161a1af204035f6c1d Author: Rolf Eike Beer <eike@sf-mail.de> Date: Sat Jan 27 23:25:40 2018 +0100 net-misc/memcached: stable 1.4.39 for sparc, bug #625494
hppa, a ping?
commit 722a44f9273423e6296ef04a1d8c259deea333f1 Author: Jeroen Roovers <jer@gentoo.org> Date: Tue Mar 13 17:07:34 2018 +0100 net-misc/memcached: Stable for HPPA too.
