CVE-2018-1000127 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000127): memcached version prior to 1.4.37 contains an Integer Overflow vulnerability in items.c:item_free() that can result in data corruption and deadlocks due to items existing in hash table being reused from free list. This attack appears to be exploitable via network connectivity to the memcached service. This vulnerability appears to have been fixed in 1.4.37 and later.
@ Maintainer(s): Please cleanup and drop vulnerable version =net-misc/memcached-1.4.33!
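A quick way to triage which running instances still fall in the affected range (anything older than 1.4.37) is to read the reply memcached gives to the text-protocol `version` command and compare it numerically. The script below is an added example written for this bug, not code from memcached or from the Gentoo ebuild; the host names and the `VERSION` replies it feeds in are constructed, and in practice they would come from a socket read against each instance.

```python
"""Decide whether a memcached instance is in the range affected by
CVE-2018-1000127 (fixed in 1.4.37) from its reply to the `version`
command.  Example code for this bug; not part of memcached or of the
Gentoo ebuild.  All sample replies below are constructed."""

import re

FIXED_VERSION = (1, 4, 37)  # first release carrying the item_free() fix

# memcached answers the `version` command with one line: "VERSION x.y.z"
_VERSION_RE = re.compile(r"^VERSION\s+(\d+(?:\.\d+)*)")


def parse_version_reply(reply: str) -> tuple:
    """Turn 'VERSION 1.4.33\\r\\n' into (1, 4, 33); raise on anything else."""
    m = _VERSION_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a memcached VERSION reply: {reply!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: tuple) -> bool:
    """True when the version is older than the first fixed release.

    Tuple comparison is lexicographic on integers, so (1, 4, 9) < (1, 4, 37)
    holds where a naive string comparison ("1.4.9" > "1.4.37") would not.
    """
    return version < FIXED_VERSION


def triage(replies: dict) -> dict:
    """Map host -> 'affected' / 'fixed' / 'unknown' for a batch of replies."""
    result = {}
    for host, reply in replies.items():
        try:
            status = "affected" if is_affected(parse_version_reply(reply)) else "fixed"
        except ValueError:
            status = "unknown"  # not a VERSION line; do not guess
        result[host] = status
    return result


# Constructed sample replies covering versions named in this bug.
SAMPLE_REPLIES = {
    "cache-a": "VERSION 1.4.33\r\n",  # the vulnerable ebuild being dropped
    "cache-b": "VERSION 1.4.37\r\n",  # first fixed release
    "cache-c": "VERSION 1.5.8\r\n",   # later release, outside the affected range
    "cache-d": "ERROR\r\n",           # not a version reply at all
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_REPLIES).items():
        print(f"{host}: {status}")
```

The comparison is done on integer tuples rather than strings on purpose: a string compare would rank 1.4.9 above 1.4.37 and miss an affected host.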
sure that's the correct CVE? seems like we are adding another digit every year
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c98a5717c9b92ec1cf9921dd5f8065791dffff89

commit c98a5717c9b92ec1cf9921dd5f8065791dffff89
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2018-08-06 16:19:46 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2018-08-06 16:20:03 +0000

    net-misc/memcached: remove old for CVE-2018-1000127

    Bug: https://bugs.gentoo.org/662888
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 net-misc/memcached/Manifest                |  5 --
 net-misc/memcached/memcached-1.4.33.ebuild | 83 --------------------------
 net-misc/memcached/memcached-1.5.5.ebuild  | 95 ------------------------------
 net-misc/memcached/memcached-1.5.6.ebuild  | 95 ------------------------------
 net-misc/memcached/memcached-1.5.7.ebuild  | 95 ------------------------------
 net-misc/memcached/memcached-1.5.8.ebuild  | 95 ------------------------------
 6 files changed, 468 deletions(-)
GLSA vote: No