memcached-1.6.9-2.3 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11045-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z memcached-1.6.9-2.3 on GA media These are all security issues fixed in the memcached-1.6.9-2.3 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11045 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-9951/ SUSE CVE CVE-2017-9951 page https://www.suse.com/security/cve/CVE-2018-1000115/ SUSE CVE CVE-2018-1000115 page https://www.suse.com/security/cve/CVE-2018-1000127/ SUSE CVE CVE-2018-1000127 page https://www.suse.com/security/cve/CVE-2020-10931/ SUSE CVE CVE-2020-10931 page openSUSE Tumbleweed memcached-1.6.9-2.3 memcached-devel-1.6.9-2.3 memcached-1.6.9-2.3 as a component of openSUSE Tumbleweed memcached-devel-1.6.9-2.3 as a component of openSUSE Tumbleweed The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service (segmentation fault) via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8705. CVE-2017-9951 openSUSE Tumbleweed:memcached-1.6.9-2.3 openSUSE Tumbleweed:memcached-devel-1.6.9-2.3 critical 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-9951.html CVE-2017-9951 https://bugzilla.suse.com/1007870 SUSE Bug 1007870 https://bugzilla.suse.com/1056865 SUSE Bug 1056865 Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported by reliable sources). This attack appear to be exploitable via network connectivity to port 11211 UDP. This vulnerability appears to have been fixed in 1.5.6 due to the disabling of the UDP protocol by default. CVE-2018-1000115 openSUSE Tumbleweed:memcached-1.6.9-2.3 openSUSE Tumbleweed:memcached-devel-1.6.9-2.3 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000115.html CVE-2018-1000115 https://bugzilla.suse.com/1083903 SUSE Bug 1083903 memcached version prior to 1.4.37 contains an Integer Overflow vulnerability in items.c:item_free() that can result in data corruption and deadlocks due to items existing in hash table being reused from free list. This attack appear to be exploitable via network connectivity to the memcached service. This vulnerability appears to have been fixed in 1.4.37 and later. CVE-2018-1000127 openSUSE Tumbleweed:memcached-1.6.9-2.3 openSUSE Tumbleweed:memcached-devel-1.6.9-2.3 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000127.html CVE-2018-1000127 https://bugzilla.suse.com/1085209 SUSE Bug 1085209 Memcached 1.6.x before 1.6.2 allows remote attackers to cause a denial of service (daemon crash) via a crafted binary protocol header to try_read_command_binary in memcached.c. CVE-2020-10931 openSUSE Tumbleweed:memcached-1.6.9-2.3 openSUSE Tumbleweed:memcached-devel-1.6.9-2.3 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-10931.html CVE-2020-10931 https://bugzilla.suse.com/1167522 SUSE Bug 1167522