Debian 9899 Published by

A memcached update has been released for Debian 7 LTS and an update for ruby-mixlib-archive has been released for Debian 8/9:

[DLA 1033-1] memcached security update
[DSA 3915-1] ruby-mixlib-archive security update

[DLA 1033-1] memcached security update

Package : memcached
Version : 1.4.13-0.2+deb7u3
CVE ID : CVE-2017-9951
Debian Bug : #868701

It was discovered that there was a remote denial-of-service (DoS) vulnerability
in memcached, a high-performance memory object caching system.

The try_read_command function allowed remote attackers to cause a DoS via a
request to add/set a key that makes a comparison between a signed and unsigned
integer which triggered a heap-based buffer over-read.

This vulnerability existed due to an incomplete upstream fix for CVE-2016-8705.

For Debian 7 "Wheezy", this issue has been fixed in memcached version

We recommend that you upgrade your memcached packages.

[DSA 3915-1] ruby-mixlib-archive security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3915-1 Sebastien Delafond
July 20, 2017
- -------------------------------------------------------------------------

Package : ruby-mixlib-archive
CVE ID : CVE-2017-1000026
Debian Bug : 868572

It was discovered that ruby-mixlib-archive, a Chef Software's library
used to handle various archive formats, was vulnerable to a directory
traversal attack. This allowed attackers to overwrite arbitrary files
by using a malicious tar archive containing ".." in its entries.

For the stable distribution (stretch), this problem has been fixed in
version 0.2.0-1+deb9u1.

We recommend that you upgrade your ruby-mixlib-archive packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: