diff -u memcached-1.4.14/debian/changelog memcached-1.4.14/debian/changelog
--- memcached-1.4.14/debian/changelog
+++ memcached-1.4.14/debian/changelog
@@ -1,3 +1,12 @@
+memcached (1.4.14-0ubuntu9.3) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: Integer Overflow in items.c:item_free()
+ - debian/patches/CVE-2018-1000127.patch: Don't overflow item refcount
+ on get in memcached.c.
+ - CVE-2018-1000127
+
+ -- Marc Deslauriers Mon, 19 Mar 2018 10:15:57 -0400
+
 memcached (1.4.14-0ubuntu9.2) trusty-security; urgency=medium

 * SECURITY UPDATE: denial of service due to integer overflow
diff -u memcached-1.4.14/debian/patches/series memcached-1.4.14/debian/patches/series
--- memcached-1.4.14/debian/patches/series
+++ memcached-1.4.14/debian/patches/series
@@ -13,0 +14 @@
+CVE-2018-1000127.patch
only in patch2:
unchanged:
--- memcached-1.4.14.orig/debian/patches/CVE-2018-1000127.patch
+++ memcached-1.4.14/debian/patches/CVE-2018-1000127.patch
@@ -0,0 +1,49 @@
+backport of:
+
+From a8c4a82787b8b6c256d61bd5c42fb7f92d1bae00 Mon Sep 17 00:00:00 2001
+From: dormando
+Date: Sun, 21 May 2017 21:49:54 -0700
+Subject: [PATCH] Don't overflow item refcount on get
+
+Counts as a miss if the refcount is too high. ASCII multigets are the only
+time refcounts can be held for so long.
+
+doing a dirty read of refcount. is aligned.
+
+trying to avoid adding an extra refcount branch for all calls of item_get due
+to performance. might be able to move it in there after logging refactoring
+simplifies some of the branches.
+---
+ memcached.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+Index: memcached-1.4.14/memcached.c
+===================================================================
+--- memcached-1.4.14.orig/memcached.c 2018-03-19 10:15:46.911917127 -0400
++++ memcached-1.4.14/memcached.c 2018-03-19 10:15:46.911917127 -0400
+@@ -2715,6 +2715,16 @@ static void process_stat(conn *c, token_
+ }
+ }
+
++#define IT_REFCOUNT_LIMIT 60000
++static inline item* limited_get(char *key, size_t nkey) {
++ item *it = item_get(key, nkey);
++ if (it && it->refcount > IT_REFCOUNT_LIMIT) {
++ item_remove(it);
++ it = NULL;
++ }
++ return it;
++}
++
+ /* ntokens is overwritten here... shrug.. */
+ static inline void process_get_command(conn *c, token_t *tokens, size_t ntokens, bool return_cas) {
+ char *key;
+@@ -2736,7 +2746,7 @@ static inline void process_get_command(c
+ return;
+ }
+
+- it = item_get(key, nkey);
++ it = limited_get(key, nkey);
+ if (settings.detail_enabled) {
+ stats_prefix_record_get(key, nkey, NULL != it);
+ }
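Review bot: `IT_REFCOUNT_LIMIT 60000` in the new `limited_get` helper is an unexplained constant: nothing in the patch ties it to the width of `it->refcount`, whose declaration is outside this diff, so presumably the field is a 16-bit counter and the value leaves headroom below its maximum. The comparison also runs after `item_get` has already taken its reference and, per the commit message, is a dirty read, so several worker threads can pass it at once and the headroom has to exceed the number of threads that can hold a reference concurrently. I would state both next to the define, e.g. `/* keep below the maximum of item.refcount minus the worker thread count; read without the item lock */`. A lookup rejected here is reported as an ordinary miss through `stats_prefix_record_get`, so a separate counter or verbose log line would let operators notice when the limit is being hit. `process_get_command` starts and ends outside the second inner hunk.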