diff -Nru memcached-1.4.25/debian/changelog memcached-1.4.25/debian/changelog
--- memcached-1.4.25/debian/changelog 2018-03-05 09:28:30.000000000 +0000
+++ memcached-1.4.25/debian/changelog 2018-03-19 14:15:02.000000000 +0000
@@ -1,3 +1,12 @@
+memcached (1.4.25-2ubuntu1.4) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Integer Overflow in items.c:item_free()
+ - debian/patches/CVE-2018-1000127.patch: Don't overflow item refcount
+ on get in memcached.c.
+ - CVE-2018-1000127
+
+ -- Marc Deslauriers Mon, 19 Mar 2018 10:15:02 -0400
+
 memcached (1.4.25-2ubuntu1.3) xenial-security; urgency=medium
 
 * SECURITY UPDATE: denial of service due to integer overflow
diff -Nru memcached-1.4.25/debian/patches/CVE-2018-1000127.patch memcached-1.4.25/debian/patches/CVE-2018-1000127.patch
--- memcached-1.4.25/debian/patches/CVE-2018-1000127.patch 1970-01-01 00:00:00.000000000 +0000
+++ memcached-1.4.25/debian/patches/CVE-2018-1000127.patch 2018-03-19 14:14:59.000000000 +0000
@@ -0,0 +1,49 @@
+backport of:
+
+From a8c4a82787b8b6c256d61bd5c42fb7f92d1bae00 Mon Sep 17 00:00:00 2001
+From: dormando
+Date: Sun, 21 May 2017 21:49:54 -0700
+Subject: [PATCH] Don't overflow item refcount on get
+
+Counts as a miss if the refcount is too high. ASCII multigets are the only
+time refcounts can be held for so long.
+
+doing a dirty read of refcount. is aligned.
+
+trying to avoid adding an extra refcount branch for all calls of item_get due
+to performance. might be able to move it in there after logging refactoring
+simplifies some of the branches.
+---
+ memcached.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+Index: memcached-1.4.25/memcached.c
+===================================================================
+--- memcached-1.4.25.orig/memcached.c 2018-03-19 10:14:09.743752066 -0400
++++ memcached-1.4.25/memcached.c 2018-03-19 10:14:50.403821056 -0400
+@@ -2884,6 +2884,16 @@ static void process_stat(conn *c, token_
+ }
+ }
+
++#define IT_REFCOUNT_LIMIT 60000
++static inline item* limited_get(char *key, size_t nkey) {
++ item *it = item_get(key, nkey);
++ if (it && it->refcount > IT_REFCOUNT_LIMIT) {
++ item_remove(it);
++ it = NULL;
++ }
++ return it;
++}
++
+ /* ntokens is overwritten here... shrug.. */
+ static inline void process_get_command(conn *c, token_t *tokens, size_t ntokens, bool return_cas) {
+ char *key;
+@@ -2908,7 +2918,7 @@ static inline void process_get_command(c
+ return;
+ }
+
+- it = item_get(key, nkey);
++ it = limited_get(key, nkey);
+ if (settings.detail_enabled) {
+ stats_prefix_record_get(key, nkey, NULL != it);
+ }
diff -Nru memcached-1.4.25/debian/patches/series memcached-1.4.25/debian/patches/series
--- memcached-1.4.25/debian/patches/series 2018-03-05 08:52:25.000000000 +0000
+++ memcached-1.4.25/debian/patches/series 2018-03-19 14:14:05.000000000 +0000
@@ -10,3 +10,4 @@
 CVE-2016-870x.patch
 CVE-2017-9951.patch
 disable-udp-by-default.patch
+CVE-2018-1000127.patch
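Review bot: `IT_REFCOUNT_LIMIT 60000` in the nested memcached.c hunk at -2884 is an undocumented magic number whose safety rests on things the patch never states: the width of `it->refcount` (not visible here, presumably a 16-bit field, to be confirmed in memcached.h) and the fact that `limited_get()` tests the count only after `item_get()` has already taken its reference, using what the commit message calls a dirty read. I would add above the define: `/* Keep well below the maximum of item.refcount: tested after item_get() has already incremented it, without a lock, so the gap is the safety margin. */`. Only the `process_get_command()` call at -2908 is switched to `limited_get()`; a short comment on the helper saying why other `item_get()` callers are exempt would stop later long-held references from bypassing the guard. A refused get is recorded as an ordinary miss, so a dedicated counter or log line would let operators see when the limit trips. `process_get_command()` begins and ends outside both hunks.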