Fedora has issued an advisory today (November 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EGQ5CRXRSHTKFUB5MCASDOTTZT7YR6IR/

The issue was fixed upstream in 1.4.39.

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
CC: (none) => luis.daniel.lucio, mageia, marja11, oe, olav, shlomif, tmb
Assignee: bugsquad => pkg-bugs
Hi.

Updated memcached version 1.4.39 for MGA5 and MGA6 pushed to updates_testing.
New version for Cauldron, 1.5.3, pushed to core/release.

Cheers,
Stig
CC: (none) => smelror
Advisory:
========================

Updated memcached packages fix security vulnerability:

The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service (segmentation fault) via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read (CVE-2017-9951).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9951
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EGQ5CRXRSHTKFUB5MCASDOTTZT7YR6IR/
========================

Updated packages in core/updates_testing:
========================
memcached-1.4.39-1.mga5
memcached-devel-1.4.39-1.mga5
memcached-1.4.39-1.mga6
memcached-devel-1.4.39-1.mga6

from SRPMS:
memcached-1.4.39-1.mga5.src.rpm
memcached-1.4.39-1.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs
MGA5-32 on Dell Latitude D600
No installation issues.
Tried to follow test as per bug 12156, after installing php, but get

$ php memcac.php
PHP Fatal error: Class 'Memcached' not found in /home/tester5/Documenten/memcac.php on line 4

Apparently something still missing in this new setup, but that will have to wait until tomorrow.
CC: (none) => herman.viaene
Found out that I needed to install the package php-memcached.
Once this is in place, the test as mentioned above runs OK:

$ php memcac.php
my test data : SUCCESS
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
Keywords: (none) => advisory
Trying M6/64

Installing from issued repos 'memcached-1.4.25-2.mga6.x86_64'.
UPDATEd to: 'memcached-1.4.39-1.mga6'

Using the quick test given in
https://bugs.mageia.org/show_bug.cgi?id=12156#c8
which (comment 5) needs also 'php-memcached'.

Problem: wrong output

$ php memcachedtest.php
[blank line, the final \n I suppose]
$

For reference:

$ cat memcachedtest.php
#!/bin/php
<?php
$m = new Memcached();
$m->addServer('127.0.0.1', 11211);
$m->set('test', 'my test data : SUCCESS');
echo $m->get('test') . "\n";
?>

I added the final '?>' line, but with or without it, the result was the same.
Tried adding also memcached-devel-1.4.39-1.mga6.x86_64, which made no difference.
Am I doing something silly? CCing Samuel [test author] in case he can advise.
CC: (none) => lewyssmith, stormi
Continuing M6/64

Downgraded memcached to PREupdate version 1.4.25-2, and got the same test non-result as above; so it is at least not due to the update.
@ Lewis:
Copy of my test file that did OK:

#!/bin/php
<?php
$m = new Memcached();
$m->addServer('127.0.0.1', 11211);
$m->set('test', 'my test data : SUCCESS');
echo $m->get('test') . "\n";

Did you check the package php-memcached?
(In reply to Herman Viaene from comment #8)
> Did you check the package php-memcached?

Yes: php-memcached-2.2.0-2.mga6

I copied the script you gave above (which looked exactly the same as what I had); still no joy (here after the update): memcached-1.4.39-1.mga6

$ ./memcachedtest.php
$

Will ask around.
Installed and tested without issues.

System: Mageia 5, x86_64, Intel CPU.

$ php memcachetest.php
my test data : SUCCESS
$
$ cat memcachetest.php
<?php
$m = new Memcached();
$m->addServer('127.0.0.1', 11211);
$m->set('test', 'my test data : SUCCESS');
echo $m->get('test') . "\n";
$
$ uname -a
Linux marte 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$
$ rpm -qa | grep memcached | sort
lib64memcached11-1.0.17-6.mga5
memcached-1.4.39-1.mga5
php-memcached-2.2.0-0.0.RC1.4.mga5
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK
CC: (none) => mageia
(In reply to Lewis Smith from comment #9)
> $ ./memcachedtest.php
>
> $

This was not correct. It should have been (and was previously in c.6, and now):

$ php memcachedtest.php
$

@PC_LX: Thank you for confirming Mageia 5 x64.
In my comment I forgot to mention that the memcached must be installed and running. If memcached is not running then the test script memcachedtest.php will output nothing.

I used the following commands to install, enable, start and check the status of the memcached service.

# urpmi memcached
# systemctl enable memcached@11211
# systemctl start memcached@11211
# systemctl status memcached@11211
Brilliant! That is all it was. It had not occurred to me that a daemon was involved and might not be running; normally when daemons are installed, they are started.

Testing M6x64 post update: memcached-1.4.39-1.mga6

# systemctl enable memcached@11211
Created symlink /etc/systemd/system/memcached.target.wants/memcached@11211.service → /usr/lib/systemd/system/memcached@.service.
# systemctl start memcached@11211
# systemctl status memcached@11211
● memcached@11211.service - Memcached NoSQL key+value store on port 11211
   Loaded: loaded (/usr/lib/systemd/system/memcached@.service; enabled; vendor p
   Active: active (running) since Iau 2017-11-30 10:54:24 CET; 24s ago
...

$ php memcachedtest.php
my test data : SUCCESS

So thanks to PC_LX, a Mageia 6 OK. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK
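Added example, not part of the bug report or of memcached: the QA script used in this thread prints only a blank line when no daemon answers, so this check speaks the memcached text protocol directly (no php-memcached needed) and returns DOWN, FAIL or OK together with the version of the daemon that replied. The function name smoke_test and the 60-second expiry are assumptions; host and port default to the 127.0.0.1:11211 instance used in the thread.

```python
#!/usr/bin/env python3
"""memcached smoke test over the text protocol (added example)."""
import socket
import sys


def _line(reply):
    """Read one CRLF-terminated reply line, without the CRLF."""
    line = reply.readline()
    if not line.endswith(b"\r\n"):
        raise ConnectionError("connection closed mid-reply")
    return line[:-2]


def smoke_test(host="127.0.0.1", port=11211, key="test",
               value=b"my test data : SUCCESS", timeout=2.0):
    """Return (status, detail); status is "OK", "DOWN" or "FAIL"."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # The silent case from the thread: nothing is listening on the port.
        return "DOWN", f"cannot connect to {host}:{port}: {exc}"
    with sock, sock.makefile("rb") as reply:
        try:
            sock.sendall(b"version\r\n")
            version = _line(reply)
            if not version.startswith(b"VERSION "):
                return "FAIL", f"unexpected version reply: {version!r}"
            # set <key> <flags> <exptime> <bytes>; the key expires after 60 s
            sock.sendall(b"set %s 0 60 %d\r\n%s\r\n"
                         % (key.encode(), len(value), value))
            if _line(reply) != b"STORED":
                return "FAIL", "set was not acknowledged with STORED"
            sock.sendall(b"get %s\r\n" % key.encode())
            head = _line(reply).split()  # VALUE <key> <flags> <bytes>
            if len(head) != 4 or head[0] != b"VALUE":
                return "FAIL", "key missing right after set"
            data = reply.read(int(head[3]) + 2)[:-2]  # payload, minus CRLF
        except (OSError, ValueError) as exc:
            return "FAIL", f"protocol error: {exc}"
    if data != value:
        return "FAIL", f"read back {data!r}, expected {value!r}"
    return "OK", version[len(b"VERSION "):].decode()


if __name__ == "__main__":
    status, detail = smoke_test()
    print(f"{status}: {detail}")
    sys.exit(0 if status == "OK" else 1)
```

If the OK line shows a version older than the installed package after an update, the daemon that answered is still the pre-update process and needs a restart.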
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0441.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED