A CVE was assigned for a configuration issue in memcached:
http://www.openwall.com/lists/oss-security/2018/03/03/1

The UDP protocol is vulnerable to amplification attacks, and is also considered deprecated. Fortunately we have limited it to localhost in our configuration, so we're not especially vulnerable and probably don't need to push a stable update for this now, but our configuration should be updated again to disable the UDP protocol by default.

The issue is fixed by default in 1.5.6 upstream.
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some recent committers.
CC: (none) => mageia, marja11, mrambo, shlomif
Assignee: bugsquad => pkg-bugs
Assignee: pkg-bugs => mageia
I agree with you; by default we only use localhost, but this is easily changed, whereas disabling the UDP port needs a change to the systemd config. I've updated the systemd config to disable the UDP port in 6 and cauldron. This change will take effect on the next memcached update to Mageia 6.
The Mageia 6 package should also be updated to a newer version, due to this note: http://openwall.com/lists/oss-security/2018/03/08/1
Specifically at least 1.4.37, according to this note: http://openwall.com/lists/oss-security/2018/03/08/7
ok, that's a change. Never had those deadlocks, but if they exist, and we know it, I'll push an update later.
I'm not sure if I used the given test script correctly, since even with our current release I was not able to get any buffer overflows or deadlocks. Nevertheless there is a new version available on 6/updates_testing:

Suggested advisory:
========================

Updated memcached packages fix security vulnerabilities:

Memcached enabled UDP by default, which could be exploited to cause a denial of service via network flood (CVE-2018-1000115). By default this UDP port is now closed.

With this release some overflow and deadlock situations get fixed too.

References:
========================
http://www.openwall.com/lists/oss-security/2018/03/03/1
http://openwall.com/lists/oss-security/2018/03/08/1
http://openwall.com/lists/oss-security/2018/03/08/7

Updated packages in core/updates_testing:
========================
memcached-1.5.6-1.mga6

Source RPMs:
memcached-1.5.6-1.mga6.src.rpm
Assignee: mageia => qa-bugs
Version: Cauldron => 6
Advisory uploaded. Previous procedure at bug 12156 comment 8 but with UDP disabled this may now fail.
Keywords: (none) => advisory, has_procedure
Installed and tested without issues.

System: Mageia 6, x86_64, Intel CPU.

# uname -a
Linux marte 4.14.25-desktop-1.mga6 #1 SMP Fri Mar 9 19:48:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q memcached
memcached-1.5.6-1.mga6
# systemctl start memcached@11211
# systemctl status memcached@11211
● memcached@11211.service - Memcached NoSQL key+value store on port 11211
   Loaded: loaded (/usr/lib/systemd/system/memcached@.service; disabled; vendor preset: enabled)
   Active: active (running) since Dom 2018-03-11 23:04:38 WET; 8min ago
  Process: 31107 ExecStart=/usr/bin/memcached -d -l $IPADDR -p %i -U 0 -m $CACHESIZE -t $THREADS -c $MAXCONN $OPTIONS -P /run/memcached/%i.pid (code=exited, status=0/SUCCESS)
 Main PID: 31108 (memcached)
      CPU: 78ms
   CGroup: /system.slice/system-memcached.slice/memcached@11211.service
           └─31108 /usr/bin/memcached -d -l 127.0.0.1 -p 11211 -U 0 -m 64 -t 4 -c 1024 -P /run/memcached/11211.pid

Mar 11 23:04:38 marte systemd[1]: Starting Memcached NoSQL key+value store on port 11211...
Mar 11 23:04:38 marte systemd[1]: memcached@11211.service: PID file /run/memcached/11211.pid not readable (yet?) after start: No such file or directory
Mar 11 23:04:38 marte systemd[1]: Started Memcached NoSQL key+value store on port 11211.

# lsof -nP | grep memcached.*IPv4
memcached 31108 memcached 26u IPv4 2804753 0t0 TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31109 memcached 26u IPv4 2804753 0t0 TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31110 memcached 26u IPv4 2804753 0t0 TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31111 memcached 26u IPv4 2804753 0t0 TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31112 memcached 26u IPv4 2804753 0t0 TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31113 memcached 26u IPv4 2804753 0t0 TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31114 memcached 26u IPv4 2804753 0t0 TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31115 memcached 26u IPv4 2804753 0t0 TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31116 memcached 26u IPv4 2804753 0t0 TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31117 memcached 26u IPv4 2804753 0t0 TCP 127.0.0.1:11211 (LISTEN)

$ cat test.php
#!/bin/php
<?php
$m = new Memcached();
$m->addServer('127.0.0.1', 11211);
$m->set('test', 'my test data : SUCCESS');
echo $m->get('test') . "\n";
$ php test.php
my test data : SUCCESS
CC: (none) => mageia
Whiteboard: (none) => MGA6-64-OK
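
Added example, not part of the original thread or of the Mageia package: a small Python audit that reads an expanded memcached command line (as shown in the `systemctl status` output above) and reports whether UDP is disabled, bound to loopback only, or reachable from other hosts. It handles the short options `-l`, `-p` and `-U` only; the function names are hypothetical, the two extra command lines and the version `(1, 4, 0)` are constructed, and the rule that older builds open UDP on the TCP port when `-U` is absent is an assumption consistent with the thread's statement that UDP was enabled by default before 1.5.6.

```python
import ipaddress
import shlex

UDP_OFF_BY_DEFAULT = (1, 5, 6)  # per the thread: upstream default from 1.5.6

def is_loopback(addr):
    host = addr.strip()
    if host.startswith("["):                 # [::1]:11211
        host = host[1:].split("]")[0]
    elif host.count(":") == 1:               # 127.0.0.1:11211
        host = host.split(":")[0]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                         # "*", hostnames, unexpanded $VARS

def audit_cmdline(cmdline, version):
    """Return (udp_port, listen_addrs, verdict) for an expanded memcached command line."""
    args = shlex.split(cmdline)
    opts, i = {}, 1
    while i < len(args):
        flag, rest = args[i][:2], args[i][2:]
        if flag in ("-l", "-p", "-U"):       # short options only
            if rest:
                opts[flag] = rest            # attached value, e.g. -U0
            elif i + 1 < len(args):
                i += 1
                opts[flag] = args[i]         # separate value, e.g. -U 0
        i += 1
    tcp_port = int(opts.get("-p", 11211))
    if "-U" in opts:
        udp_port = int(opts["-U"])
    elif version >= UDP_OFF_BY_DEFAULT:
        udp_port = 0
    else:
        udp_port = tcp_port                  # assumption: older builds open UDP on the TCP port
    addrs = opts["-l"].split(",") if "-l" in opts else ["*"]  # no -l: all interfaces
    if udp_port == 0:
        verdict = "udp-disabled"
    elif all(is_loopback(a) for a in addrs):
        verdict = "udp-loopback-only"
    else:
        verdict = "udp-exposed"
    return udp_port, addrs, verdict

# Command line from the QA test above, then two constructed variants.
PATCHED = "/usr/bin/memcached -d -l 127.0.0.1 -p 11211 -U 0 -m 64 -t 4 -c 1024 -P /run/memcached/11211.pid"
print(audit_cmdline(PATCHED, (1, 5, 6)))
print(audit_cmdline("memcached -d -l 127.0.0.1 -p 11211", (1, 4, 0)))
print(audit_cmdline("memcached -d -p 11211", (1, 4, 0)))
```

The "udp-loopback-only" verdict corresponds to the pre-update state described in the first comment, and "udp-disabled" to the `-U 0` unit tested here.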
Validating
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0165.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
(In reply to David Walser from comment #4)
> Specifically at least 1.4.37, according to this note:
> http://openwall.com/lists/oss-security/2018/03/08/7

There's a CVE for the fix in 1.4.37, CVE-2018-1000127, so we fixed that here too.

Ubuntu has issued an advisory for that on March 19:
https://usn.ubuntu.com/3601-1/