Hi, I'm sorry I haven't found a sponsor to upload the security fix for CVE-2017-9951 yet. There is another fix that needs to be uploaded to security: CVE-2018-1000115: $ dpkg --list memcached Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-=============================================-===========================-===========================-=============================================================================================== ii memcached 1.4.33-1 amd64 high-performance memory object caching system $ sudo netstat -ltunp | grep memcached tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 31885/memcached tcp6 0 0 :::11211 :::* LISTEN 31885/memcached udp 0 0 0.0.0.0:11211 0.0.0.0:* 31885/memcached udp6 0 0 :::11211 :::* 31885/memcached Versus: $ dpkg --list memcached Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-=============================================-===========================-===========================-=============================================================================================== ii memcached 1.4.33-1+deb9u1 amd64 high-performance memory object caching system $ sudo netstat -ltunp | grep memcached tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 478/memcached tcp6 0 0 :::11211 :::* LISTEN 478/memcached Please find attached the following debdiff. -- Guillaume Delacour
diff -Nru memcached-1.4.33/debian/changelog memcached-1.4.33/debian/changelog
--- memcached-1.4.33/debian/changelog 2016-11-03 01:50:27.000000000 +0100
+++ memcached-1.4.33/debian/changelog 2018-03-08 13:46:07.000000000 +0100
@@ -1,3 +1,15 @@
+memcached (1.4.33-1+deb9u1) stretch; urgency=high
+
+ * Fix CVE-2017-9951 by checking the integer length of commands that adds or
+ replaces key/value pair
+ * Fix CVE-2018-1000115
+ + debian/patches/10_CVE-2018-1000115.patch disable listening on UDP port by
+ default (from Ubuntu)
+ + debian/NEWS add explanation and document how to re-enable UDP if
+ necessary.
+
+ -- Guillaume Delacour <gui@iroqwa.org> Thu, 08 Mar 2018 13:46:07 +0100
+
 memcached (1.4.33-1) unstable; urgency=medium

 * New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706
diff -Nru memcached-1.4.33/debian/NEWS memcached-1.4.33/debian/NEWS
--- memcached-1.4.33/debian/NEWS 2016-07-02 10:24:46.000000000 +0200
+++ memcached-1.4.33/debian/NEWS 2018-03-08 13:46:07.000000000 +0100
@@ -1,3 +1,11 @@
+memcached (1.4.33-1+deb9u1) stretch; urgency=high
+
+ * memcached is now configured to disable its UDP port by default, to
+ prevent its use as a DDoS amplifier. To re-enable UDP service, add
+ '-U 11211' to /etc/memcached.conf and restart the memcached service.
+
+ -- Steve Beattie <sbeattie@ubuntu.com> Fri, 02 Mar 2018 12:52:44 -0800
+
 memcached (1.4.20-1) unstable; urgency=medium

 Starting with this release, a system user "memcache" will be created.
diff -Nru memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch
--- memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 1970-01-01 01:00:00.000000000 +0100
+++ memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 2018-03-06 21:44:06.000000000 +0100
@@ -0,0 +1,36 @@
+From: dormando <dormando@rydia.net>
+Date: Tue, 4 Jul 2017 00:32:39 -0700
+Subject: [PATCH] sanity check (CVE-2017-9951)
+Origin: upstream, https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167
+
+---
+ items.c | 2 ++
+ memcached.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/items.c b/items.c
+index 637e5e745..83a2ea37d 100644
+--- a/items.c
++++ b/items.c
+@@ -368,6 +368,8 @@ void item_free(item *it) {
+ bool item_size_ok(const size_t nkey, const int flags, const int nbytes) {
+ char prefix[40];
+ uint8_t nsuffix;
++ if (nbytes < 2)
++ return false;
+
+ size_t ntotal = item_make_header(nkey + 1, flags, nbytes,
+ prefix, &nsuffix);
+diff --git a/memcached.c b/memcached.c
+index 0f0335795..a89df965d 100644
+--- a/memcached.c
++++ b/memcached.c
+@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) {
+
+ case conn_swallow:
+ /* we are reading sbytes and throwing them away */
+- if (c->sbytes == 0) {
++ if (c->sbytes <= 0) {
+ conn_set_state(c, conn_new_cmd);
+ break;
+ }
diff -Nru memcached-1.4.33/debian/patches/10_CVE-2018-1000115.patch memcached-1.4.33/debian/patches/10_CVE-2018-1000115.patch
--- memcached-1.4.33/debian/patches/10_CVE-2018-1000115.patch 1970-01-01 01:00:00.000000000 +0100
+++ memcached-1.4.33/debian/patches/10_CVE-2018-1000115.patch 2018-03-08 13:46:07.000000000 +0100
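Review bot: The new `if (nbytes < 2) return false;` in item_size_ok gives no hint why 2 is the bound, and the `<= 0` change in conn_swallow is equally bare; a reader of the Debian patch sees only the CVE number. Presumably nbytes includes the two-byte "\r\n" terminator of the value, so a comment such as `/* nbytes counts the trailing \r\n; anything shorter is not a valid value length */` above the check would record the invariant being enforced, and `/* sbytes can go negative after a rejected command; treat it like zero */` would do the same for the swallow state. The DEP-3 header carries `Origin:` but no `Bug:`/`Bug-Debian:` field, so the fix is not traceable to the tracker entry from the patch itself. Both nested hunks cut into item_size_ok and drive_machine, whose bodies continue outside the patch context.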
@@ -0,0 +1,66 @@
+From dbb7a8af90054bf4ef51f5814ef7ceb17d83d974 Mon Sep 17 00:00:00 2001
+From: dormando <dormando@rydia.net>
+Date: Tue, 27 Feb 2018 10:50:45 -0800
+Subject: [PATCH] disable UDP port by default
+Origin: upstream, https://github.com/memcached/memcached/commit/dbb7a8af90054bf4ef51f5814ef7ceb17d83d974.patch
+
+As reported, UDP amplification attacks have started to use insecure
+internet-exposed memcached instances. UDP used to be a lot more popular as a
+transport for memcached many years ago, but I'm not aware of many recent
+users.
+
+Ten years ago, the TCP connection overhead from many clients was relatively
+high (dozens or hundreds per client server), but these days many clients are
+batched, or user fewer processes, or simply anre't worried about it.
+
+While changing the default to listen on localhost only would also help, the
+true culprit is UDP. There are many more use cases for using memcached over
+the network than there are for using the UDP protocol.
+---
+ memcached.c | 6 ++----
+ t/issue_67.t | 4 ++--
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+Index: b/memcached.c
+===================================================================
+--- a/memcached.c
++++ b/memcached.c
+@@ -205,7 +205,7 @@ static void settings_init(void) {
+ settings.use_cas = true;
+ settings.access = 0700;
+ settings.port = 11211;
+- settings.udpport = 11211;
++ settings.udpport = 0;
+ /* By default this string should be NULL for getaddrinfo() */
+ settings.inter = NULL;
+ settings.maxbytes = 64 * 1024 * 1024; /* default is 64MB */
+@@ -6204,9 +6204,7 @@ int main (int argc, char **argv) {
+ }
+ }
+
+- if (tcp_specified && !udp_specified) {
+- settings.udpport = settings.port;
+- } else if (udp_specified && !tcp_specified) {
++ if (udp_specified && settings.udpport != 0 && !tcp_specified) {
+ settings.port = settings.udpport;
+ }
+
+Index: b/t/issue_67.t
+===================================================================
+--- a/t/issue_67.t
++++ b/t/issue_67.t
+@@ -73,12 +73,12 @@ sub when {
+
+ # Disabling the defaults since it conflicts with a running instance.
+ # when('no arguments', '', 11211, 11211);
+-when('specifying tcp port', '-p 11212', 11212, 11212);
++when('specifying tcp port', '-p 11212', 11212, -1);
+ when('specifying udp port', '-U 11222', 11222, 11222);
+ when('specifying tcp ephemeral port', '-p -1', 0, 0);
+ when('specifying udp ephemeral port', '-U -1', 0, 0);
+ when('tcp port disabled', '-p 0', -1, -1);
+-when('udp port disabled', '-U 0', 11211, -1);
++when('udp port disabled', '-U 0', 11211, -1);
+ when('specifying tcp and udp ports', '-p 11232 -U 11233', 11232, 11233);
+ when('specifying tcp and disabling udp', '-p 11242 -U 0', 11242, -1);
+ when('specifying udp and disabling tcp', '-p -1 -U 11252', 0, 11252);
diff -Nru memcached-1.4.33/debian/patches/series memcached-1.4.33/debian/patches/series
--- memcached-1.4.33/debian/patches/series 2016-08-21 18:48:58.000000000 +0200
+++ memcached-1.4.33/debian/patches/series 2018-03-08 13:45:38.000000000 +0100
@@ -1,3 +1,5 @@
 01_init_script_additions.patch
 04_add_init_retry.patch
 07_disable_tests.patch
+09_CVE-2017-9951.patch
+10_CVE-2018-1000115.patch
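Review bot: The rewritten condition in main, `if (udp_specified && settings.udpport != 0 && !tcp_specified)`, together with the deleted `tcp_specified && !udp_specified` branch, changes behaviour beyond the new default: `-p PORT` on its own no longer brings up UDP on the same port, which is exactly what the updated `when('specifying tcp port', '-p 11212', 11212, -1)` expectation encodes. The patch description explains why the default flips but not this second effect, so an administrator auditing an existing memcached.conf that sets only `-p` cannot tell from the header that `-U` is now required whenever UDP is wanted; one sentence in the DEP-3 header stating that would close the gap. Both patched functions, settings_init and main, continue outside the hunk context.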