Hi, I'm sorry I haven't found a sponsor to upload the security fix for CVE-2017-9951 yet. There is another fix that needs to be uploaded to security as well: CVE-2018-1000115 (memcached answering on UDP makes it usable as a DDoS amplifier). With the current stretch package, memcached listens on UDP 11211 in addition to TCP:

$ dpkg --list memcached
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=============================================-===========================-===========================-===============================================================================================
ii memcached 1.4.33-1 amd64 high-performance memory object caching system
$ sudo netstat -ltunp | grep memcached
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 31885/memcached
tcp6 0 0 :::11211 :::* LISTEN 31885/memcached
udp 0 0 0.0.0.0:11211 0.0.0.0:* 31885/memcached
udp6 0 0 :::11211 :::* 31885/memcached

Versus, with the patched package, only the TCP listeners remain:

$ dpkg --list memcached
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=============================================-===========================-===========================-===============================================================================================
ii memcached 1.4.33-1+deb9u1 amd64 high-performance memory object caching system
$ sudo netstat -ltunp | grep memcached
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 478/memcached
tcp6 0 0 :::11211 :::* LISTEN 478/memcached

Please find attached the following debdiff.

-- Guillaume Delacour
diff -Nru memcached-1.4.33/debian/changelog memcached-1.4.33/debian/changelog
--- memcached-1.4.33/debian/changelog 2016-11-03 01:50:27.000000000 +0100
+++ memcached-1.4.33/debian/changelog 2018-03-08 13:46:07.000000000 +0100
@@ -1,3 +1,15 @@
+memcached (1.4.33-1+deb9u1) stretch; urgency=high
+
+ * Fix CVE-2017-9951 by checking the integer length of commands that adds or
+ replaces key/value pair
+ * Fix CVE-2018-1000115
+ + debian/patches/10_CVE-2018-1000115.patch disable listening on UDP port by
+ default (from Ubuntu)
+ + debian/NEWS add explanation and document how to re-enable UDP if
+ necessary.
+
+ -- Guillaume Delacour <gui@iroqwa.org> Thu, 08 Mar 2018 13:46:07 +0100
+
memcached (1.4.33-1) unstable; urgency=medium
* New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706
diff -Nru memcached-1.4.33/debian/NEWS memcached-1.4.33/debian/NEWS
--- memcached-1.4.33/debian/NEWS 2016-07-02 10:24:46.000000000 +0200
+++ memcached-1.4.33/debian/NEWS 2018-03-08 13:46:07.000000000 +0100
@@ -1,3 +1,11 @@
+memcached (1.4.33-1+deb9u1) stretch; urgency=high
+
+ * memcached is now configured to disable its UDP port by default, to
+ prevent its use as a DDoS amplifier. To re-enable UDP service, add
+ '-U 11211' to /etc/memcached.conf and restart the memcached service.
+
+ -- Steve Beattie <sbeattie@ubuntu.com> Fri, 02 Mar 2018 12:52:44 -0800
+
memcached (1.4.20-1) unstable; urgency=medium
Starting with this release, a system user "memcache" will be created.
diff -Nru memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch
--- memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 1970-01-01 01:00:00.000000000 +0100
+++ memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 2018-03-06 21:44:06.000000000 +0100
@@ -0,0 +1,36 @@
+From: dormando <dormando@rydia.net>
+Date: Tue, 4 Jul 2017 00:32:39 -0700
+Subject: [PATCH] sanity check (CVE-2017-9951)
+Origin: upstream, https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167
+
+---
+ items.c | 2 ++
+ memcached.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/items.c b/items.c
+index 637e5e745..83a2ea37d 100644
+--- a/items.c
++++ b/items.c
+@@ -368,6 +368,8 @@ void item_free(item *it) {
+ bool item_size_ok(const size_t nkey, const int flags, const int nbytes) {
+ char prefix[40];
+ uint8_t nsuffix;
++ if (nbytes < 2)
++ return false;
+
+ size_t ntotal = item_make_header(nkey + 1, flags, nbytes,
+ prefix, &nsuffix);
+diff --git a/memcached.c b/memcached.c
+index 0f0335795..a89df965d 100644
+--- a/memcached.c
++++ b/memcached.c
+@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) {
+
+ case conn_swallow:
+ /* we are reading sbytes and throwing them away */
+- if (c->sbytes == 0) {
++ if (c->sbytes <= 0) {
+ conn_set_state(c, conn_new_cmd);
+ break;
+ }
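Review bot: The added guard `if (nbytes < 2) return false;` in item_size_ok is unbraced and uncommented, so a reader of the quilt patch cannot tell why 2 is the floor; presumably nbytes counts the value plus its terminating CRLF, so anything smaller means the client-supplied length was negative or wrapped — confirm against process_update_command, which is outside this hunk. I would write it as `if (nbytes < 2) { /* value length includes the trailing "\r\n"; smaller means a bogus or negative client length */ return false; }`. The conn_swallow change from `c->sbytes == 0` to `c->sbytes <= 0` likewise deserves a one-line comment, e.g. `/* a negative sbytes means a rejected length; leave the swallow state instead of discarding a negative count */`, since it is the part that presumably stops the discard loop from being entered with a negative count. Both item_size_ok and drive_machine begin and end outside the hunk.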
diff -Nru memcached-1.4.33/debian/patches/10_CVE-2018-1000115.patch memcached-1.4.33/debian/patches/10_CVE-2018-1000115.patch
--- memcached-1.4.33/debian/patches/10_CVE-2018-1000115.patch 1970-01-01 01:00:00.000000000 +0100
+++ memcached-1.4.33/debian/patches/10_CVE-2018-1000115.patch 2018-03-08 13:46:07.000000000 +0100
@@ -0,0 +1,66 @@
+From dbb7a8af90054bf4ef51f5814ef7ceb17d83d974 Mon Sep 17 00:00:00 2001
+From: dormando <dormando@rydia.net>
+Date: Tue, 27 Feb 2018 10:50:45 -0800
+Subject: [PATCH] disable UDP port by default
+Origin: upstream, https://github.com/memcached/memcached/commit/dbb7a8af90054bf4ef51f5814ef7ceb17d83d974.patch
+
+As reported, UDP amplification attacks have started to use insecure
+internet-exposed memcached instances. UDP used to be a lot more popular as a
+transport for memcached many years ago, but I'm not aware of many recent
+users.
+
+Ten years ago, the TCP connection overhead from many clients was relatively
+high (dozens or hundreds per client server), but these days many clients are
+batched, or user fewer processes, or simply anre't worried about it.
+
+While changing the default to listen on localhost only would also help, the
+true culprit is UDP. There are many more use cases for using memcached over
+the network than there are for using the UDP protocol.
+---
+ memcached.c | 6 ++----
+ t/issue_67.t | 4 ++--
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+Index: b/memcached.c
+===================================================================
+--- a/memcached.c
++++ b/memcached.c
+@@ -205,7 +205,7 @@ static void settings_init(void) {
+ settings.use_cas = true;
+ settings.access = 0700;
+ settings.port = 11211;
+- settings.udpport = 11211;
++ settings.udpport = 0;
+ /* By default this string should be NULL for getaddrinfo() */
+ settings.inter = NULL;
+ settings.maxbytes = 64 * 1024 * 1024; /* default is 64MB */
+@@ -6204,9 +6204,7 @@ int main (int argc, char **argv) {
+ }
+ }
+
+- if (tcp_specified && !udp_specified) {
+- settings.udpport = settings.port;
+- } else if (udp_specified && !tcp_specified) {
++ if (udp_specified && settings.udpport != 0 && !tcp_specified) {
+ settings.port = settings.udpport;
+ }
+
+Index: b/t/issue_67.t
+===================================================================
+--- a/t/issue_67.t
++++ b/t/issue_67.t
+@@ -73,12 +73,12 @@ sub when {
+
+ # Disabling the defaults since it conflicts with a running instance.
+ # when('no arguments', '', 11211, 11211);
+-when('specifying tcp port', '-p 11212', 11212, 11212);
++when('specifying tcp port', '-p 11212', 11212, -1);
+ when('specifying udp port', '-U 11222', 11222, 11222);
+ when('specifying tcp ephemeral port', '-p -1', 0, 0);
+ when('specifying udp ephemeral port', '-U -1', 0, 0);
+ when('tcp port disabled', '-p 0', -1, -1);
+-when('udp port disabled', '-U 0', -1, -1);
++when('udp port disabled', '-U 0', 11211, -1);
+ when('specifying tcp and udp ports', '-p 11232 -U 11233', 11232, 11233);
+ when('specifying tcp and disabling udp', '-p 11242 -U 0', 11242, -1);
+ when('specifying udp and disabling tcp', '-p -1 -U 11252', 0, 11252);
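Review bot: The new default `settings.udpport = 0;` in settings_init carries no comment saying that 0 means no UDP listener is created or tying it to the amplification problem the patch header describes; I would write `settings.udpport = 0; /* UDP off by default: memcached over UDP is a DDoS amplifier (CVE-2018-1000115); -U <port> re-enables it */`. The rewritten condition in main() also drops the old `-p X` implies `-U X` behaviour (the t/issue_67.t change makes this explicit), so a site that enabled UDP only by setting `-p` loses UDP silently; the NEWS entry describes re-enabling but not this side effect, which is worth a sentence there. The new default is only effective if the shipped /etc/memcached.conf and the init-script patches already in debian/patches do not pass `-U 11211` themselves — neither file is part of this debdiff, so please confirm. Note also that TCP 11211 is still bound to 0.0.0.0 in the cover mail's netstat output; this patch does not touch the listen address, so an internet-facing host still needs `-l 127.0.0.1` or a firewall rule. main() begins and ends outside the hunk.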
diff -Nru memcached-1.4.33/debian/patches/series memcached-1.4.33/debian/patches/series
--- memcached-1.4.33/debian/patches/series 2016-08-21 18:48:58.000000000 +0200
+++ memcached-1.4.33/debian/patches/series 2018-03-08 13:45:38.000000000 +0100
@@ -1,3 +1,5 @@
01_init_script_additions.patch
04_add_init_retry.patch
07_disable_tests.patch
+09_CVE-2017-9951.patch
+10_CVE-2018-1000115.patch