authorLeonardo Arena <rnalrd@alpinelinux.org>2018-06-11 13:00:50 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2018-06-11 13:07:04 +0000
commitdcdf3ad355958a452c9942c010966d9316245cf2 (patch)
treed986260e6bac83abb96af5f0119084338616e710
parent96018bf2841ac59b632f6d84ad6247b5b825dc3a (diff)
main/memcached: security fix (CVE-2018-1000115)
Fixes #8833
-rw-r--r--main/memcached/APKBUILD15
-rw-r--r--main/memcached/CVE-2018-1000115.patch66
2 files changed, 78 insertions, 3 deletions
diff --git a/main/memcached/APKBUILD b/main/memcached/APKBUILD
index c60c10281da..6f3a5bcfe5c 100644
--- a/main/memcached/APKBUILD
+++ b/main/memcached/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=memcached
pkgver=1.4.33
-pkgrel=1
+pkgrel=2
pkgdesc="Distributed memory object caching system"
url="http://memcached.org"
arch="all"
@@ -15,13 +15,21 @@ subpackages="$pkgname-dev $pkgname-doc"
source="http://www.memcached.org/files/memcached-$pkgver.tar.gz
$pkgname.confd
$pkgname.initd
- CVE-2017-9951.patch"
+ CVE-2017-9951.patch
+ CVE-2018-1000115.patch
+ "
_builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 1.4.33-r2:
+# - CVE-2018-1000115
# 1.4.33-r1:
# - CVE-2017-9951
+# 1.4.33-r0:
+# - CVE-2016-8704
+# - CVE-2016-8705
+# - CVE-2016-8706
prepare() {
local i
@@ -63,4 +71,5 @@ faa5d3b1026262db00340469abe4ba066b11f2558c85b6e8be1f4265444812c7 CVE-2017-9951.
sha512sums="00af5a2f46702fb8e606b1035cdaad125445d8eb701927a3ccccd7cd6c12e0811efb3ad917e3118043fd993b5c313f1aa0c4b2a471218e971a21fed7c896e136 memcached-1.4.33.tar.gz
31bd788433b8021ed332f86d291e7f03222ae234520e52ba673b581d5da2adf5656e8f73e8b985df73258dea9b2a1b8ef36195163fe47a92fda59825deedfed4 memcached.confd
9615769b14175a25b50c9871b48c0635b5397ebe45231b43ee29a603eceb7b16bfc5ac744017b89b19082209c09597b3038a03ed0d5d9b45c60454d5b2717a55 memcached.initd
-6ad923b7753011272f8d8389e1e14d6193a13777a5919e3e183eb81fa5b6e9555f19ce88d0c4af3affc0ea4dd4c824924f8d4aad1460037a3c1d22707d409ed0 CVE-2017-9951.patch"
+6ad923b7753011272f8d8389e1e14d6193a13777a5919e3e183eb81fa5b6e9555f19ce88d0c4af3affc0ea4dd4c824924f8d4aad1460037a3c1d22707d409ed0 CVE-2017-9951.patch
+7e7ba164ec19f2316908e4f7bdc5d97a002338896a3ba09d3189772617763e1021f6b4496816275788bb4cf22ff560d7cead454079f279f9505fbdf14aa0e9d5 CVE-2018-1000115.patch"
diff --git a/main/memcached/CVE-2018-1000115.patch b/main/memcached/CVE-2018-1000115.patch
new file mode 100644
index 00000000000..5c3da35bbef
--- /dev/null
+++ b/main/memcached/CVE-2018-1000115.patch
@@ -0,0 +1,66 @@
+From dbb7a8af90054bf4ef51f5814ef7ceb17d83d974 Mon Sep 17 00:00:00 2001
+From: dormando <dormando@rydia.net>
+Date: Tue, 27 Feb 2018 10:50:45 -0800
+Subject: [PATCH] disable UDP port by default
+Origin: upstream, https://github.com/memcached/memcached/commit/dbb7a8af90054bf4ef51f5814ef7ceb17d83d974.patch
+
+As reported, UDP amplification attacks have started to use insecure
+internet-exposed memcached instances. UDP used to be a lot more popular as a
+transport for memcached many years ago, but I'm not aware of many recent
+users.
+
+Ten years ago, the TCP connection overhead from many clients was relatively
+high (dozens or hundreds per client server), but these days many clients are
+batched, or user fewer processes, or simply anre't worried about it.
+
+While changing the default to listen on localhost only would also help, the
+true culprit is UDP. There are many more use cases for using memcached over
+the network than there are for using the UDP protocol.
+---
+ memcached.c | 6 ++----
+ t/issue_67.t | 4 ++--
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+Index: b/memcached.c
+===================================================================
+--- a/memcached.c
++++ b/memcached.c
+@@ -205,7 +205,7 @@ static void settings_init(void) {
+ settings.use_cas = true;
+ settings.access = 0700;
+ settings.port = 11211;
+- settings.udpport = 11211;
++ settings.udpport = 0;
+ /* By default this string should be NULL for getaddrinfo() */
+ settings.inter = NULL;
+ settings.maxbytes = 64 * 1024 * 1024; /* default is 64MB */
+@@ -6204,9 +6204,7 @@ int main (int argc, char **argv) {
+ }
+ }
+
+- if (tcp_specified && !udp_specified) {
+- settings.udpport = settings.port;
+- } else if (udp_specified && !tcp_specified) {
++ if (udp_specified && settings.udpport != 0 && !tcp_specified) {
+ settings.port = settings.udpport;
+ }
+
+Index: b/t/issue_67.t
+===================================================================
+--- a/t/issue_67.t
++++ b/t/issue_67.t
+@@ -73,12 +73,12 @@ sub when {
+
+ # Disabling the defaults since it conflicts with a running instance.
+ # when('no arguments', '', 11211, 11211);
+-when('specifying tcp port', '-p 11212', 11212, 11212);
++when('specifying tcp port', '-p 11212', 11212, -1);
+ when('specifying udp port', '-U 11222', 11222, 11222);
+ when('specifying tcp ephemeral port', '-p -1', 0, 0);
+ when('specifying udp ephemeral port', '-U -1', 0, 0);
+ when('tcp port disabled', '-p 0', -1, -1);
+-when('udp port disabled', '-U 0', -1, -1);
++when('udp port disabled', '-U 0', 11211, -1);
+ when('specifying tcp and udp ports', '-p 11232 -U 11233', 11232, 11233);
+ when('specifying tcp and disabling udp', '-p 11242 -U 0', 11242, -1);
+ when('specifying udp and disabling tcp', '-p -1 -U 11252', 0, 11252);
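Review bot: The memcached.c hunk drops the `tcp_specified && !udp_specified` branch that mirrored `-p` onto the UDP port, so after this upgrade an instance started with only `-p <port>` no longer listens on UDP at all, and the new `settings.udpport = 0` default does the same for instances started with no port flags; that is the intended CVE-2018-1000115 mitigation, but it is a silent behaviour change for any existing memcached.confd that relied on the implicit UDP listener, and nothing in this commit documents it to the package's users. If memcached.confd (not visible here) carries a comment describing the default options, I would add `# Since 1.4.33-r2 the UDP listener is off by default (CVE-2018-1000115); pass -U <port> to re-enable it.` next to the MEMCACHED_OPTS line, or at least say so in the commit message. The remaining condition `udp_specified && settings.udpport != 0 && !tcp_specified` correctly leaves the TCP port at 11211 for `-U 0`, which is what the updated t/issue_67.t case expects. The enclosing `main()` begins and ends outside the hunk.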