group.of.nepali.translators team mailing list archive
Message #22103
[Bug 1752831] Re: memcached should disable UDP by default
This bug was fixed in the package memcached - 1.4.33-1ubuntu3.2
---------------
memcached (1.4.33-1ubuntu3.2) artful-security; urgency=medium

  * SECURITY UPDATE: denial of service due to integer overflow
    - debian/patches/CVE-2017-9951.patch: check for integer overflow on
      key requests
    - CVE-2017-9951
  * SECURITY UPDATE: disable listening on UDP port by default due to
    use in DDoS amplification attacks
    - debian/patches/disable-udp-by-default.patch: disable UDP port by
      default. (LP: #1752831)
    - debian/NEWS: add explanation and document how to re-enable UDP if
      necessary.
    - CVE-2018-1000115
  * debian/patches/fix-compiler-warning.patch: fix compilation warning
    with gcc-7 that causes FTBFS.
  * debian/rules: disable tests on armhf, to prevent the build hanging.

 -- Steve Beattie <sbeattie@xxxxxxxxxx>  Mon, 05 Mar 2018 01:29:48 -0800
** Changed in: memcached (Ubuntu Artful)
Status: Triaged => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9951
** Changed in: memcached (Ubuntu Xenial)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1752831
Title:
memcached should disable UDP by default
Status in memcached package in Ubuntu:
Fix Released
Status in memcached source package in Trusty:
Fix Released
Status in memcached source package in Xenial:
Fix Released
Status in memcached source package in Artful:
Fix Released
Bug description:
Memcached is currently involved in some massive DDoS attacks, see e.g.:
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
The UDP protocol of memcached can be abused for very effective DDoS amplification attacks and should therefore be considered dangerous.
Upstream memcached has reacted to this by disabling UDP by default:
https://github.com/memcached/memcached/wiki/ReleaseNotes156
In Ubuntu memcached by default only listens to 127.0.0.1, but enables
UDP. While the localhost-only binding protects default settings, it's still
only a minor change away from creating an effective DDoS tool for a
protocol that is hardly in use today. I recommend that Ubuntu
backports the upstream change and disables UDP by default.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/memcached/+bug/1752831/+subscriptions
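The report above treats exposure as two separate settings, the bind address (-l) and the UDP port (-U, where 0 disables UDP), plus a compiled-in default that this update changes. The following audit is an added editor's example, not code from the bug, the package or the patch: it reads an Ubuntu-style /etc/memcached.conf (one daemon option per line) and classifies the result, taking the build default as the parameter udp_default_port (assumed 11211 for an unpatched build, 0 for a patched one); the sample config at the bottom is constructed.

```python
import ipaddress
import shlex

def parse_memcached_conf(text):
    """Map each daemon option in a memcached.conf-style file to its value.
    One option per line ("-l 127.0.0.1", "-U 0"); '#' starts a comment and a
    flag with no argument maps to None."""
    opts = {}
    for raw in text.splitlines():
        parts = shlex.split(raw.split("#", 1)[0])
        if parts and parts[0].startswith("-"):
            opts[parts[0]] = parts[1] if len(parts) > 1 else None
    return opts

def effective_udp_port(opts, udp_default_port):
    """UDP port the daemon binds: explicit -U wins, else the build's default.
    Unpatched builds default to 11211 (UDP on); the disable-udp-by-default
    patch makes it 0 (UDP off), so the same file means different things."""
    if opts.get("-U") is not None:
        return int(opts["-U"])
    return udp_default_port

def is_loopback_only(listen_value):
    """True only if every -l address is loopback; no -l means all interfaces."""
    if listen_value is None:
        return False
    for entry in listen_value.split(","):
        addr = entry.strip()
        if addr.count(":") == 1:  # drop an IPv4 "addr:port" suffix
            addr = addr.rsplit(":", 1)[0]
        if addr == "localhost":
            continue
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass
        return False
    return True

def assess_udp_exposure(conf_text, udp_default_port=11211):
    """Classify: ok (UDP off), warn (UDP on, loopback only) or critical."""
    opts = parse_memcached_conf(conf_text)
    udp_port = effective_udp_port(opts, udp_default_port)
    loopback = is_loopback_only(opts.get("-l"))
    level = "ok" if udp_port == 0 else ("warn" if loopback else "critical")
    return {"udp_port": udp_port, "loopback_only": loopback, "level": level}

# Constructed sample mirroring Ubuntu's shipped defaults before this fix.
UBUNTU_DEFAULT_CONF = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n"
```

Run against the same default file, an unpatched build reports "warn" (UDP on, loopback only, the situation the report calls "a minor change away" from an amplifier) while a patched build reports "ok"; dropping -l or binding 0.0.0.0 with UDP on reports "critical".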