[MIR] memcached

Bug #586634 reported by Clint Byrum
This bug affects 1 person
Affects Status Importance Assigned to Milestone
memcached (Ubuntu)
Fix Released

Bug Description

Binary package hint: memcached


package has been in universe a long time.


Memcached is nearly ubiquitous in distributed web application design today. Its design is simple and its record for stability is incredibly high. We've included having it in main as one of our improvements for support of "Web 2.0" stacks in Maverick:



* There are no open security issues at this time, and all previous issues have been resolved quickly upstream.
* The rate of security issues has been fairly low, given the amount of exposure memcached has had, this is a good measure of the code quality.
* While in the past there was no way to protect memcached other than firewall, they have recently added optional SASL authentication to allow it to be run on a public network safely.

Quality assurance:

 * bugs
   * There are no open important debian or ubuntu bugs.

* test suite does not currently run, bug opened:
   * https://bugs.launchpad.net/ubuntu/+source/memcached/+bug/586632

UI standards:



All dependencies are in main:

Depends: libc6 (>= 2.4), libevent-1.4-2 (>= 1.4.13-stable), perl, lsb-base (>= 3.2-13)

Standards compliance:

Package appears to be in full compliance with required standards.


This is a very simple package and will not require complex maintenance.

Background information:


Related branches

Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Also note that there is an open request to sync this package with debian unstable, which is the only version with the optional SASL authentication.


Revision history for this message
Alexander Sack (asac) wrote :

seems to be directly exposed to network; feels like a good thing for kees to review.

Given that it previously was not protected other than through firewall, we should check that the package default configuration is safe now, imho; but Kees' call.

Changed in memcached (Ubuntu):
assignee: nobody → Kees Cook (kees)
Revision history for this message
Kees Cook (kees) wrote :

Since Debian 383660 is fixed, I'm less concerned about the firewall issues, but it is a network daemon, so it needs to be checked out a bit.

This daemon runs as "nobody", which isn't actually considered safe. The idea is that "nobody" should have no ownerships or access to anything. For example, running multiple daemons as "nobody" rather defeats the purpose. Before this is approved, I would like to see memcached running as a separate system user that is created/removed in the maintainer scripts. Debian 391351 almost did this, but it went from root to nobody. An improvement, for sure, but I'd like to see it done fully correct before it is in main.

Nothing else immediately jumps out at me, though. It seems to be reasonably defensive about incoming data. It's had problems in the past, but as seen, they're fixed quickly, easy to test, etc.

Changed in memcached (Ubuntu):
status: New → Incomplete
assignee: Kees Cook (kees) → nobody
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

I'm preparing a patch now to have memcached run as its own user.

Changed in memcached (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → Clint Byrum (clint-fewbar)
Changed in memcached (Ubuntu):
status: In Progress → Confirmed
assignee: Clint Byrum (clint-fewbar) → nobody
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Ok, I created this bug:


Which has memcached running as the user/group 'memcache'.

Changed in memcached (Ubuntu):
milestone: none → maverick-alpha-2
Revision history for this message
Kees Cook (kees) wrote :

This looks good. Thanks! +1 for main.

Changed in memcached (Ubuntu):
status: Confirmed → In Progress
Changed in memcached (Ubuntu):
status: In Progress → Fix Released
importance: Undecided → Wishlist
Revision history for this message
Matthias Klose (doko) wrote :

now promoted

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.