Hi,

On 02/03/2018 at 12:39, Hanno Böck wrote:
> Package: memcached
> Version: 1.4.33-1
> 
> Memcached is currently involved in some massive DDoS attacks, see e.g.:
> https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
> 
> The UDP protocol of memcached can be abused for very effective DDoS
> amplification attacks and should therefore be considered dangerous.
> Upstream memcached has reacted to this by disabling UDP by default:
> https://github.com/memcached/memcached/wiki/ReleaseNotes156
> 
> In Debian memcached by default only listens to 127.0.0.1, but enables
> UDP. While the localhost-only protects default settings, it's still
> only a minor change away from creating an effective DDoS tool for a
> protocol that is hardly in use today. I recommend that you backport
> the upstream change and disable UDP by default.
> 

Version 1.5.6 will be uploaded to the archive in a few days.
I'll try to propose a backport patch at least for versions in stretch
and jessie (with upstream review, if possible).

-- 
Guillaume Delacour

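The exposure discussed in this thread can be checked on a host by reading the memcached option file. The following is an added example, not part of the thread or of the memcached or Debian packaging: it assumes a config with one command-line option per line, the `-l`/`--listen` and `-U`/`--udp-port` options, a constructed sample file, and hypothetical function names and result labels.

```python
import ipaddress

# Constructed sample in the style of a Debian /etc/memcached.conf (not copied from a package).
SAMPLE_CONF = """\
# memory cap and TCP port
-m 64
-p 11211
-u memcache
-l 127.0.0.1
"""

def parse_options(text):
    """Return (listen_addrs, udp_port); each is None when the file does not set it."""
    listen, udp = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-"):
            continue
        if line.startswith("--"):   # --udp-port=0 or --listen 127.0.0.1
            name, _, arg = line.replace("=", " ", 1).partition(" ")
        else:                       # -U 0 or -U0; case matters (-u is the run-as user)
            name, arg = line[:2], line[2:]
        arg = arg.strip()
        if name in ("-l", "--listen") and arg:
            listen = [a.strip() for a in arg.split(",")]
        elif name in ("-U", "--udp-port") and arg.isdigit():
            udp = int(arg)
    return listen, udp

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unknown hostname: treat as reachable from outside

def audit(text, udp_default_on=True):
    """udp_default_on: True for builds before 1.5.6, False once UDP is off by default."""
    listen, udp = parse_options(text)
    udp_on = udp_default_on if udp is None else udp != 0
    if not udp_on:
        return "ok"
    # No -l line means memcached binds every interface.
    local = listen is not None and all(is_loopback(a) for a in listen)
    return "udp-loopback-only" if local else "udp-exposed"

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A result of `udp-loopback-only` is the state the report describes: UDP is on and only the listen address stands between the host and exposure, so adding `-U 0` is the fix on builds that still default to UDP.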