Since Debian 383660 is fixed, I'm less concerned about the firewall
issues, but it is a network daemon, so it needs to be checked out a bit.
This daemon runs as "nobody", which isn't actually considered safe. The
idea is that "nobody" should have no ownerships or access to anything.
For example, running multiple daemons as "nobody" rather defeats the
purpose. Before this is approved, I would like to see memcached running
as a separate system user that is created/removed in the maintainer
scripts. Debian 391351 almost did this, but it went from root to
nobody. An improvement, for sure, but I'd like to see it done fully
correct before it is in main.
Nothing else immediately jumps out at me, though. It seems to be
reasonably defensive about incoming data. It's had problems in the
past, but as seen, they're fixed quickly, easy to test, etc.
** Changed in: memcached (Ubuntu)
Status: New => Incomplete
** Changed in: memcached (Ubuntu)
Assignee: Kees Cook (kees) => (unassigned)
--
[MIR] memcached
https://bugs.launchpad.net/bugs/586634
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
