Hi,

On 02/03/2018 at 12:39, Hanno Böck wrote:
> Package: memcached
> Version: 1.4.33-1
>
> Memcached is currently involved in some massive DDoS attacks, see e.g.:
> https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
>
> The UDP protocol of memcached can be abused for very effective DDoS
> amplification attacks and should therefore be considered dangerous.
> Upstream memcached has reacted to this by disabling UDP by default:
> https://github.com/memcached/memcached/wiki/ReleaseNotes156
>
> In Debian memcached by default only listens to 127.0.0.1, but enables
> UDP. While the localhost-only protects default settings, it's still
> only a minor change away from creating an effective DDoS tool for a
> protocol that is hardly in use today. I recommend that you backport
> the upstream change and disable UDP by default.
The version 1.5.6 will be uploaded in the archive in a few days. I'll try to propose a backport patch at least for versions in stretch and jessie (with upstream review, if possible).

--
Guillaume Delacour
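As an added example (not part of the bug report or of Debian's packaging), a small audit of the two settings the report turns on: the listen address (`-l`) and the UDP port (`-U`, where `-U 0` is memcached's way of disabling UDP, the behaviour upstream 1.5.6 made the default). It assumes the Debian layout of /etc/memcached.conf, one option per line; the sample config files are constructed here, not taken from any host.

```shell
#!/bin/sh
# Added example: classify a Debian-style memcached.conf by its UDP exposure.
# Assumes one option per line, e.g. "-l 127.0.0.1" or "-U 0".

# UDP port configured in the file; no -U line means memcached's default, 11211.
memcached_udp_port() {
  port=$(sed -n 's/^[[:space:]]*-U[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
  echo "${port:-11211}"
}

# Listen address; no -l line means memcached binds every interface.
memcached_listen_addr() {
  addr=$(sed -n 's/^[[:space:]]*-l[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
  echo "${addr:-0.0.0.0}"
}

# Verdict: "udp-disabled" (-U 0), "udp-localhost-only" (UDP on, but bound to
# loopback, the Debian default the report describes), or "amplifier"
# (UDP on and reachable beyond loopback).
memcached_udp_verdict() {
  if [ "$(memcached_udp_port "$1")" = 0 ]; then
    echo udp-disabled
  else
    case "$(memcached_listen_addr "$1")" in
      127.0.0.1|::1|localhost) echo udp-localhost-only ;;
      *) echo amplifier ;;
    esac
  fi
}

# Constructed sample configs (hypothetical, modelled on the Debian defaults).
TMPD=$(mktemp -d)
WEAK_CONF=$TMPD/weak.conf     # loopback only, but UDP left enabled
FIXED_CONF=$TMPD/fixed.conf   # same, with UDP disabled as upstream now does
printf '%s\n' '-m 64' '-p 11211' '-u memcache' '-l 127.0.0.1' > "$WEAK_CONF"
printf '%s\n' '-m 64' '-p 11211' '-u memcache' '-l 127.0.0.1' '-U 0' > "$FIXED_CONF"

for f in "$WEAK_CONF" "$FIXED_CONF"; do
  printf '%s: %s\n' "$f" "$(memcached_udp_verdict "$f")"
done
```

Running it against the real /etc/memcached.conf is a matter of calling `memcached_udp_verdict /etc/memcached.conf`; anything other than `udp-disabled` means the host still depends on the bind address alone.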