Bug 1594877

Summary: Fix CVE-2017-9951, multiple bugfixes, performance enhancements
Product: Red Hat Enterprise Linux 7
Reporter: James Boyle <unixi>
Component: memcached
Assignee: Miroslav Lichvar <mlichvar>
Status: CLOSED DUPLICATE
QA Contact: qe-baseos-daemons
Severity: low
Priority: low
Version: 7.5
CC: thozza
Target Milestone: rc
Keywords: Security, SecurityTracking
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-07-31 07:02:52 UTC
Type: Bug
Bug Blocks: 1471970

Description James Boyle 2018-06-25 15:25:36 UTC
Multiple bug fixes and performance improvements are available in recent versions of memcached.  Memcached included with rhel-7-server-rpms is version 1.4.15 and the release notes indicate it has not been updated since November 2016:
* Mon Nov 07 2016 Miroslav Lichvar <mlichvar> - 0:1.4.15-10.el7_3.1

CVE-2017-9951 affects all versions prior to 1.4.39.

Recent versions also have better systemd integration and security improvements.

Here are a few items from the changelogs between 1.4.15 (version shipped in rhel-7-server-rpms) and 1.5.8 (released one month ago):

fix rare partial deadlock during hash table expansion
extstore: fix ref leak when using binary protocol with TOUCH,GAT,GATK
systemd instancing support & rpm build improvements
remove redundant counter/lock from hash table
quick fix for slab mover deadlock
fix null pointer ref in logger for bin update cmd
Drop sockets from obviously malicious command strings (HTTP/)
fix for CVE-2017-9951
fix LRU maintainer thread slowdown in edge case
fix rare long background thread pause in hash expansion
fix ordering issue in conn dispatch (prevents potential hangups)
fix refcount leak in LRU bump buf
Stop using atomics for item refcount management (performance)
Make the conn suffix list the same as item list (performance)
Do LRU-bumps while already holding item lock (performance)
Reduce add_iov() work for TCP connections (performance)
Fix cache_memlimit bug for > 4G values
metadump: ensure buffer is flushed to client before finishing
Number of small fixes/additions to new logging
add logging endpoint for LRU crawler
evicted_active counter for LRU maintainer
stop pushing NULL byte into watcher stream
Scale item hash locks more with more worker threads (minor performance)
Further increase systemd service hardening
Missing necessary header for atomic_inc_64_nv() used in logger.c (solaris)
Fix print format for idle timeout thread
Improve binary sasl security fixes
Fix clang compile error
Widen systemd caps to allow maxconns to increase
Add -X option to disable cachedump/metadump
Don't double free in lru_crawler on closed clients
Fix segfault if metadump client goes away

On several RHEL 7.5 systems running 1.4.15, I have noticed TCP CLOSE_WAIT conditions where memcached does not acknowledge and release the TCP socket back to the kernel.  I believe the bug fixes in the releases from 2017 to current would solve that problem.

Thank you!
--James
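
One way to quantify the CLOSE_WAIT symptom reported above, as an added example that is not part of the original bug report: it parses a table in `/proc/net/tcp` layout and counts CLOSE_WAIT sockets on the memcached port per peer. Port 11211 (the memcached default), the function names and the sample table are assumptions constructed for illustration.

```python
import socket
import struct
from collections import Counter

MEMCACHED_PORT = 11211   # memcached default port; assumption, adjust if -p is set
TCP_CLOSE_WAIT = 0x08    # state code used in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:2BCB 00000000:0000 0A 00000000:00000000 00:00000000 00000000   995        0 20001 1
   1: 0A00000A:2BCB 1400000A:C350 01 00000000:00000000 00:00000000 00000000   995        0 20002 1
   2: 0A00000A:2BCB 1400000A:C351 08 00000000:00000001 00:00000000 00000000   995        0 20003 1
   3: 0A00000A:2BCB 1400000A:C352 08 00000000:00000001 00:00000000 00000000   995        0 20004 1
   4: 0A00000A:2BCB 1500000A:D000 08 00000000:00000000 00:00000000 00000000   995        0 20005 1
   5: 0A00000A:0016 1500000A:D001 08 00000000:00000000 00:00000000 00000000     0        0 20006 1
"""

def decode_addr(addr):
    """Turn 'HEXIP:HEXPORT' (IPv4, as printed on little-endian hosts) into (ip, port)."""
    ip_hex, port_hex = addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def close_wait_peers(table, port=MEMCACHED_PORT):
    """Count CLOSE_WAIT sockets on the given local port, grouped by peer IP."""
    peers = Counter()
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        _, local_port = decode_addr(fields[1])
        if local_port == port and int(fields[3], 16) == TCP_CLOSE_WAIT:
            peers[decode_addr(fields[2])[0]] += 1
    return peers

if __name__ == "__main__":
    # On a live host: close_wait_peers(open("/proc/net/tcp").read())
    for peer, n in close_wait_peers(SAMPLE).most_common():
        print(f"{peer}: {n} socket(s) in CLOSE_WAIT")
```

A count that keeps growing between runs points at sockets the daemon never closes after the peer has sent its FIN, which is the condition described in the report.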

Comment 2 James Boyle 2018-07-23 21:16:18 UTC
I didn't see that someone else made a related bug earlier: https://bugzilla.redhat.com/show_bug.cgi?id=1543405

Though, it doesn't explicitly call out CVE-2017-9951.

Comment 3 Miroslav Lichvar 2018-07-31 07:02:52 UTC
Ok, let's keep all requests for memcached rebase in one bug.

*** This bug has been marked as a duplicate of bug 1543405 ***