Description of problem: By default memcached listens on all interfaces. It is recommended in documentation (manual page for memcached) to listen only on internal or firewalled interfaces. We got some vulnerability reports when using memcached on Fedora and keeping it at default settings. You can consider to limit binding only to localhost interfaces. Version-Release number of selected component (if applicable): memcached-1.4.17-3.fc21.x86_64 How reproducible: always Steps to Reproduce: 1. yum install memcached 2. service memcached start 3. netstat -utanp | grep memcache Actual results: tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 6815/memcached tcp6 0 0 :::11211 :::* LISTEN 6815/memcached udp 0 0 0.0.0.0:11211 0.0.0.0:* 6815/memcached udp6 0 0 :::11211 :::* 6815/memcached Expected results: tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 6845/memcached tcp6 0 0 ::1:11211 :::* LISTEN 6845/memcached udp 0 0 127.0.0.1:11211 0.0.0.0:* 6845/memcached udp6 0 0 ::1:11211 :::* 6845/memcached Additional info: It is possible to limit interfaces to localhost using: OPTIONS="-l localhost" in /etc/sysconfig/memcached. Note, it should be used "localhost", NOT "127.0.0.1". When using "localhost" it will listen also on ::1 (if specified in /etc/hosts/).
This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Still valid for memcached-1.4.17-4.fc23.x86_64.
The default configuration of memcached now uses -l 127.0.0.1,::1 to bind to the loopback interface. It would be good to mention this in the Fedora 25 release notes.
This is still a problem in EPEL/CentOS/Red Hat. Can I open a new bug or change this one? Is it possible to fix this in EPEL? According to latest attacks from memcached, this should be fixed on all systems. It's hard to fight with similar problems for network administrators, which has no direct access to servers. :-(
For memcached in RHEL7, please see bug #1550066.