Your message dated Thu, 26 Aug 2021 11:20:54 +0000
with message-id <[email protected]>
and subject line Bug#892922: fixed in memcached 1.6.10+dfsg-2
has caused the Debian Bug report #892922,
regarding memcached.service is less secure by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
892922: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892922
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: memcached
User: [email protected]
Usertags: origin-ubuntu ubuntu-patch bionic
Tags: patch
Forwarded: https://github.com/memcached/memcached/issues/359

Downstream bug:
 https://bugs.launchpad.net/ubuntu/+source/memcached/+bug/1755460

This affects git master on alioth (currently 0fd2dc1), but not anything
you've uploaded yet.

Upstream version 1.5.6 removed some systemd sandboxing options from
memcached.service as RHEL's systemd currently doesn't support it. Since
AFAIK Debian's systemd does support these options, we should not regress
this sandboxing.

In Ubuntu I've fixed this as follows, which also includes a double check
in debian/rules in case upstream adds further options using this pattern
in the future.

diff --git a/debian/patches/restore-systemd-sandboxing 
b/debian/patches/restore-systemd-sandboxing
new file mode 100644
index 0000000..584e774
--- /dev/null
+++ b/debian/patches/restore-systemd-sandboxing
@@ -0,0 +1,61 @@
+Author: Robie Basak <[email protected]>
+Description: Restore systemd sandboxing
+ Upstream regressed systemd sandboxing for everyone by default because RHEL
+ cannot support it. Put it back again to avoid this functional regression.
+Bug: https://github.com/memcached/memcached/issues/359
+Bug-Ubuntu: https://bugs.launchpad.net/memcached/+bug/1755460
+Forwarded: not-needed
+Last-Update: 2018-03-13
+
+--- a/scripts/memcached.service
++++ b/scripts/memcached.service
+@@ -42,21 +42,16 @@
+ # of this unit. Protects against vulnerabilities such as CVE-2016-8655
+ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+ 
+-
+-# Some security features are not in the older versions of systemd used by
+-# e.g. RHEL7/CentOS 7. The below settings are automatically edited at package
+-# build time to uncomment them if the target platform supports them.
+-
+ # Attempts to create memory mappings that are writable and executable at
+ # the same time, or to change existing memory mappings to become executable
+ # are prohibited.
+-##safer##MemoryDenyWriteExecute=true
++MemoryDenyWriteExecute=true
+ 
+ # Explicit module loading will be denied. This allows to turn off module
+ # load and unload operations on modular kernels. It is recommended to turn
+ # this on for most services that do not need special file systems or extra
+ # kernel modules to work.
+-##safer##ProtectKernelModules=true
++ProtectKernelModules=true
+ 
+ # Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
+ # /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq
+@@ -64,21 +59,21 @@
+ # kernel variables should only be written at boot-time, with the sysctl.d(5)
+ # mechanism. Almost no services need to write to these at runtime; it is hence
+ # recommended to turn this on for most services.
+-##safer##ProtectKernelTunables=true
++ProtectKernelTunables=true
+ 
+ # The Linux Control Groups (cgroups(7)) hierarchies accessible through
+ # /sys/fs/cgroup will be made read-only to all processes of the unit.
+ # Except for container managers no services should require write access
+ # to the control groups hierarchies; it is hence recommended to turn this
+ # on for most services
+-##safer##ProtectControlGroups=true
++ProtectControlGroups=true
+ 
+ # Any attempts to enable realtime scheduling in a process of the unit are
+ # refused.
+-##safer##RestrictRealtime=true
++RestrictRealtime=true
+ 
+ # Takes away the ability to create or manage any kind of namespace
+-##safer##RestrictNamespaces=true
++RestrictNamespaces=true
+ 
+ PIDFile=/var/run/memcached/memcached.pid
+ 
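Review bot: the DEP-3 header of the new patch file says `Forwarded: not-needed`, while the bug report itself carries `Forwarded: https://github.com/memcached/memcached/issues/359` and the `Bug:` line in this same header cites that issue; since the regression was in fact raised upstream, `Forwarded: https://github.com/memcached/memcached/issues/359` (or a short note that upstream declined because of RHEL 7) would keep the metadata consistent. The `Bug-Ubuntu:` URL (`.../memcached/+bug/1755460`) also differs from the downstream link given in the report (`.../ubuntu/+source/memcached/+bug/1755460`); both refer to LP: #1755460, but the report's form is the canonical one. The unit change itself is a straight one-for-one uncommenting of the six `##safer##` directives plus removal of the five-line comment block, and the nested hunk counts agree with that (21 to 16 lines, and the second hunk shifted by exactly -5).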
diff --git a/debian/patches/series b/debian/patches/series
index 46c68ba..bb9c45b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@
 fix-distribution.patch
 always_enable_alignment.patch
 disable_watcher_test.patch
+restore-systemd-sandboxing
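Review bot: the new entry `restore-systemd-sandboxing` is the only one in `debian/patches/series` without a `.patch` suffix (the three context entries all carry it); renaming the file to `restore-systemd-sandboxing.patch`, here and in the `diff --git` header above, keeps the series uniform and makes the file type obvious to tooling and readers.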
diff --git a/debian/rules b/debian/rules
index ccd01ec..9fc8d04 100755
--- a/debian/rules
+++ b/debian/rules
@@ -26,6 +26,8 @@ override_dh_auto_install:
                $(CURDIR)/debian/memcached.init
        install -m 755 $(CURDIR)/scripts/memcached.service \
                $(CURDIR)/debian/memcached.service
+       # Check for LP: #1755460
+       if grep -i '##safer##' $(CURDIR)/debian/memcached.service >/dev/null 
2>&1; then echo "ERROR: debian/patches/restore-systemd-sandboxing is 
incomplete; please see LP: #1755460" >&2; exit 1; fi
        install -m 755 $(CURDIR)/scripts/damemtop $(SCRIPTS)
        install -m 644 $(CURDIR)/scripts/damemtop.yaml $(SCRIPTS)
        install -m 644 $(CURDIR)/scripts/README.damemtop $(SCRIPTS)
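Review bot: the `if grep -i '##safer##' ...` recipe line has been wrapped by the mail client onto three lines here; a make recipe must be a single tab-indented line (or use `\` continuations), so anyone applying this from the mail rather than the git tree must rejoin it first, otherwise make will not parse the continuation lines as part of the recipe. Style-wise, `grep -iq '##safer##'` says the same as the `>/dev/null 2>&1` redirection. The check itself is sound: it runs against the copy just installed to `$(CURDIR)/debian/memcached.service`, so a `##safer##` marker left behind by a future upstream addition fails the build instead of silently shipping a unit with that directive commented out.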
-- 
cgit v0.10.2

Attachment: signature.asc
Description: PGP signature


--- End Message ---
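The report above rests on one observation: a directive behind a `##safer##` marker is a comment, so systemd never applies it and the service runs with less sandboxing than the unit file appears to grant. The following POSIX shell lint is an added example, not code from the bug report or from the memcached packaging; it generalizes the single `grep` in the debian/rules hunk by also requiring each of the six restored directives to be present, uncommented and enabled, so it catches a directive that was deleted rather than merely commented. `check_unit_sandboxing`, `write_sample_units` and `demo` are hypothetical names chosen for this example, and the two sample units are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the memcached packaging.
# Lints a systemd unit for the sandboxing directives the patch restores.
# It fails if any "##safer##" build-time marker survived (the directive is
# then still a comment, so systemd ignores it) or if a directive is missing
# or not enabled. Function names here are hypothetical, chosen for the example.

SANDBOX_DIRECTIVES="MemoryDenyWriteExecute ProtectKernelModules ProtectKernelTunables ProtectControlGroups RestrictRealtime RestrictNamespaces"

# Usage: check_unit_sandboxing UNIT_FILE
# Prints one line per finding; returns 0 when the unit is clean, 1 otherwise.
check_unit_sandboxing() {
    unit="$1"
    status=0
    if grep -q '##safer##' "$unit"; then
        echo "$unit: ##safer## markers present, sandboxing directives are still comments"
        status=1
    fi
    for d in $SANDBOX_DIRECTIVES; do
        # Only an uncommented "Directive=true" (or yes/1) at line start counts;
        # "##safer##Directive=true" or "#Directive=true" does not match.
        if ! grep -Eq "^[[:space:]]*$d=(true|yes|1)[[:space:]]*$" "$unit"; then
            echo "$unit: $d is not enabled"
            status=1
        fi
    done
    return $status
}

# Constructed sample units for demonstration (not real package files).
# "regressed" mirrors the upstream 1.5.6 layout with the markers left in place;
# "restored" mirrors the unit after the patch in the report.
write_sample_units() {
    dir="$1"
    cat > "$dir/regressed.service" <<'EOF'
[Service]
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
##safer##MemoryDenyWriteExecute=true
##safer##ProtectKernelModules=true
##safer##ProtectKernelTunables=true
##safer##ProtectControlGroups=true
##safer##RestrictRealtime=true
##safer##RestrictNamespaces=true
EOF
    cat > "$dir/restored.service" <<'EOF'
[Service]
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
EOF
}

# Stand-alone run: report on both constructed samples.
demo() {
    tmp=$(mktemp -d)
    write_sample_units "$tmp"
    for f in "$tmp/regressed.service" "$tmp/restored.service"; do
        if check_unit_sandboxing "$f"; then
            echo "$f: sandboxing OK"
        else
            echo "$f: sandboxing INCOMPLETE"
        fi
    done
    rm -rf "$tmp"
}

demo
```

In a packaging rule the function's exit status does the work, e.g. `check_unit_sandboxing debian/memcached.service || exit 1`, which fails the build the same way the debian/rules hunk does but also for a directive that has been removed outright. On a running system, `systemd-analyze security memcached.service` (systemd 240 and later) reports the same directives from systemd's own view of the loaded unit, which is the check to run after an upgrade rather than at build time.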
--- Begin Message ---
Source: memcached
Source-Version: 1.6.10+dfsg-2
Done: Chris Lamb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 26 Aug 2021 12:05:23 +0100
Source: memcached
Built-For-Profiles: nocheck
Architecture: source
Version: 1.6.10+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 892922
Changes:
 memcached (1.6.10+dfsg-2) unstable; urgency=medium
 .
   * Restore systemd sandboxing as the Debian version of systemd supports these
     features. Thanks to Robie Basak for the bug and patch. (Closes: #892922)
Checksums-Sha1:
 334ad84dcc012e4bb229cf1c6f1ff3ef81af186d 2022 memcached_1.6.10+dfsg-2.dsc
 c6ec4cc3a749e2dbe0589ab79431d564c8e098c8 16068 memcached_1.6.10+dfsg-2.debian.tar.xz
 d19b3391e736cd8951b0be71f5d771b1fa7c493f 6457 memcached_1.6.10+dfsg-2_amd64.buildinfo
Checksums-Sha256:
 fb3c6d7ae6aab28ef93502654c5245f4db9699e4f11dac01c92e45073cae27b2 2022 memcached_1.6.10+dfsg-2.dsc
 018385b87a556ce026df1217f3ec5ac9f7e82db0b1803254fbb62bfac6c6d104 16068 memcached_1.6.10+dfsg-2.debian.tar.xz
 72dcc73a252547a169a8792b7e1b6dc7bc1efd9cd70f462706310ff63f22f48b 6457 memcached_1.6.10+dfsg-2_amd64.buildinfo
Files:
 aea6d86bbb1efa91f72d961d00a13b5a 2022 web optional memcached_1.6.10+dfsg-2.dsc
 4146e2cddea24d49ca27c93ae75c24da 16068 web optional memcached_1.6.10+dfsg-2.debian.tar.xz
 6be7109cb46f5ea37597e93fd640f7a5 6457 web optional memcached_1.6.10+dfsg-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---