[Bug 1462747] Re: Please sync with 1.4.24 Debian sid package
Daniel Holbach
daniel.holbach at ubuntu.com
Mon Jun 8 06:32:03 UTC 2015
Can you please review which of our changes were already applied in
Debian? Syncing would effectively mean dropping all our changes. Ubuntu
currently has the following changes applied on top of Debian's 1.4.14:
* SECURITY UPDATE: denial of service via large body length
  - debian/patches/CVE-2011-4971.patch: check length in memcached.c,
    added test to t/issue_192.t.
  - CVE-2011-4971
* SECURITY UPDATE: denial of service when using -vv
  - debian/patches/CVE-2013-0179.patch: properly format key in items.c,
    memcached.c.
  - CVE-2013-0179
* SECURITY UPDATE: SASL authentication bypass
  - debian/patches/CVE-2013-7239.patch: explicitly record sasl auth
    states in memcached.*, added test to t/binary-sasl.t.
  - CVE-2013-7239
* debian/memcached.postinst: don't create home directory so we don't end
  up with /nonexistent. Thanks to Dustin Lundquist for patch.
  (LP: #1255328)
* Revert unnecessary deltas added to patches compared to Debian.
* Revert use of dh-autoreconf and patch configure manually to
  match configure.ac, as this package despises modern autotools.
* debian/rules: Fix the previous fixes a little harder, so they work.
* debian/rules: Shuffle things around so that dh_autoreconf is always
  run before dh_quilt_patch. Fixes FTBFS with dpkg-buildpackage -B.
* debian/control: added lsb-release, dh-autoreconf to build depends
* debian/rules: run autoreconf
* debian/patches/fix-distribution.patch: added patch to show
  distribution on version
* Move dh_quilt_apply into configure step so that config.{sub,guess}
  patches get applied before running configure. (LP: #1218114)
* Update config.{guess,sub} for Aarch64.
* debian/tests: Add autopkgtest.
* d/p/60_fix_racey_test.patch: Dropped, applied upstream.
* d/p/start-memcached-fix-hash.patch: Change regex to make sure
  inline comments can function per feedback from upstream. Passing
  "#" to arguments now requires escaping with \.
* d/p/start-memcached-fix-hash.patch: Apply patch to allow passing
  # as a value for memcached options such as -D to use # as a prefix
  delimiter for stats collection. (LP: #1005821)
  - Run as 'memcache' user instead of nobody.
  - Depend on adduser for preinst/postrm.
  - Create user in postinst.
  - d/rules: run test suite on build.
  - d/patches/50_fix_racey_test.patch: Cherry picked patch from
    upstream bug tracker which endeavours to avoid the race condition.
    Thanks to Clint Byrum for this fix.
  - d/patches/50_add_init_retry.patch: Dropped - superseded by Debian
    patch.
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4971
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0179
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-7239
** Changed in: memcached (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to memcached in Ubuntu.
https://bugs.launchpad.net/bugs/1462747
Title:
Please sync with 1.4.24 Debian sid package