* [Buildroot] [PATCH 1/2] memcached: bump to version 1.5.6
@ 2018-03-02 18:07 Christopher McCrory
2018-03-02 18:07 ` [Buildroot] [PATCH 2/2] apache: pass explicit sbindir Christopher McCrory
2018-04-02 9:42 ` [Buildroot] [PATCH 1/2] memcached: bump to version 1.5.6 Thomas Petazzoni
0 siblings, 2 replies; 7+ messages in thread
From: Christopher McCrory @ 2018-03-02 18:07 UTC
To: buildroot
From ReleaseNotes156
This is a bugfix release, but it primarily disables the UDP protocol by
default.
In the last few days reports of UDP amplification attacks utilizing
insecure memcached instances have surfaced. Attackers are able to set
large values into memcached, then send requests via spoofed UDP packets.
Memcached will then send a very large number of very large UDP packets
back in response.
Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
---
package/memcached/memcached.hash | 7 +++----
package/memcached/memcached.mk | 2 +-
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/package/memcached/memcached.hash b/package/memcached/memcached.hash
index 204590d27c..8278933827 100644
--- a/package/memcached/memcached.hash
+++ b/package/memcached/memcached.hash
@@ -1,4 +1,3 @@
-# From http://www.memcached.org/files/memcached-1.5.0.tar.gz.sha1
-sha1 e12af93e63c05ab7e89398e4cfd0bfc7b7bff1c5 memcached-1.5.0.tar.gz
-# Calculated based on the hash above
-sha256 c001f812024bb461b5e4d7d0506daab63dff9614eea26f46536c3b7e1e601c32 memcached-1.5.0.tar.gz
+# From http://www.memcached.org/files/memcached-1.5.6.tar.gz.sha1
+sha1 ca35929e74b132c2495a6957cfdc80556337fb90 memcached-1.5.6.tar.gz
+sha256 9675ee859d7d81f7a950f190a6812720b26f08228d356044ec517d4d5af25f03 memcached-1.5.6.tar.gz
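Review bot: The new sha256 line at the end of memcached.hash has no provenance comment, because the removed "# Calculated based on the hash above" was dropped without a replacement. Add a comment such as "# Locally computed" above it, so a later reviewer can tell that only the sha1 comes from upstream and the sha256 was derived from the downloaded tarball.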
diff --git a/package/memcached/memcached.mk b/package/memcached/memcached.mk
index d0e3bc01d9..c15abc79bf 100644
--- a/package/memcached/memcached.mk
+++ b/package/memcached/memcached.mk
@@ -4,7 +4,7 @@
#
################################################################################
-MEMCACHED_VERSION = 1.5.0
+MEMCACHED_VERSION = 1.5.6
MEMCACHED_SITE = http://www.memcached.org/files
MEMCACHED_DEPENDENCIES = libevent
MEMCACHED_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
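Review bot: The subject line undersells the MEMCACHED_VERSION change: per the commit message, 1.5.6 turns the UDP protocol off by default in response to amplification attacks, which is a security-relevant change of runtime defaults. Say so in the subject (for example "memcached: security bump to version 1.5.6") so it is considered for the stable branches, and mention that users who depend on UDP must enable it explicitly after the update. The unchanged MEMCACHED_SITE context line still fetches over http://, which leaves the .hash file as the only integrity check on the tarball.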
--
2.14.3
* [Buildroot] [PATCH 2/2] apache: pass explicit sbindir
From: Christopher McCrory @ 2018-03-02 18:07 UTC
To: buildroot
The apache configure script help indicates that the sbindir is
PREFIX/sbin , but it actually uses PREFIX/bin. Most people
probably expect httpd to be located in /usr/sbin/httpd
Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
---
package/apache/apache.mk | 3 +++
1 file changed, 3 insertions(+)
diff --git a/package/apache/apache.mk b/package/apache/apache.mk
index e1b1a209cb..4fd5896d59 100644
--- a/package/apache/apache.mk
+++ b/package/apache/apache.mk
@@ -28,7 +28,10 @@ else ifeq ($(BR2_PACKAGE_APACHE_MPM_WORKER),y)
APACHE_MPM = worker
endif
+# Explicitly pass sbindir, because apache configure script defines it
+# to PREFIX/bin, which doesn't make much sense
APACHE_CONF_OPTS = \
+ --sbindir=/usr/sbin \
--sysconfdir=/etc/apache2 \
--with-apr=$(STAGING_DIR)/usr \
--with-apr-util=$(STAGING_DIR)/usr \
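Review bot: The added --sbindir=/usr/sbin line moves httpd out of /usr/bin, but the diffstat shows apache.mk as the only file changed, so anything else in the package that starts or references /usr/bin/httpd, such as an init script or service unit, would keep pointing at the old path. Update those consumers in the same patch so the installed image does not end up with a start-up file that refers to a binary that is no longer there.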
--
2.14.3
* [Buildroot] [PATCH 2/2] apache: pass explicit sbindir
From: Christopher McCrory @ 2018-03-02 18:11 UTC
To: buildroot
Hello...
Thanks Thomas, I copied and pasted your recommendations.
On Fri, Mar 2, 2018 at 10:07 AM, Christopher McCrory <chrismcc@gmail.com>
wrote:
> The apache configure script help indicates that the sbindir is
> PREFIX/sbin , but it actually uses PREFIX/bin. Most people
> probably expect httpd to be located in /usr/sbin/httpd
>
> Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
>
<snip>
--
Christopher McCrory
To the optimist, the glass is half full.
To the pessimist, the glass is half empty.
To the engineer, the glass is twice as big as it needs to be.
* [Buildroot] [PATCH 2/2] apache: pass explicit sbindir
From: Arnout Vandecappelle @ 2018-10-20 22:26 UTC
To: buildroot
Hi Christopher,
Sorry for the late reply...
On 02/03/2018 18:07, Christopher McCrory wrote:
> The apache configure script help indicates that the sbindir is
> PREFIX/sbin , but it actually uses PREFIX/bin. Most people
> probably expect httpd to be located in /usr/sbin/httpd
I disagree with this patch for 4 reasons:
- I don't think there is a real need. Upstream chooses to do it that way, why
would we differ?
- It is possible that someone is using apache and assumes it is installed in
/usr/bin.
- In fact, Buildroot does that, in the apache.service file. So at least that
file would need to be updated as well.
- If we want to change it, we should follow the upstream convention. Upstream
uses "layouts" to specify what goes where. There are layouts for Apache, GNU,
Fedora, Debian, RedHat, etc. So we should use a --enable-layout option instead
of hacking our own thing.
With that in mind, I've marked the patch as Rejected in patchwork. If you do
think it is relevant, my second argument can be overridden, but then the patch
should be changed to fix the apache.service file and to use a --enable-layout
option instead.
Regards,
Arnout
>
> Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
> ---
> package/apache/apache.mk | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/package/apache/apache.mk b/package/apache/apache.mk
> index e1b1a209cb..4fd5896d59 100644
> --- a/package/apache/apache.mk
> +++ b/package/apache/apache.mk
> @@ -28,7 +28,10 @@ else ifeq ($(BR2_PACKAGE_APACHE_MPM_WORKER),y)
> APACHE_MPM = worker
> endif
>
> +# Explicitly pass sbindir, because apache configure script defines it
> +# to PREFIX/bin, which doesn't make much sense
> APACHE_CONF_OPTS = \
> + --sbindir=/usr/sbin \
> --sysconfdir=/etc/apache2 \
> --with-apr=$(STAGING_DIR)/usr \
> --with-apr-util=$(STAGING_DIR)/usr \
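Review bot: The comment added above APACHE_CONF_OPTS ("which doesn't make much sense") records an opinion rather than the reason for the override. State the fact given in the commit message instead: configure's help text documents sbindir as PREFIX/sbin while the script actually uses PREFIX/bin. A later reader can then check whether the override is still needed after an upstream change.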
* [Buildroot] [PATCH 1/2] memcached: bump to version 1.5.6
From: Thomas Petazzoni @ 2018-04-02 9:42 UTC
To: buildroot
Hello,
On Fri, 2 Mar 2018 10:07:55 -0800, Christopher McCrory wrote:
> From ReleaseNotes156
>
> This is a bugfix release, but it primarily disables the UDP protocol by
> default.
>
> In the last few days reports of UDP amplification attacks utilizing
> insecure memcached instances have surfaced. Attackers are able to set
> large values into memcached, then send requests via spoofed UDP packets.
> Memcached will then send a very large number of very large UDP packets
> back in response.
>
> Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
> ---
> package/memcached/memcached.hash | 7 +++----
> package/memcached/memcached.mk | 2 +-
> 2 files changed, 4 insertions(+), 5 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 1/2] memcached: bump to version 1.5.6
From: Peter Korsgaard @ 2018-04-08 19:40 UTC
To: buildroot
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:
Hi,
> On Fri, 2 Mar 2018 10:07:55 -0800, Christopher McCrory wrote:
>> From ReleaseNotes156
>>
>> This is a bugfix release, but it primarily disables the UDP protocol by
>> default.
>>
>> In the last few days reports of UDP amplification attacks utilizing
>> insecure memcached instances have surfaced. Attackers are able to set
>> large values into memcached, then send requests via spoofed UDP packets.
>> Memcached will then send a very large number of very large UDP packets
>> back in response.
>>
>> Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
>> ---
>> package/memcached/memcached.hash | 7 +++----
>> package/memcached/memcached.mk | 2 +-
>> 2 files changed, 4 insertions(+), 5 deletions(-)
Committed to 2018.02.x, thanks.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH 1/2] memcached: bump to version 1.5.6
From: Christopher McCrory @ 2018-03-02 18:18 UTC
To: buildroot
On Fri, Mar 2, 2018 at 10:07 AM, Christopher McCrory <chrismcc@gmail.com>
wrote:
> From ReleaseNotes156
>
> This is a bugfix release, but it primarily disables the UDP protocol by
> default.
>
> In the last few days reports of UDP amplification attacks utilizing
> insecure memcached instances have surfaced. Attackers are able to set
> large values into memcached, then send requests via spoofed UDP packets.
> Memcached will then send a very large number of very large UDP packets
> back in response.
>
>
This has been all over the nanog and outages lists the past several days.
Googling memcached DDoS will provide a plethora of information. I don't
use memcached, so all I verified is that it compiled and ran
in an lxc container.
before:

Welcome to Buildroot
buildroot login: root
# bash
[root@buildroot ~]$ /usr/bin/memcached -u nobody -d
[root@buildroot ~]$ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
tcp        0      0 :::11211                :::*                    LISTEN
udp        0      0 0.0.0.0:11211           0.0.0.0:*
udp        0      0 :::11211                :::*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path

after:

Welcome to Buildroot
buildroot login: root
# bash
[root@buildroot ~]$ /usr/bin/memcached -u nobody -d
[root@buildroot ~]$ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
tcp        0      0 :::11211                :::*                    LISTEN
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
--
Christopher McCrory
To the optimist, the glass is half full.
To the pessimist, the glass is half empty.
To the engineer, the glass is twice as big as it needs to be.
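
The before/after check in the message above, turned into a repeatable test; this is an added example and not part of the original post. The function name, variable names and the loopback sample line are assumptions of this example, while the other sample lines are the socket lines from the two sessions above.

```shell
#!/bin/sh
# Added example, not from the thread: flag memcached UDP listeners in
# `netstat -ln` output. Function and variable names are assumptions.
MEMCACHED_PORT=11211

# Reads `netstat -ln` text on stdin. Prints one line per UDP socket bound to
# the memcached port: LOCAL for a loopback bind, EXPOSED for anything else
# (wildcard or routable address). Returns 1 if any UDP listener was found.
udp_memcached_listeners() {
    awk -v port="$MEMCACHED_PORT" '
        $1 ~ /^udp/ {
            addr = $4                       # "Local Address" column
            n = split(addr, parts, ":")
            if (parts[n] != port) next      # port follows the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            scope = (host == "127.0.0.1" || host == "::1") ? "LOCAL" : "EXPOSED"
            printf "%s %s %s\n", scope, $1, addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Socket lines from the "before" and "after" sessions in the message above,
# with wrapped lines rejoined.
BEFORE_SAMPLE='tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN
tcp 0 0 :::11211 :::* LISTEN
udp 0 0 0.0.0.0:11211 0.0.0.0:*
udp 0 0 :::11211 :::*'
AFTER_SAMPLE='tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN
tcp 0 0 :::11211 :::* LISTEN'
# Constructed line: UDP re-enabled by the admin but bound to loopback only.
LOOPBACK_SAMPLE='udp 0 0 127.0.0.1:11211 0.0.0.0:*'

printf '%s\n' "$BEFORE_SAMPLE" | udp_memcached_listeners || echo "before: UDP listener present"
printf '%s\n' "$AFTER_SAMPLE" | udp_memcached_listeners && echo "after: no UDP listener"
```

On a target, pipe the live output in with `netstat -ln | udp_memcached_listeners` and treat a non-zero status as a failed image check.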