Join the community today
Become a Member

Memcached Memcached Server 1.4.33 Released - security fix

Discussion in 'Other Centmin Mod Installed software' started by eva2000, Nov 3, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    30,897
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,402
    Local Time:
    8:30 PM
    Nginx 1.13.x
    MariaDB 5.5

    Memcached Server 1.4.33 Security Fix Release



    Centmin Mod LEMP stack by default install Memcached server so everyone who uses Centmin Mod needs to update to fix security vulnerabilities CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706

    Updated both Centmin Mod 123.08stable and 123.09beta01 builds to default to Memcached server 1.4.33 security fix release. Once you update your local server Centmin Mod branch code via centmin.sh menu option 23 outlined below. You will need to exit centmin.sh and re-run centmin.sh again and run centmin.sh menu option 10 to update Memcached server to 1.4.33.

    To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:
    centmin.sh menu option 10 after 123.09beta01 or 123.08stable update via centmin.sh menu option 23 submenu option 2.

    Code (Text):
    --------------------------------------------------------
         Centmin Mod Menu 123.09beta01 centminmod.com   
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 10
    --------------------------------------------------------

    check Memcached server version installed
    Code (Text):
    memcached -V
    memcached 1.4.33
    


    ReleaseNotes1433 · memcached/memcached Wiki · GitHub

    Memcached 1.4.33
    Code (Text):
    echo stats | nc 127.0.0.1 11211
    STAT pid 15529
    STAT uptime 16
    STAT time 1472078773
    STAT version 1.4.33
    STAT libevent 2.0.22-stable
    STAT pointer_size 64
    STAT rusage_user 0.001503
    STAT rusage_system 0.014412
    STAT curr_connections 5
    STAT total_connections 6
    STAT rejected_connections 0
    STAT connection_structures 6
    STAT reserved_fds 20
    STAT cmd_get 0
    STAT cmd_set 0
    STAT cmd_flush 0
    STAT cmd_touch 0
    STAT get_hits 0
    STAT get_misses 0
    STAT get_expired 0
    STAT get_flushed 0
    STAT delete_misses 0
    STAT delete_hits 0
    STAT incr_misses 0
    STAT incr_hits 0
    STAT decr_misses 0
    STAT decr_hits 0
    STAT cas_misses 0
    STAT cas_hits 0
    STAT cas_badval 0
    STAT touch_hits 0
    STAT touch_misses 0
    STAT auth_cmds 0
    STAT auth_errors 0
    STAT bytes_read 6
    STAT bytes_written 0
    STAT limit_maxbytes 5368709120
    STAT accepting_conns 1
    STAT listen_disabled_num 0
    STAT time_in_listen_disabled_us 0
    STAT threads 4
    STAT conn_yields 0
    STAT hash_power_level 16
    STAT hash_bytes 524288
    STAT hash_is_expanding 0
    STAT slab_reassign_rescues 0
    STAT slab_reassign_chunk_rescues 0
    STAT slab_reassign_evictions_nomem 0
    STAT slab_reassign_inline_reclaim 0
    STAT slab_reassign_busy_items 0
    STAT slab_reassign_running 0
    STAT slabs_moved 0
    STAT lru_crawler_running 0
    STAT lru_crawler_starts 63
    STAT lru_maintainer_juggles 171
    STAT malloc_fails 0
    STAT log_worker_dropped 0
    STAT log_worker_written 0
    STAT log_watcher_skipped 0
    STAT log_watcher_sent 0
    STAT bytes 0
    STAT curr_items 0
    STAT total_items 0
    STAT slab_global_page_pool 0
    STAT expired_unfetched 0
    STAT evicted_unfetched 0
    STAT evictions 0
    STAT reclaimed 0
    STAT crawler_reclaimed 0
    STAT crawler_items_checked 0
    STAT lrutail_reflocked 0
    STAT moves_to_cold 0
    STAT moves_to_warm 0
    STAT moves_within_lru 0
    STAT direct_reclaims 0
    END
    


    CVE Details



    From Cisco Talos Blog: Vulnerability Spotlight: Remotely Exploitable Bugs in Memcached Identified and Patched

    In The Media



     
    Last edited: Nov 3, 2016
    • Like Like x 2
    • Informative Informative x 2
  2. Sunka

    Sunka Active Member

    931
    242
    43
    Oct 31, 2015
    Rijeka, Croatia
    Ratings:
    +392
    Local Time:
    11:30 AM
    Nginx 1.13.3
    MariaDB 10.1.24
    Done.
    But we who do not use memcache at all (using redis), how to uninstall it?
     
  3. eva2000

    eva2000 Administrator Staff Member

    30,897
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,402
    Local Time:
    8:30 PM
    Nginx 1.13.x
    MariaDB 5.5
    • Winner Winner x 1
  4. eva2000

    eva2000 Administrator Staff Member

    30,897
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,402
    Local Time:
    8:30 PM
    Nginx 1.13.x
    MariaDB 5.5
    From Multiple Critical Remotely Exploitable Flaws Discovered in Memcached Caching System
    Note, Centmin Mod installs CSF Firewall by default out of the box and Memcached port 11211 is not whitelisted anymore for public access to port 11211. You can verify this via this grep command on CSF config file /etc/csf/csf.conf and if command returns empty it means no mention of 11211 exists in the config file so memcached port 11211 is not publicly accessible anyway.
    Code (Text):
    grep '11211' /etc/csf/csf.conf
     
    • Like Like x 1
  5. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    6:30 PM
    latest
    latest
    Code:
    # memcached -V
    -bash: memcached: command not found
    I'm safe right?
     
  6. Matt

    Matt Moderator Staff Member

    697
    322
    63
    May 25, 2014
    Sheffield, UK
    Ratings:
    +449
    Local Time:
    10:30 AM
    1.7.1
    MariaDB 10
    Anyone using Remi repo for their other servers has the updated version available :

    Code (Text):
    # yum --enablerepo=remi update memcached
    Loaded plugins: fastestmirror
    Setting up Update Process
    Loading mirror speeds from cached hostfile
    epel/metalink                                                                                                                                                                                                    |  24 kB     00:00    
     * base: fr.mirror.babylon.network
     * epel: fr.mirror.babylon.network
     * extras: fr.mirror.babylon.network
     * remi: fr.mirror.babylon.network
     * remi-safe: fr.mirror.babylon.network
     * updates: centos.quelquesmots.fr
    MariaDB100                                                                                                                                                                                                       | 2.9 kB     00:00    
    base                                                                                                                                                                                                             | 3.7 kB     00:00    
    elasticsearch-2.x                                                                                                                                                                                                | 2.9 kB     00:00    
    extras                                                                                                                                                                                                           | 3.4 kB     00:00    
    newrelic                                                                                                                                                                                                         |  951 B     00:00    
    remi                                                                                                                                                                                                             | 2.9 kB     00:00    
    remi/primary_db                                                                                                                                                                                                  | 1.6 MB     00:00    
    remi-safe                                                                                                                                                                                                        | 2.9 kB     00:00    
    updates                                                                                                                                                                                                          | 3.4 kB     00:00    
    updates/primary_db                                                                                                                                                                                               | 3.1 MB     00:00    
    Resolving Dependencies
    --> Running transaction check
    ---> Package memcached.x86_64 0:1.4.31-1.el6.remi will be updated
    ---> Package memcached.x86_64 0:1.4.33-1.el6.remi will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ========================================================================================================================================================================================================================================
     Package                                                 Arch                                                 Version                                                          Repository                                          Size
    ========================================================================================================================================================================================================================================
    Updating:
     memcached                                               x86_64                                               1.4.33-1.el6.remi                                                remi                                               107 k
    
    Transaction Summary
    ========================================================================================================================================================================================================================================
    Upgrade       1 Package(s)
    
    Total download size: 107 k
    Is this ok [y/N]: y
    Downloading Packages:
    memcached-1.4.33-1.el6.remi.x86_64.rpm                                                                                                                                                                           | 107 kB     00:00    
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Updating   : memcached-1.4.33-1.el6.remi.x86_64                                                                                                                                                                                   1/2 
      Cleanup    : memcached-1.4.31-1.el6.remi.x86_64                                                                                                                                                                                   2/2 
      Verifying  : memcached-1.4.33-1.el6.remi.x86_64                                                                                                                                                                                   1/2 
      Verifying  : memcached-1.4.31-1.el6.remi.x86_64                                                                                                                                                                                   2/2 
    
    Updated:
      memcached.x86_64 0:1.4.33-1.el6.remi                                                                                                                                                                                                  
    
    Complete!
    
     
    • Like Like x 1
  7. eva2000

    eva2000 Administrator Staff Member

    30,897
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,402
    Local Time:
    8:30 PM
    Nginx 1.13.x
    MariaDB 5.5
    looks like memcached wasn't installed correctly ? if you ran centmin.sh menu option 10, it will install it again.

    yeah remi repo version has update too. Centmin Mod doesn't use Remi repo for memcached as it has other customisations/optimisations in Memcached not available in yum repo version including special setup for OpenVZ VPSes for more sane memory usage.

    also 123.09beta01 has other intel processor specific optimisations that are optional if you set in persistent config file GENERAL_DEVTOOLSETGCC='y' https://community.centminmod.com/th...ble-to-enable-devtoolset-3-gcc-4-9-in-….9020/
     
  8. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    6:30 PM
    latest
    latest
    My custom config includes

    Code (Text):
    MEMCACHED_DISABLED=y
    MEMCACHED_INSTALL=n
    PHP_MEMCACHE='n'
    PHP_MEMCACHED='n'
     
  9. eva2000

    eva2000 Administrator Staff Member

    30,897
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,402
    Local Time:
    8:30 PM
    Nginx 1.13.x
    MariaDB 5.5
    that's why.. no memcached server installed when initial install of centmin mod
     
  10. Derek

    Derek New Member

    28
    9
    3
    Aug 5, 2016
    Ratings:
    +16
    Local Time:
    5:30 AM
    Done. I'm kind of surprised we don't need to restart nginx.
     
  11. eva2000

    eva2000 Administrator Staff Member

    30,897
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,402
    Local Time:
    8:30 PM
    Nginx 1.13.x
    MariaDB 5.5
    centmin.sh menu option 10 restarts php-fpm with memcached php extension and memcached server updates. Memcached you wouldn't need nginx restart unless you are have manually setup memcached at nginx vhost level in your site's nginx vhost.
     
  12. deltahf

    deltahf Active Member

    216
    104
    43
    Jun 8, 2014
    Ratings:
    +161
    Local Time:
    5:30 AM
    Thanks for the update! Upgrade complete.
    I actually had the same issue. memcached -V did not work for me, even though memcached is running fine on my server.

    I had to run /usr/local/bin/memcached -V to get the version number.
     
  13. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    6:30 PM
    latest
    latest
    Code (Text):
    # /usr/local/bin/memcached -V
    -bash: /usr/local/bin/memcached: No such file or directory
    


    I have no use for memcache that's why I disabled it in /etc/centminmod/custom_config.inc
     
  14. eva2000

    eva2000 Administrator Staff Member

    30,897
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,402
    Local Time:
    8:30 PM
    Nginx 1.13.x
    MariaDB 5.5
    strange you should be able to what you get get for command output for
    Code (Text):
    which memcached
    echo $PATH
    

    example
    Code (Text):
    which memcached
    /usr/local/bin/memcached
    

    Code (Text):
    echo $PATH
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/root/bin
    
     
  15. deltahf

    deltahf Active Member

    216
    104
    43
    Jun 8, 2014
    Ratings:
    +161
    Local Time:
    5:30 AM
    Here's my results:
    Code (Text):
    $ which memcached
    /usr/bin/which: no memcached in (/usr/lib64/ccache:/usr/lib64/ccache:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/root/bin:)
    
    $ echo $PATH
    /usr/lib64/ccache:/usr/lib64/ccache:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/root/bin:
    
     
  16. eva2000

    eva2000 Administrator Staff Member

    30,897
    6,907
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,402
    Local Time:
    8:30 PM
    Nginx 1.13.x
    MariaDB 5.5
    in /root/.bashrc there's an export PATH line that you need to manually correct. Backup /root/.bashrc first and then change it to
    Code (Text):
    export PATH="$PATH:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"

    then log out of ssh session and backup to very which memcached command
     
    • Useful Useful x 1
  17. deltahf

    deltahf Active Member

    216
    104
    43
    Jun 8, 2014
    Ratings:
    +161
    Local Time:
    5:30 AM
    Thanks!