I have looked at the list of the existing issues (including closed issues) and searched if my issue has been already reported
I have tried to resolve the issue myself and will describe what I did in a clear and concise manner
Describe the bug
Not long ago we decided to go with this repository and the PPA to build our system on.
It looked like a safe bet, as you have been packaging these things for ages.
Thank you for your work, it really helps in general!
Last week we faced the following issue in production: php-memcached-dev/php-memcached#531. We are using memcached for session storage with persistent connection for automatic failover handling, therefore the random value returns gave back session data of different users.
In the world of GDPR this called for the legal team to take steps, report the data leak and so on.
The issue is actually with libmemcached, of which the newest version in deb.sury.org is 1.1.3 (released last February), while the mentioned issue was fixed in 1.1.4 (https://github.com/awesomized/libmemcached/releases/tag/1.1.4), released last March.
Please package and release libmemcached 1.1.4, so this issue gets fixed and others relying on this repository are not prone to an issue that has serious consequences.
To Reproduce
Have Ubuntu Jammy with deb.sury.org configured, php8.1-fpm, php8.1-memcached installed which depends on libmemcached, for which the latest available version is 1.1.3 currently, which is prone to the server timeout triggered error.
Have a persistent connection setup with multiple servers, high traffic and get one memcached server to timeout, which triggers the random read behaviour in libmemcached 1.1.3.
Your understanding of what is happening
Libmemcached 1.1.3 misbehaves, serving random content for keys, when a memcached server times out.
What steps did you take to resolve issue yourself before reporting it here
Researched the linked issue and release, rolled our own libmemcached 1.1.4 for a quick fix.
We have also implemented an integrity check in our session library, so it can detect if it read data for a different key.
Expected behavior
Packages with important bugfixes to be packaged in due time.
In official Ubuntu releases, Jammy and earlier have 1.0.18, which doesn't have this issue present, while newer versions have 1.1.4 (packaged last Sep-Oct), including the fix for it.
Distribution (please complete the following information):
OS: Ubuntu 22.04
Architecture: amd64
Repository: Ubuntu PPA
Package(s) (please complete the following information):
libmemcached11:
Installed: 1.1.3-1+ubuntu22.04.1+deb.sury.org+1
Candidate: 1.1.3-1+ubuntu22.04.1+deb.sury.org+1
Version table:
*** 1.1.3-1+ubuntu22.04.1+deb.sury.org+1 100
100 /var/lib/dpkg/status
Additional context
None.
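One way to build the integrity check the report mentions, as an added example that is not the reporter's code or part of php-memcached: each stored value carries an HMAC over the cache key it was written under, so a value returned for a different key fails verification. The function names, the secret, the key names and the array standing in for memcached are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: bind a session payload to the cache key it is stored under.
const TAG_LEN = 64; // hex length of an HMAC-SHA256 tag

function session_tag(string $cacheKey, string $payload, string $secret): string
{
    // Length-prefix the key so the key/payload boundary cannot be shifted.
    return hash_hmac('sha256', strlen($cacheKey) . ':' . $cacheKey . $payload, $secret);
}

function seal_session(string $cacheKey, string $payload, string $secret): string
{
    return session_tag($cacheKey, $payload, $secret) . $payload;
}

// Returns the payload, or null when the blob was not written under $cacheKey.
function open_session(string $cacheKey, string $blob, string $secret): ?string
{
    if (strlen($blob) < TAG_LEN) {
        return null;
    }
    $tag = substr($blob, 0, TAG_LEN);
    $payload = substr($blob, TAG_LEN);
    return hash_equals(session_tag($cacheKey, $payload, $secret), $tag) ? $payload : null;
}

// Constructed demo data; a plain array stands in for the memcached pool.
$secret = 'example-secret-loaded-from-config';
$store = [
    'sess_alice' => seal_session('sess_alice', 'user_id=1001', $secret),
    'sess_bob'   => seal_session('sess_bob', 'user_id=2002', $secret),
];

// Normal read: the blob was written under the requested key.
var_dump(open_session('sess_alice', $store['sess_alice'], $secret));

// Faulty read as described in the report: the value of another key comes back.
$misrouted = $store['sess_bob'];
$payload = open_session('sess_alice', $misrouted, $secret);
if ($payload === null) {
    // Treat as a cache miss: start a fresh session and log the mismatch.
    error_log('session integrity check failed for key sess_alice');
}
var_dump($payload);
```

Handling a failed check as a cache miss keeps another user's data out of the session, and counting the mismatches in monitoring makes a faulty client library visible quickly.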
Coincidentally, I already had it packaged, but for some reason I missed the upload. That has been rectified now and the new packages should be available shortly.