#1133890 Memory leaks in apt-cacher-ng 3.7.5-1 on Debian Trixie

Package:
apt-cacher-ng
Source:
apt-cacher-ng
Description:
caching proxy server for software repositories
Submitter:
Sebastian Döring
Date:
2026-04-15 10:39:02 UTC
Severity:
normal
Tags:
#1133890#5
Date:
2026-04-15 10:30:43 UTC
From:
To:
We've recently upgraded our apt-cacher-ng from Debian Bullseye (acng
3.6.4-1) to Trixie and noticed unbounded memory leakage which resulted
in OOM (32 GB RAM) in ~36 hours (20260413_14h47m21s_apt-cacher-ng.png).
We've mitigated the issue by restarting the service in regular
intervals, but I wasn't happy with this workaround.

cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
NAME="Debian GNU/Linux"
VERSION_ID="13"
VERSION="13 (trixie)"
VERSION_CODENAME=trixie
DEBIAN_VERSION_FULL=13.4
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

uname -a
Linux filehost01 6.12.74+deb13+1-amd64 #1 SMP PREEMPT_DYNAMIC Debian
6.12.74-2 (2026-03-08) x86_64 GNU/Linux

Since I'm not a C++ expert, I've decided to burn some tokens and tasked
GitHub Copilot CLI (via Claude Opus) to analyze the commits between
3.6.4 .. 3.7.5 + the repository code in general for potential leaks. I
will attach the four patches for potential issues that Copilot / Claude
Opus came up with. The tcpconnect.cc SSL leak seems to be the main
culprit (we use some apt sources on our hosts via
http://acnghost:3124/HTTPS///, which also executed apt-get update very
often). Also in 2019 (commit: 527c1dece5aa56c53f019872ace6e6ebbb74238a)
the comparison of the DNS cache (dns_exp_q.front()->second->m_expTime <=
now) seems to have been inverted accidentally.

After rebuilding from source with the attached patches applied, memory
usage is much reduced (20260414_10h02m37s_apt-cacher-ng-patched.png).
There might still be some very minor leakage (RSS went up from 20288 to
55540 overnight), but it seems quite stable now at this value. It could
be worthwhile to dig deeper using valgrind and such, but I don't have
the setup for that right now.

*Disclosure:* The provided patches have been authored in their entirety
by machine learning and casually reviewed by me (the last time I did
anything with C++ is probably 10 years ago). I hope there's no double
free() now; the SSL BIO stuff goes over my head a bit. At the very
least, it hasn't produced a crash yet.
Since the AI/LLM sphere is a hot-button topic in the community, feel
free to disregard the proposed patches and you could recognize this mail
as a mere bug report.

Best regards,

Sebastian Döring

Senior System Administrator
Infrastructure Server and Service Operations

1&1 Telecommunication SE | Hinterm Hauptbahnhof 3 | 76137 Karlsruhe |
Deutschland
E-Mail: sebastian.doering@1und1.de | Web: www.1und1.de <
https://www.1und1.de >
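
The DNS-cache point in the report above, as an added example (not apt-cacher-ng code and not one of the attached patches): a constructed C++ model of an expiry-ordered queue, showing why the direction of a comparison such as `m_expTime <= now` decides whether expired entries are ever released. The class and function names, the one-insert-per-second load and the 30-second prune interval are assumptions of the example.

```cpp
// Constructed model of an expiry-ordered cache; NOT apt-cacher-ng code.
// Entry, ExpiryCache and simulate are hypothetical names for illustration.
#include <cstddef>
#include <deque>
#include <iostream>
#include <string>
#include <unordered_map>

struct Entry { long expTime; };

class ExpiryCache {
    std::unordered_map<std::string, Entry> byHost_;
    std::deque<std::string> expQ_;  // keys in insertion order, oldest expiry in front
    bool inverted_;                 // true = prune with the flipped comparison
public:
    explicit ExpiryCache(bool inverted) : inverted_(inverted) {}

    void insert(const std::string& host, long now, long ttl) {
        if (byHost_.emplace(host, Entry{now + ttl}).second)
            expQ_.push_back(host);
    }
    // Pop from the front while the comparison says "drop this entry".
    void prune(long now) {
        while (!expQ_.empty()) {
            long exp = byHost_.at(expQ_.front()).expTime;
            bool drop = inverted_ ? (exp > now) : (exp <= now);
            if (!drop) break;  // inverted: an expired front entry blocks the queue
            byHost_.erase(expQ_.front());
            expQ_.pop_front();
        }
    }
    std::size_t size() const { return byHost_.size(); }
};

// Assumed load: one new host per second, TTL 10 s, prune every 30 s.
std::size_t simulate(bool inverted, long seconds) {
    ExpiryCache cache(inverted);
    for (long t = 0; t < seconds; ++t) {
        if (t > 0 && t % 30 == 0) cache.prune(t);
        cache.insert("host" + std::to_string(t), t, 10);
    }
    return cache.size();
}

int main() {
    std::cout << "entries after 1 h, correct test:  " << simulate(false, 3600) << "\n";
    std::cout << "entries after 1 h, inverted test: " << simulate(true, 3600) << "\n";
}
```

With the correct test the model stays bounded by the prune interval; with the flipped one the first expired entry at the front stops every prune pass, so the cache grows with the number of distinct hosts seen.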