Your message dated Sat, 04 Mar 2023 11:19:23 +0000
with message-id <[email protected]>
and subject line Bug#1032279: fixed in redis 5:7.0.9-1
has caused the Debian Bug report #1032279,
regarding redis: CVE-2023-25155
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1032279: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032279
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: redis
Version: 5:7.0.8-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for redis.
CVE-2023-25155[0]:
| Redis is an in-memory database that persists on disk. Authenticated
| users issuing specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and
| `HRANDFIELD` commands can trigger an integer overflow, resulting in a
| runtime assertion and termination of the Redis server process. This
| problem affects all Redis versions. Patches were released in Redis
| version(s) 6.0.18, 6.2.11 and 7.0.9.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-25155
https://www.cve.org/CVERecord?id=CVE-2023-25155
[1] https://github.com/redis/redis/security/advisories/GHSA-x2r7-j9vw-3w83
[2] https://github.com/redis/redis/commit/2a2a582e7cd99ba3b531336b8bd41df2b566e619
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
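As an added example (not part of the bug report, the advisory, or Debian's own tooling), the following Python helper triages a Debian redis package version against the upstream fixed releases named in the CVE text above; the function names and the `FIXED_UPSTREAM` table are assumptions. It compares only the upstream part of the version, so a Debian stable security update that backports the fix under a lower upstream version would still be reported as unfixed; the security tracker entry is authoritative for those.

```python
import re

# Upstream releases that carry the fix, per the advisory text in the bug
# report: 6.0.18, 6.2.11 and 7.0.9. Any other branch has no listed fix.
FIXED_UPSTREAM = {
    (6, 0): (6, 0, 18),
    (6, 2): (6, 2, 11),
    (7, 0): (7, 0, 9),
}


def parse_debian_version(version):
    """Split a Debian version '[epoch:]upstream[-revision]' into its parts.

    Returns (epoch, upstream_tuple, revision). The upstream part is reduced
    to a tuple of its leading numeric components, e.g. '7.0.9' -> (7, 0, 9).
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    # The Debian revision follows the last hyphen; upstream versions may
    # themselves contain hyphens, so split on the last one only.
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # native package: no revision at all
        upstream, revision = revision, ""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", upstream)
    if m is None:
        raise ValueError(f"unrecognised upstream version: {upstream!r}")
    return epoch, tuple(int(x) for x in m.groups()), revision


def is_fixed_upstream(version):
    """True if the upstream version inside a Debian version string is at or
    above the fixed release of its branch (constructed triage helper, not a
    Debian tool). Branches with no listed fix always return False.
    """
    _, upstream, _ = parse_debian_version(version)
    fixed = FIXED_UPSTREAM.get(upstream[:2])
    return fixed is not None and upstream >= fixed


if __name__ == "__main__":
    # Constructed sample inputs: the affected and fixed versions from the
    # bug report plus a few other branches.
    for v in ["5:7.0.8-4", "5:7.0.9-1", "5:6.0.16-1", "5:6.2.11-1", "5:5.0.14-1"]:
        print(v, "fixed upstream" if is_fixed_upstream(v) else "not fixed upstream")
```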
--- Begin Message ---
Source: redis
Source-Version: 5:7.0.9-1
Done: Chris Lamb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated redis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 04 Mar 2023 11:01:59 +0000
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.9-1
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1032279
Changes:
redis (5:7.0.9-1) unstable; urgency=high
.
* New upstream security release:
- CVE-2023-25155: Authenticated users issuing specially crafted
`SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an
integer overflow, resulting in a runtime assertion and termination of
the Redis server process. (Closes: #1032279)
- CVE-2022-36021: Authenticated users can use string matching commands
(like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a
denial-of-service attack on Redis, causing it to hang and consume 100%
CPU time.
* Refresh patches.
* Extend our USE_SYSTEM_JEMALLOC patch to support latest version.
--- End Message ---