Your message dated Tue, 15 Jul 2025 21:00:14 +0200
with message-id <[email protected]>
and subject line Re: redis: CVE-2025-27151
has caused the Debian Bug report #1106822,
regarding redis: CVE-2025-27151
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1106822: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106822
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: redis
Version: 5:8.0.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 5:7.0.15-3
Control: found -1 5:7.0.15-1

Hi,

The following vulnerability was published for redis.

CVE-2025-27151[0]:
| Redis is an open source, in-memory database that persists on disk.
| In versions starting from 7.0.0 to before 8.0.2, a stack-based
| buffer overflow exists in redis-check-aof due to the use of memcpy
| with strlen(filepath) when copying a user-supplied file path into a
| fixed-size stack buffer. This allows an attacker to overflow the
| stack and potentially achieve code execution. This issue has been
| patched in version 8.0.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27151
    https://www.cve.org/CVERecord?id=CVE-2025-27151
[1] https://github.com/redis/redis/security/advisories/GHSA-5453-q98w-cmvm

Regards,
Salvatore

--- End Message ---
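The advisory quoted above describes the defect as a memcpy bounded by strlen(filepath) rather than by the size of the destination stack buffer. The following is an added illustration, not Redis code and not from the bug report: the unsafe pattern is shown only as a comment, and the hardened form bounds the copy by the destination capacity. PATH_BUF_SIZE, copy_path_checked and path_fits are constructed names for this example.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffer of the kind the advisory describes.
   PATH_BUF_SIZE is a constructed value for this example, not Redis's. */
#define PATH_BUF_SIZE 64

/* Unsafe pattern (kept as a comment so it is never executed):
 *
 *     char buf[PATH_BUF_SIZE];
 *     memcpy(buf, filepath, strlen(filepath));   // copy bounded by the source
 *
 * strlen() reports the caller's length, not the buffer's capacity, so any
 * path of PATH_BUF_SIZE bytes or more writes past the end of buf. */

/* Hardened form: the destination capacity, not the source length, bounds
   the copy. Returns 0 on success, -1 if the path plus its terminator does
   not fit; the caller must handle the failure instead of continuing. */
int copy_path_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz) {   /* leave room for the NUL terminator */
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Convenience wrapper: try to place `path` in a PATH_BUF_SIZE stack buffer
   and report 1 if it was accepted, 0 if it was rejected as too long. */
int path_fits(const char *path)
{
    char buf[PATH_BUF_SIZE];
    return copy_path_checked(buf, sizeof buf, path) == 0;
}

int main(void)
{
    char buf[PATH_BUF_SIZE];
    const char *ok = "appendonly.aof";              /* constructed input */
    char too_long[PATH_BUF_SIZE * 2];               /* constructed input */
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    printf("%s -> %d\n", ok, copy_path_checked(buf, sizeof buf, ok));
    printf("%zu-byte path -> %d\n", strlen(too_long),
           copy_path_checked(buf, sizeof buf, too_long));
    return 0;
}
```

The boundary matters: a path of exactly PATH_BUF_SIZE - 1 bytes is the longest that fits with its terminator, and anything longer is rejected rather than truncated silently, so a caller that ignores the return value still never writes past the buffer.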
--- Begin Message ---
Source: redis
Source-Version: 5:8.0.2-2

Hi

On Tue, Jul 15, 2025 at 05:27:38PM +0200, Paul Gevers wrote:
> Hi,
> 
> On Fri, 30 May 2025 12:10:13 -0700 "Chris Lamb" <[email protected]> wrote:
> > This is fixed in Git by updating to the 8.0.2 point release. I will
> > upload once I get clarity on the status of 8.0.x in trixie.
> 
> The upload of 8.0.2 already happened, but this bug isn't closed. I assume
> that's just an oversight?
> 
> With this version, isn't CVE-2025-49112 also fixed?

Not the maintainer, but interested to have CVE tracking correct. So it
looks like the packaging repository has a tag for 5:8.0.2-1, but that
upload never entered the archive apparently, the next one 5:8.0.2-2
did enter, so let's close it with that version being the first in
unstable containing the fix.

Regards,
Salvatore

--- End Message ---