Hi Moritz,

> For future updates please include the git commit IDs to debian/patches

Sure. I've added commit IDs to the files in debian/patches and uploaded
redis_3.2.6-3+deb9u1_amd64.changes with those — and no other! — changes.

> E.g. compared to the fix from the upstream 3.2 branch,
> 0012-Security-update-Lua-struct-package-for-security.patch misses
> a few changes, but they seem like unrelated refactoring.

Indeed; I needed to drop the removal of the lua_State argument as that
would have made it FTBFS.

> Did you have a chance to test this? I should be able to test this on a few
> live Redis servers, but that would take a few days, so it would be helpful
> to know which tests you've done so far.

I've tested using the upstream testsuite, the linked PoC, and a few
random/manual tests of my own using "redis-cli".

> Also, the Lua code copies are missing in the data/embedded-code-copies
> file in the Security Tracker.

Added in:

https://salsa.debian.org/security-tracker-team/security-tracker/commit/e0c6313b9728dc81f833eae29ac9e5124b4c6eb5

> I'm wondering whether we can fix Redis for buster to use the system copy
> of Lua?

Good idea. Filed as #901669.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-