Your message dated Sat, 11 Oct 2025 08:47:38 +0200
with message-id <[email protected]>
and subject line Re: Accepted redis 5:8.0.4-1 (source) into unstable
has caused the Debian Bug report #1117553,
regarding redis: CVE-2025-49844 CVE-2025-46817 CVE-2025-46818 CVE-2025-46819
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1117553: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117553
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: redis
Version: 5:6.0.16-1+deb11u7
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for redis.
CVE-2025-49844[0]:
| Redis is an open source, in-memory database that persists on disk.
| Versions 8.2.1 and below allow an authenticated user to use a
| specially crafted Lua script to manipulate the garbage collector,
| trigger a use-after-free and potentially lead to remote code
| execution. The problem exists in all versions of Redis with Lua
| scripting. This issue is fixed in version 8.2.2. To work around this
| issue without patching the redis-server executable, prevent users from
| executing Lua scripts. This can be done using ACL to restrict the EVAL
| and EVALSHA commands.
CVE-2025-46817[1]:
| Redis is an open source, in-memory database that persists on disk.
| Versions 8.2.1 and below allow an authenticated user to use a
| specially crafted Lua script to cause an integer overflow and
| potentially lead to remote code execution. The problem exists in all
| versions of Redis with Lua scripting. This issue is fixed in version
| 8.2.2.
CVE-2025-46818[2]:
| Redis is an open source, in-memory database that persists on disk.
| Versions 8.2.1 and below allow an authenticated user to use a
| specially crafted Lua script to manipulate different Lua objects and
| potentially run their own code in the context of another user. The
| problem exists in all versions of Redis with Lua scripting. This
| issue is fixed in version 8.2.2. A workaround to mitigate the
| problem without patching the redis-server executable is to prevent
| users from executing Lua scripts. This can be done using ACL to
| block a script by restricting both the EVAL and FUNCTION command
| families.
CVE-2025-46819[3]:
| Redis is an open source, in-memory database that persists on disk.
| Versions 8.2.1 and below allow an authenticated user to use a
| specially crafted Lua script to read out-of-bound data or crash the
| server, with subsequent denial of service. The problem exists in all
| versions of Redis with Lua scripting. This issue is fixed in version
| 8.2.2. To work around this issue without patching the redis-server
| executable, prevent users from executing Lua scripts. This can be
| done using ACL to block a script by restricting both the EVAL and
| FUNCTION command families.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-49844
https://www.cve.org/CVERecord?id=CVE-2025-49844
[1] https://security-tracker.debian.org/tracker/CVE-2025-46817
https://www.cve.org/CVERecord?id=CVE-2025-46817
[2] https://security-tracker.debian.org/tracker/CVE-2025-46818
https://www.cve.org/CVERecord?id=CVE-2025-46818
[3] https://security-tracker.debian.org/tracker/CVE-2025-46819
https://www.cve.org/CVERecord?id=CVE-2025-46819
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
--- End Message ---
--- Begin Message ---
Source: redis
Source-Version: 5:8.0.4-1
On Sat, Oct 04, 2025 at 08:41:14PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Fri, 03 Oct 2025 10:37:53 -0700
> Source: redis
> Architecture: source
> Version: 5:8.0.4-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Chris Lamb <[email protected]>
> Changed-By: Chris Lamb <[email protected]>
> Changes:
> redis (5:8.0.4-1) unstable; urgency=medium
> .
> * New upstream release.
> - Drop two security patches that were applied upstream.
> * Refresh patches.
> Checksums-Sha1:
> 522c18e4feae4882e8ae70c67b4edb47069b95ee 2228 redis_8.0.4-1.dsc
> 26863246b68336dad6efac7b6fe084c16e74e809 3872218 redis_8.0.4.orig.tar.gz
> 9bb13766130c18462c530768a463ea085e831bff 31016 redis_8.0.4-1.debian.tar.xz
> 9a92c3cf2ce6c03676538a47ff76661b4860f97e 4585 redis_8.0.4-1_source.buildinfo
> Checksums-Sha256:
> 572354a6d2c20dec0217b9861c4f9f8e62d096639f75c04e30cddfa1ca50d5ec 2228
> redis_8.0.4-1.dsc
> aadd6b0aac9ea0178b3c9a1a78469f2085752f743d563feba639d2e2c69c7ad1 3872218
> redis_8.0.4.orig.tar.gz
> d40a1d4f9a86fe9bb993e25705ddd9ea96d931e0733c678d6a9fa4e2e09dbd2d 31016
> redis_8.0.4-1.debian.tar.xz
> e0612c913475e39a78373d2cec845d315efa53331bea02448740bf0f19be203b 4585
> redis_8.0.4-1_source.buildinfo
> Files:
> df26b6e0997d12428897f6dbc4eed35d 2228 database optional redis_8.0.4-1.dsc
> 84ca4495b843483659cb5bc92df473ec 3872218 database optional
> redis_8.0.4.orig.tar.gz
> ea827d098a112c3c6dc31cc41c8519ec 31016 database optional
> redis_8.0.4-1.debian.tar.xz
> 1fe6ff5e8da1422e1d08cecf3920bff4 4585 database optional
> redis_8.0.4-1_source.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmjheIUACgkQHpU+J9Qx
> Hlh7RBAAtCP8+NhO2lYfVfhqteVGIOaI3TgVmWfs5A0iDDd8ccLeMa0mrd+ey6Bk
> 3stGXyjx1OmCr8x5OwLYwNq3g7jCgEykIDSmbrb4Y/OTB8CQotQcqHdGQup45zjH
> 1aEQJjQ13Y5xZa/nJ+hqWms6C+L3sOS7kqy9u6odrXfkA08xkAbgbiwZn5oR/sdR
> pUfLfQuwdNq2lLGKe6phXzhHqVDyzM3MmuF7XJIMHq1DiHyAddn4bQ+e/feZHUkJ
> WpjZy+xuP9xl4h01Z5YLEcLHERWPRqeRTkmBe4/ylnTTNC2ybtfepq3jTt3lxl5D
> 0u/q+V+n24b+MOYqiA/A5U3+dDD0cO56eursfLxQrztxvSgFTyZWJMYBQn/gnsDK
> xjsO0fJ/aHX2o96Xs831d/ZTumaLPO2xLJEAr5oprTfXEqlE4SRZWFOhKT7RxCzD
> zAchTcJVf9ODXZOhuj6SpkvL15pEw4l0LSeeyZoYO/tyb6WIqCio2AU4GibpBZpH
> sqmw3IxwGQJuKbXGhgJwKMZTMFD4FtHBziC5x2tdLmV4/QwPRKiXPRPJdZl6mmmW
> JTKAdXm3ZuwfTF72cJrVr/Kw7ge/+yPQhPpPowDqUPwAqR6Te5gZOM5AhBjN7z0D
> pWSMpF8dsSsd/xcM+iGYrextOsh5Qj9HWL/FaqezrJCCR1rXgtI=
> =14Bh
> -----END PGP SIGNATURE-----
--- End Message ---