Your message dated Sat, 12 Jul 2025 18:34:10 +0000
with message-id <e1uaf34-00ag1y...@fasolo.debian.org>
and subject line Bug#1108975: fixed in redis 5:8.0.2-2
has caused the Debian Bug report #1108975,
regarding redis: CVE-2025-32023
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1108975: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108975
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: redis
Version: 5:8.0.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for redis.

CVE-2025-32023[0]:
| Redis is an open source, in-memory database that persists on disk.
| From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an
| authenticated user may use a specially crafted string to trigger a
| stack/heap out of bounds write on hyperloglog operations,
| potentially leading to remote code execution. The bug likely affects
| all Redis versions with hyperloglog operations implemented. This
| vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An
| additional workaround to mitigate the problem without patching the
| redis-server executable is to prevent users from executing
| hyperloglog operations. This can be done using ACL to restrict HLL
| commands.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-32023
    https://www.cve.org/CVERecord?id=CVE-2025-32023
[1] https://github.com/redis/redis/security/advisories/GHSA-rp2m-q4j6-gr43
[2] https://github.com/redis/redis/commit/50188747cbfe43528d2719399a2a3c9599169445

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
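The ACL-based workaround named in the advisory text above, as an added example that is not part of the bug report, of Debian's packaging or of Redis's own tooling: a small Python evaluator that applies Redis ACL command rules left to right, the way Redis does, and reports which hyperloglog commands each entry in a users.acl file still permits. The command-category table is a constructed subset (the @hyperloglog membership follows what `ACL CAT hyperloglog` lists on Redis 7/8; the other categories are stand-ins for the real @all), the users.acl lines are constructed, and the passwords are placeholders.

```python
"""Check which hyperloglog (HLL) commands a Redis users.acl entry still permits.

Added example for the CVE-2025-32023 workaround (restricting HLL commands
with ACLs); it is not Debian's, Redis's or the bug reporter's code.
"""

# Constructed subset of Redis command categories. The @hyperloglog membership
# follows what `ACL CAT hyperloglog` lists on Redis 7/8; the remaining
# categories are small stand-ins for the real @all so the evaluator has a
# command universe to work with.
CATEGORIES = {
    "hyperloglog": {"pfadd", "pfcount", "pfmerge", "pfdebug", "pfselftest"},
    "string": {"get", "set", "incr"},
    "read": {"get", "pfcount"},
    "write": {"set", "incr", "pfadd", "pfmerge"},
}
CATEGORIES["all"] = set().union(*CATEGORIES.values())
HLL_COMMANDS = frozenset(CATEGORIES["hyperloglog"])


def allowed_commands(rules):
    """Apply ACL command rules left to right, as Redis does, and return the
    set of commands the user ends up allowed to call.

    Only command rules change the result; on/off, passwords (>... or #...),
    key patterns (~...) and channel patterns (&...) are skipped.
    """
    allowed = set()
    for rule in rules:
        token = rule.lower()
        if token in ("allcommands", "+@all"):
            allowed |= CATEGORIES["all"]
        elif token in ("nocommands", "-@all"):
            allowed.clear()
        elif token[:2] in ("+@", "-@"):
            category = CATEGORIES.get(token[2:])
            if category is None:
                raise ValueError(f"unknown category in rule {rule!r}")
            if token[0] == "+":
                allowed |= category
            else:
                allowed -= category
        elif token[:1] in ("+", "-"):
            # Drop any |subcommand suffix: this toy model tracks whole commands only.
            command = token[1:].split("|", 1)[0]
            if token[0] == "+":
                allowed.add(command)
            else:
                allowed.discard(command)
    return allowed


def parse_acl_line(line):
    """Split one `user <name> <rule>...` line into (name, rules)."""
    parts = line.split()
    if len(parts) < 2 or parts[0].lower() != "user":
        raise ValueError(f"not a user definition: {line!r}")
    return parts[1], parts[2:]


def audit(acl_text):
    """Map each user in a users.acl file to the sorted list of HLL commands
    the user can still call. An empty list means the workaround is in place
    for that user."""
    findings = {}
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, rules = parse_acl_line(line)
        findings[name] = sorted(allowed_commands(rules) & HLL_COMMANDS)
    return findings


# Constructed sample users.acl; passwords are placeholders, not real secrets.
SAMPLE_ACL = """\
# constructed sample, not from a real deployment
user default on nopass ~* &* +@all
user app on >placeholder-secret ~app:* &* +@all -@hyperloglog
user reporting on >placeholder-secret ~* &* +@all -@hyperloglog +pfcount
user legacy on >placeholder-secret ~* &* allcommands
"""

if __name__ == "__main__":
    for name, exposed in audit(SAMPLE_ACL).items():
        status = "OK (no HLL commands)" if not exposed else "EXPOSED: " + " ".join(exposed)
        print(f"{name:<10} {status}")
```

The `reporting` entry shows why rule order matters: `-@hyperloglog` followed by `+pfcount` re-adds one HLL command, so that user is not covered by the workaround even though the category was removed. Because `ACL LIST` on a running server prints entries in the same `user <name> <rules>` form (with hashed `#...` password tokens, which the evaluator skips), the same `audit` function can be run over that output to check live configuration rather than the file on disk.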
--- Begin Message ---
Source: redis
Source-Version: 5:8.0.2-2
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1108...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 08 Jul 2025 14:02:33 -0700
Source: redis
Architecture: source
Version: 5:8.0.2-2
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <la...@debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 1108975 1108981
Changes:
 redis (5:8.0.2-2) unstable; urgency=high
 .
   * CVE-2025-32023: An authenticated user may have used a specially-crafted
     string to trigger a stack/heap out-of-bounds write during hyperloglog
     operations, potentially leading to remote code execution. Installations
     that used Redis' ACL system to restrict hyperloglog "HLL" commands are
     unaffected by this issue. (Closes: #1108975)
   * CVE-2025-48367: An unauthenticated connection could have caused repeated IP
     protocol errors, leading to client starvation and ultimately become a
     Denial of Service (DoS) attack. (Closes: #1108981)
Checksums-Sha1:
 2fe36b937a374aabd2d319ed96cc56613a29a652 2228 redis_8.0.2-2.dsc
 2a80573fb0296f31f4413e8c591361006cb31d4d 3860147 redis_8.0.2.orig.tar.gz
 c5c4ac174c55ae7737b4c17ee8d254fae2df4c09 33004 redis_8.0.2-2.debian.tar.xz
 4a8d32c0fee9d5d03607fe9d76e4c449d8af79e8 5853 redis_8.0.2-2_source.buildinfo
Checksums-Sha256:
 63133ff1dfa27771e3f921b9f733dfdd51949034bd8189febb0434cfa65b7191 2228 redis_8.0.2-2.dsc
 caf3c0069f06fc84c5153bd2a348b204c578de80490c73857bee01d9b5d7401f 3860147 redis_8.0.2.orig.tar.gz
 6e16503474e4627b38fe11a3a78b9d6abb8eb9f01ed28f2708526b81b913cb96 33004 redis_8.0.2-2.debian.tar.xz
 8a34ab4b24606a9cbeefb2629044eced105efb124abd1fae166afe29e282f105 5853 redis_8.0.2-2_source.buildinfo
Files:
 6a2457425b31985a408c7e16b0348512 2228 database optional redis_8.0.2-2.dsc
 fb9874e35f105ce3b0ac998ce8f5f0db 3860147 database optional redis_8.0.2.orig.tar.gz
 7c83313b1238c6ec584ffa0273bae98e 33004 database optional redis_8.0.2-2.debian.tar.xz
 c9fd84f83b52a95bd382f5a1f10929c7 5853 database optional redis_8.0.2-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmhyphYACgkQHpU+J9Qx
HljhFxAAvdKA2qL+jDmMrksLWAlZfkr0C+yPTmefC1i2R/NezUaZEmwatWS677I1
aeGJu5V7SxjooR+MJFSDCBZFnrxF71sSzuISgheYBezHM8shj8lKyJdbjB/y76R4
MHPhpz5smzs4f5kEv+BCiUQY/gP2m+/kpTm+9rkgv7cmvlbaZ575pR/L7ZWvmqwh
3kIOnnQ/XJ1llOXq8B/Q559jeTrBHHLmDWKfmg6uhKLU8v1XGmtZgnhxrjbIjcvS
0qHSIGkXFdgZw/yUlpJsdbEsOGYY4rBw9gHvz6SoZRpQTQ4raFM8S3zrSHMblZxE
qIiwIWc3FNcPBMW3HdzrI9lnrNSJbTcTDG9rMD0SIucOffVF/v8LtkO8kb2JyJFt
eVWrfH/GQADVMdpP5huA5k5bg6SPUVzPNqXabVwZ1+Ob2C+gxxy26wPXQaFcN/rx
gku4o2pcWzOD3/CgsCpA0FXTg7reA/6jZOCZ1zXVOSsee7RApCrOjJV5pCeOLHAl
nDX5pfdgNwvHaMuj9U3yPbmcgkYBxdJi3s5x9hZjnjS4fpho01cdIzxmmIBUIEYn
UynyDvAbKQdfQUO6gRtkVLQ7VSsBDOe7HZHUNLsSZcfg4on5oErYF5feEKrfxvzG
EpO5+gqt8f7WGJ8t26HrA6f1mwo8yD9RvaQ3xP5fMih0HHtg5fs=
=F+Qe
-----END PGP SIGNATURE-----

Attachment: pgpZ7JN9uJ1Tc.pgp
Description: PGP signature


--- End Message ---
