Your message dated Wed, 12 Jul 2023 09:20:45 +0000
with message-id <e1qjw1d-005z1g...@fasolo.debian.org>
and subject line Bug#1040879: fixed in redis 5:7.0.12-1
has caused the Debian Bug report #1040879,
regarding redis: CVE-2023-36824: Heap overflow in COMMAND GETKEYS and ACL evaluation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1040879: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040879
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: redis
Version: 5:7.0.11-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for redis.

CVE-2023-36824[0]:
| Redis is an in-memory database that persists on disk. In Redis 7.0
| prior to 7.0.12, extracting key names from a command and a list of
| arguments may, in some cases, trigger a heap overflow and result in
| reading random heap memory, heap corruption and potentially remote
| code execution. Several scenarios that may lead to authenticated
| users executing a specially crafted `COMMAND GETKEYS` or `COMMAND
| GETKEYSANDFLAGS` and authenticated users who were set with ACL rules
| that match key names, executing a specially crafted command that
| refers to a variadic list of key names. The vulnerability is patched
| in Redis 7.0.12.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-36824
    https://www.cve.org/CVERecord?id=CVE-2023-36824
[1] https://github.com/redis/redis/security/advisories/GHSA-4cfx-h9gq-xpx3

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: redis
Source-Version: 5:7.0.12-1
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1040...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 12 Jul 2023 10:07:09 +0100
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.12-1
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <la...@debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 1040879
Changes:
 redis (5:7.0.12-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2022-24834: A specially-crafted Lua script executing in Redis could
       have triggered a heap overflow in the cjson and cmsgpack libraries and
       result in heap corruption and potentially remote code execution. The
       problem exists in all versions of Redis with Lua scripting support and
       affects only authenticated/authorised users.
 .
     - CVE-2023-36824: Extracting key names from a command and a list of
       arguments may, in some cases, have triggered a heap overflow and result
       in reading random heap memory, heap corruption and potentially remote
       code execution. (Specifically using COMMAND GETKEYS* and validation of
       key names in ACL rules). (Closes: #1040879)
 .
     For more information, please see:
 .
       <https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES>
Checksums-Sha1:
 cbdc088ee6756cbd2a3ad0f733e8585b2729ea8f 2273 redis_7.0.12-1.dsc
 8501fb1a782fd3050ef914763964ef123228a794 3023189 redis_7.0.12.orig.tar.gz
 4a808c73c1c7f20d29e5d1ae80e844d04d4683cf 28592 redis_7.0.12-1.debian.tar.xz
 216db95f9609f82497b019a88dae15d057a92d40 7474 redis_7.0.12-1_amd64.buildinfo
Checksums-Sha256:
 e011831d24088b9d946cbe0e9422663adbf52197d51293fb00b55f01d8a073f9 2273 redis_7.0.12-1.dsc
 13d4689454e29e7b9f1161b544e6d08b0ddd27d057859fde7b1916869b3bf701 3023189 redis_7.0.12.orig.tar.gz
 dd8db40f47f60e78514166de827f1e6802c7eaa181f4da17f2eeac743f4bc8b9 28592 redis_7.0.12-1.debian.tar.xz
 990f2694dc3788fb7d1671e2b2598f85fdc5cf443df2ac49bfbe520e7e7c9e42 7474 redis_7.0.12-1_amd64.buildinfo
Files:
 c66d1c9beac34f026b96491132c25fd7 2273 database optional redis_7.0.12-1.dsc
 4a51b64a7d2ec7b71aef4c972f116e0c 3023189 database optional redis_7.0.12.orig.tar.gz
 ae25676f4760b2f2b67150f8211b18a4 28592 database optional redis_7.0.12-1.debian.tar.xz
 14e133e60374683238be9db7e877b0c8 7474 database optional redis_7.0.12-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
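The fixed versions named in this report (upstream 7.0.12, Debian 5:7.0.12-1) and the ACL condition in the CVE text give an operator two concrete things to check. The following Python is an added example, not code from the Debian bug report, the Redis project or the package maintainer: it parses constructed samples of `redis-cli INFO server` and `ACL LIST` output, reports whether the running 7.0.x version falls before the fix, splits a Debian version string into epoch, upstream and revision, and lists users whose ACL rules restrict keys by pattern (the scenario the CVE text names). The sample output, the zero-filled password hashes, the user names and the key patterns are all constructed; treating `allkeys` / `~*` as "no key-name matching takes place" is an assumption of this example, not a statement from the report.

```python
"""Exposure triage for CVE-2023-36824 as described in Debian bug #1040879.

Added example: not part of the bug report, Redis, or the Debian package.
Parses constructed INFO/ACL LIST samples; nothing here contacts a server.
"""
import re

FIXED_UPSTREAM = (7, 0, 12)   # "patched in Redis 7.0.12" per the CVE text

# Constructed sample of `redis-cli INFO server` output (relevant lines only).
SAMPLE_INFO = """# Server
redis_version:7.0.11
redis_git_sha1:00000000
redis_mode:standalone
"""

# Constructed sample of `ACL LIST` output; the '#' hashes are zero placeholders.
_FAKE_HASH = "#" + "0" * 64
SAMPLE_ACL = "\n".join([
    "user default on nopass sanitize-payload ~* &* +@all",
    f"user app on {_FAKE_HASH} ~cache:* %R~session:* &* +@read +@write",
    f"user ro on {_FAKE_HASH} ~* &* +@read",
])


def parse_version(text):
    """'7.0.11' -> (7, 0, 11); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def redis_version_from_info(info_text):
    """Extract the redis_version field from INFO output."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return parse_version(line.split(":", 1)[1].strip())
    raise ValueError("redis_version not found in INFO output")


def split_debian_version(version):
    """'5:7.0.12-1' -> (5, '7.0.12', '1'); epoch and revision are optional."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                       # no revision: everything is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def upstream_is_affected(version_tuple):
    """True/False for the 7.0 branch named in the CVE text; None otherwise.

    The report only states "7.0 prior to 7.0.12", so other branches are
    reported as unknown rather than guessed.
    """
    if version_tuple[:2] != (7, 0):
        return None
    return version_tuple < FIXED_UPSTREAM


def debian_package_is_affected(pkg_version):
    """Apply the same check to a Debian version such as '5:7.0.11-1'."""
    _epoch, upstream, _rev = split_debian_version(pkg_version)
    return upstream_is_affected(parse_version(upstream))


def users_with_key_patterns(acl_list_text):
    """Names of users whose ACL rules match key names by pattern.

    Heuristic (assumption of this example): a key selector other than
    '~*' / allkeys means key-name matching is performed for that user,
    which is the ACL scenario the CVE description calls out.
    """
    flagged = []
    for line in acl_list_text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "user":
            continue
        patterns = []
        for tok in tokens[2:]:
            if tok.startswith("~"):                 # ~pattern
                patterns.append(tok[1:])
            elif tok.startswith("%") and "~" in tok:  # %R~ / %W~ / %RW~pattern
                patterns.append(tok.split("~", 1)[1])
            elif tok == "allkeys":
                patterns.append("*")
        if any(p != "*" for p in patterns):
            flagged.append(tokens[1])
    return flagged


if __name__ == "__main__":
    print("running:", redis_version_from_info(SAMPLE_INFO),
          "affected:", upstream_is_affected(redis_version_from_info(SAMPLE_INFO)))
    print("pattern-restricted users:", users_with_key_patterns(SAMPLE_ACL))
```

Feed it real output by replacing the two sample strings with the text of `redis-cli INFO server` and `redis-cli ACL LIST`, and the Debian string with `dpkg-query -W -f='${Version}' redis-server`; users that appear in the flagged list on a pre-7.0.12 instance are the ones the ACL scenario in the advisory applies to, so that host goes first in the upgrade order.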
