Source: redis
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for redis.

CVE-2024-31227[0]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user with sufficient privileges may create a malformed
| ACL selector which, when accessed, triggers a server panic and
| subsequent denial of service. The problem exists in Redis 7 prior to
| versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.

https://github.com/redis/redis/security/advisories/GHSA-38p4-26x2-vqhh
https://github.com/redis/redis/commit/b351d5a3210e61cc3b22ba38a723d6da8f3c298a (7.2.6)

CVE-2024-31228[1]:
| Redis is an open source, in-memory database that persists on disk.
| Authenticated users can trigger a denial-of-service by using
| specially crafted, long string match patterns on supported commands
| such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND
| LIST` and ACL definitions. Matching of extremely long patterns may
| result in unbounded recursion, leading to stack overflow and process
| crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6,
| and 7.4.1. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

https://github.com/redis/redis/security/advisories/GHSA-66gq-c942-6976
https://github.com/redis/redis/commit/c8649f8e852d1dc388b5446e003bb0eefa33d61f (7.2.6)

CVE-2024-31449[2]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user may use a specially crafted Lua script to
| trigger a stack buffer overflow in the bit library, which may
| potentially lead to remote code execution. The problem exists in all
| versions of Redis with Lua scripting. This problem has been fixed in
| Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.

https://github.com/redis/redis/security/advisories/GHSA-whxg-wx83-85p5
https://github.com/redis/redis/commit/fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 (7.2.6)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31227
    https://www.cve.org/CVERecord?id=CVE-2024-31227
[1] https://security-tracker.debian.org/tracker/CVE-2024-31228
    https://www.cve.org/CVERecord?id=CVE-2024-31228
[2] https://security-tracker.debian.org/tracker/CVE-2024-31449
    https://www.cve.org/CVERecord?id=CVE-2024-31449

Please adjust the affected versions in the BTS as needed.
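Added example, not part of the bug report above: a small triage helper that takes the `redis_version` line from a server's `INFO server` output and reports which of the three CVEs it still lacks a fix for, using only the fixed versions and branch scope stated in the advisories. The sample INFO text is constructed; the treatment of branches with no listed fix (older branches are assumed unfixed, newer ones fixed) is an assumption of this helper, not a statement from the report.

```python
import re

# Fixed versions per CVE, keyed by (major, minor) branch, exactly as the
# advisories list them. CVE-2024-31227 is limited to Redis 7; the other two
# were fixed in 6.2.16, 7.2.6 and 7.4.1.
FIXED = {
    "CVE-2024-31227": {(7, 2): (7, 2, 6), (7, 4): (7, 4, 1)},
    "CVE-2024-31228": {(6, 2): (6, 2, 16), (7, 2): (7, 2, 6), (7, 4): (7, 4, 1)},
    "CVE-2024-31449": {(6, 2): (6, 2, 16), (7, 2): (7, 2, 6), (7, 4): (7, 4, 1)},
}

# Constructed sample of the start of "INFO server" from a 7.2.4 instance.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"


def parse_version(info_text):
    """Extract redis_version from INFO output as an (major, minor, patch) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """Return the CVE ids from the report that this version has no fix for."""
    result = []
    branch = version[:2]
    for cve, fixed_by_branch in FIXED.items():
        if branch in fixed_by_branch:
            vulnerable = version < fixed_by_branch[branch]
        else:
            # Assumption: a branch with no listed fix is unfixed if it is older
            # than the newest fixed release (e.g. 6.0.x, 7.0.x) and fixed if newer.
            vulnerable = version < max(fixed_by_branch.values())
        if cve == "CVE-2024-31227" and version[0] < 7:
            vulnerable = False  # the advisory limits this issue to Redis 7
        if vulnerable:
            result.append(cve)
    return result


def check_info(info_text):
    """INFO text in, list of unfixed CVE ids out."""
    return affected_cves(parse_version(info_text))


if __name__ == "__main__":
    print(check_info(SAMPLE_INFO))
```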