Your message dated Wed, 09 Oct 2024 22:08:45 +0000
with message-id <e1syern-00cduj...@fasolo.debian.org>
and subject line Bug#1084805: fixed in redis 5:7.0.15-2
has caused the Debian Bug report #1084805,
regarding redis: CVE-2024-31227 CVE-2024-31228 CVE-2024-31449
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1084805: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084805
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: redis
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for redis.

CVE-2024-31227[0]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user with sufficient privileges may create a malformed
| ACL selector which, when accessed, triggers a server panic and
| subsequent denial of service. The problem exists in Redis 7 prior to
| versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.

https://github.com/redis/redis/security/advisories/GHSA-38p4-26x2-vqhh
https://github.com/redis/redis/commit/b351d5a3210e61cc3b22ba38a723d6da8f3c298a (7.2.6)

CVE-2024-31228[1]:
| Redis is an open source, in-memory database that persists on disk.
| Authenticated users can trigger a denial-of-service by using
| specially crafted, long string match patterns on supported commands
| such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND
| LIST` and ACL definitions. Matching of extremely long patterns may
| result in unbounded recursion, leading to stack overflow and process
| crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6,
| and 7.4.1. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

https://github.com/redis/redis/security/advisories/GHSA-66gq-c942-6976
https://github.com/redis/redis/commit/c8649f8e852d1dc388b5446e003bb0eefa33d61f (7.2.6)

CVE-2024-31449[2]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user may use a specially crafted Lua script to
| trigger a stack buffer overflow in the bit library, which may
| potentially lead to remote code execution. The problem exists in all
| versions of Redis with Lua scripting. This problem has been fixed in
| Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.

https://github.com/redis/redis/security/advisories/GHSA-whxg-wx83-85p5
https://github.com/redis/redis/commit/fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 (7.2.6)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31227
    https://www.cve.org/CVERecord?id=CVE-2024-31227
[1] https://security-tracker.debian.org/tracker/CVE-2024-31228
    https://www.cve.org/CVERecord?id=CVE-2024-31228
[2] https://security-tracker.debian.org/tracker/CVE-2024-31449
    https://www.cve.org/CVERecord?id=CVE-2024-31449

Please adjust the affected versions in the BTS as needed.

--- End Message ---
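The report above gives the upstream fixed versions (6.2.16, 7.2.6, 7.4.1) and the Debian upload that closes this bug (5:7.0.15-2) patches 7.0.15 without changing the version string Redis reports. The following is an added example, not code from the Debian bug or from the Redis project, that turns those two facts into a check: it reads `redis_version` from `INFO server` output, compares it against the advisory's per-line fixed versions, and treats the Debian package revision as the deciding input for release lines that have no upstream fix. Assumptions: the package name `redis-server`, the sample INFO text (constructed, not captured from a real host), and a simplified numeric ordering of Debian versions rather than the full dpkg algorithm.

```python
"""Check a Redis install against the fixed versions named in this report
(CVE-2024-31227, CVE-2024-31228, CVE-2024-31449).

Two inputs: the `redis_version:` line from `redis-cli INFO server` and,
on Debian, the package version from `dpkg-query -W -f='${Version}' redis-server`.
The upstream version alone is not enough on Debian: 5:7.0.15-2 carries the
fixes while still reporting redis_version:7.0.15.
"""
import re
from typing import Optional, Tuple

# Upstream fixed versions per CVE, keyed by release line, as listed in the
# advisory text. Lines without an entry (e.g. 7.0) have no upstream fix;
# Debian patched 7.0.15 in 5:7.0.15-2 without changing redis_version.
FIXED_UPSTREAM = {
    "CVE-2024-31227": {"7.2": "7.2.6", "7.4": "7.4.1"},
    "CVE-2024-31228": {"6.2": "6.2.16", "7.2": "7.2.6", "7.4": "7.4.1"},
    "CVE-2024-31449": {"6.2": "6.2.16", "7.2": "7.2.6", "7.4": "7.4.1"},
}
# Lowest major release each CVE reaches: "Redis 7" for 31227, "all versions
# with Lua scripting" (2.6 onwards) for 31449. 31228's text names only fixed
# versions, so every older release is treated as affected (assumption).
MIN_AFFECTED_MAJOR = {"CVE-2024-31227": 7, "CVE-2024-31228": 0, "CVE-2024-31449": 2}

# Debian upload that closes this bug (package name assumed: redis-server).
DEBIAN_FIXED = {"redis-server": "5:7.0.15-2"}

# Constructed sample of `redis-cli INFO server` output, not a real capture.
SAMPLE_INFO = """# Server
redis_version:7.0.15
redis_git_sha1:00000000
redis_mode:standalone
"""


def parse_upstream(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def redis_version_from_info(info: str) -> Optional[str]:
    """Pull the redis_version field out of INFO output (CRLF tolerant)."""
    m = re.search(r"^redis_version:([0-9.]+)\s*$", info, re.M)
    return m.group(1) if m else None


def upstream_status(version: str, cve: str) -> str:
    """'not-affected', 'fixed', 'affected' or 'no-upstream-fix' (the release
    line has no fixed upstream version; only a distro patch can close it)."""
    parts = parse_upstream(version)
    if parts[0] < MIN_AFFECTED_MAJOR[cve]:
        return "not-affected"
    fixed = FIXED_UPSTREAM[cve].get(f"{parts[0]}.{parts[1]}")
    if fixed is None:
        return "no-upstream-fix"
    return "fixed" if parts >= parse_upstream(fixed) else "affected"


def parse_debian(v: str) -> Tuple[int, Tuple[int, ...], Tuple[int, ...]]:
    """Split 'epoch:upstream-revision' into numeric parts. Simplified ordering
    for plain dotted versions only, not the full dpkg algorithm (no '~' or
    letter handling); use `dpkg --compare-versions` for anything else."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"

    def nums(s: str) -> Tuple[int, ...]:
        return tuple(int(x) for x in re.findall(r"\d+", s))

    return int(epoch), nums(upstream), nums(revision)


def debian_package_fixed(installed: str, package: str = "redis-server") -> bool:
    """True when the installed package is the same upstream version as the
    fixing upload with an equal or later Debian revision. A different upstream
    version (e.g. a backport of 7.2.x) is not judged here."""
    ie, iu, ir = parse_debian(installed)
    fe, fu, fr = parse_debian(DEBIAN_FIXED[package])
    return (ie, iu) == (fe, fu) and ir >= fr


def assess(info: str, debian_version: Optional[str] = None) -> dict:
    """Per-CVE verdict from the upstream version, upgraded to
    'fixed-by-debian-patch' when the Debian package carries the fix."""
    version = redis_version_from_info(info)
    if version is None:
        raise ValueError("no redis_version line in INFO output")
    verdict = {}
    for cve in FIXED_UPSTREAM:
        status = upstream_status(version, cve)
        if status in ("affected", "no-upstream-fix") and debian_version \
                and debian_package_fixed(debian_version):
            status = "fixed-by-debian-patch"
        verdict[cve] = status
    return verdict


if __name__ == "__main__":
    print(assess(SAMPLE_INFO))                # every CVE: no-upstream-fix
    print(assess(SAMPLE_INFO, "5:7.0.15-2"))  # every CVE: fixed-by-debian-patch
```

The point of the two-input design is the no-upstream-fix case: a scanner that only reads `redis_version` will keep flagging a patched Debian 7.0.15 host, and one that only reads the package version will miss a self-built 7.2.5. For a Debian host, feed the second argument from `dpkg-query -W -f='${Version}' redis-server` and confirm the changelog entry (`apt changelog redis-server`) names the CVE ids, as the report asks maintainers to do.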
--- Begin Message ---
Source: redis
Source-Version: 5:7.0.15-2
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1084...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 09 Oct 2024 13:41:44 -0700
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.15-2
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <la...@debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 1084805
Changes:
 redis (5:7.0.15-2) unstable; urgency=high
 .
   * Fix three new security vulnerabilities:
 .
     - CVE-2024-31227: An authenticated user with sufficient privileges could have
       created a malformed ACL selector which, when accessed, triggered a server
       panic and subsequent denial of service.
 .
     - CVE-2024-31228: Authenticated users could have triggered a
       denial-of-service by using specially crafted, long string match patterns
       on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION
       LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long
       patterns may have resulted in unbounded recursion, leading to stack
       overflow and process crash.
 .
     - CVE-2024-31449: An authenticated user may have used a specially crafted
       Lua script to trigger a stack buffer overflow in the bit library, which
       may have potentially led to remote code execution.
 .
     (Closes: #1084805)
 .
   * Correct a link in previous changelog message.
Checksums-Sha1:
 9bafb437de37694fad2a2e563ec30f2b2eae96a8 2273 redis_7.0.15-2.dsc
 55e8528b1bb915895915e816a9c6a797b1f1c40d 30740 redis_7.0.15-2.debian.tar.xz
 012acf34db6ab79a358dbbd974a3e6b79408f83e 7354 redis_7.0.15-2_amd64.buildinfo
Checksums-Sha256:
 e39fcc2feb94ee743f901b9ae91b162e1b41d7ee0c54c0c4702cc48d286af673 2273 redis_7.0.15-2.dsc
 b72ba287339775d5b99c9e35b7ff3e057c0671e5be584633871ae2a4944b2e6f 30740 redis_7.0.15-2.debian.tar.xz
 4951d7d97d8b9c77c31f02cd2c3bb2d1017144fa55d4d6e198ef838e19df94f9 7354 redis_7.0.15-2_amd64.buildinfo
Files:
 4a5be94439db51f4cd42cc47723510cd 2273 database optional redis_7.0.15-2.dsc
 af1fcc3c760724efe24cce11a4abdd7d 30740 database optional redis_7.0.15-2.debian.tar.xz
 faa8b598243c2f338d5d6d1654187f91 7354 database optional redis_7.0.15-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmcG61gACgkQHpU+J9Qx
HliA3g//X0FahxSOikmMYqV4T9Kk+BNnA0wrOv4elAqUnD5UhA9wNkPTFL9np3r/
eI/g3P5Fyu6ZV/4DZ29taIqlJbbdhfBtpELMwNst8I7In/+Mj0/Q2GApmyEBwwSU
Ps1DvUIzYgybk8ZSn8+gXBI2XThg0gGBU/ogjk1tNMGPDBM8jIhQtN5A4ey087Eh
rbMclk0Lo8xWOeq8hxb0/wW4ihSYh8dKFqrvLOIsBj1pgcZmxyrRYN5TAaoYmtNb
KjR22ZWWMYtFGf2XDQm/aOuYWFePkkyXQlGSZUlP5tB1LzYUdYgYSbTYYzcVNbrW
aiMfBcm3dJI18U3ROJBnOe1LkXpttmRCqao1cDJwognBbyQpZRnveXJ8PuQZfhUU
gk2xmqgGAI6mHK5TA+eATozc2L8/bTt5uW4HwTM01XyumsfIxrGdxjr62wUErGmb
74xpOp6Ct6a0preajMC0k/AAarnbD8Oxl5AuuJ3tmK/6WUZPFjTQcx6JRpU1twSH
sIJ4dv+15BQi+/xud1gV4vPkczYTYOLXRHT7EPXrwjH3MSuRBU4SzJn8pXZo37pa
1SaKLrh//T8FhLv1zRTjG7TnbsdqTBOtgYWt5/SLQ3c5gnZhkks8MDA0UXuP5Iiw
RevP363jj5mdz52G04BhikLSYVuVm8Bh0onf3IprxjSRjYl8j4w=
=pFmZ
-----END PGP SIGNATURE-----

Attachment: pgpf8HvC03PC3.pgp
Description: PGP signature


--- End Message ---