Your message dated Fri, 06 Dec 2024 13:55:33 +0000
with message-id <e1tjynt-003o5i...@fasolo.debian.org>
and subject line Bug#1084805: fixed in redis 5:7.0.15-1~deb12u2
has caused the Debian Bug report #1084805,
regarding redis: CVE-2024-31227 CVE-2024-31228 CVE-2024-31449
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1084805: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084805
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: redis
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for redis.

CVE-2024-31227[0]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user with sufficient privileges may create a malformed
| ACL selector which, when accessed, triggers a server panic and
| subsequent denial of service. The problem exists in Redis 7 prior to
| versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.

https://github.com/redis/redis/security/advisories/GHSA-38p4-26x2-vqhh
https://github.com/redis/redis/commit/b351d5a3210e61cc3b22ba38a723d6da8f3c298a 
(7.2.6)

CVE-2024-31228[1]:
| Redis is an open source, in-memory database that persists on disk.
| Authenticated users can trigger a denial-of-service by using
| specially crafted, long string match patterns on supported commands
| such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND
| LIST` and ACL definitions. Matching of extremely long patterns may
| result in unbounded recursion, leading to stack overflow and process
| crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6,
| and 7.4.1. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

https://github.com/redis/redis/security/advisories/GHSA-66gq-c942-6976
https://github.com/redis/redis/commit/c8649f8e852d1dc388b5446e003bb0eefa33d61f 
(7.2.6)

CVE-2024-31449[2]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user may use a specially crafted Lua script to
| trigger a stack buffer overflow in the bit library, which may
| potentially lead to remote code execution. The problem exists in all
| versions of Redis with Lua scripting. This problem has been fixed in
| Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.

https://github.com/redis/redis/security/advisories/GHSA-whxg-wx83-85p5
https://github.com/redis/redis/commit/fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 
(7.2.6)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31227
    https://www.cve.org/CVERecord?id=CVE-2024-31227
[1] https://security-tracker.debian.org/tracker/CVE-2024-31228
    https://www.cve.org/CVERecord?id=CVE-2024-31228
[2] https://security-tracker.debian.org/tracker/CVE-2024-31449
    https://www.cve.org/CVERecord?id=CVE-2024-31449

Please adjust the affected versions in the BTS as needed.

--- End Message ---
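The advisories above list upstream fixed releases, but the bookworm package in this thread stays at upstream 7.0.15 and backports the fixes, so a scanner that only reads redis_version from INFO reports a patched host as vulnerable. The following is an added example, not code from the bug report, from Redis or from Debian: it orders package versions the way dpkg does (Debian Policy 5.6.12, including the '~' rule) and compares against the fixed bookworm version, falling back to the upstream fixed list only when no package version is available. The DEBIAN_FIXED table holds only the bookworm entry from this report, and the INFO snippet is constructed.

```python
"""Fixed-version check for CVE-2024-31227/-31228/-31449 (added example).

Not code from the bug report, Redis or Debian. Fixed upstream releases are
from the advisories; the bookworm version is from the changelog in this
thread. Ordering follows dpkg (Debian Policy 5.6.12), where '~' sorts
before everything, including the end of the string.
"""
import re

UPSTREAM_FIXED = {"6.2": "6.2.16", "7.2": "7.2.6", "7.4": "7.4.1"}
NEWEST_UPSTREAM_FIXED = "7.4.1"
# Backports keep the upstream version string; only bookworm is taken from
# this report, other suites would come from the security tracker.
DEBIAN_FIXED = {"bookworm": "5:7.0.15-1~deb12u2"}
# Constructed sample of `redis-cli INFO server` on a patched bookworm host.
SAMPLE_INFO = "# Server\r\nredis_version:7.0.15\r\nredis_mode:standalone\r\n"


def _weight(c):
    """dpkg sort weight of a character in a non-digit run."""
    if c == "~":
        return -1  # before end-of-string (0)
    return ord(c) if c.isalpha() else ord(c) + 256  # punctuation after letters


def _cmp_fragment(a, b):
    """dpkg comparison of two version fragments: -1, 0 or 1."""
    while a or b:
        sa = re.match(r"\D*", a).group()  # non-digit run, lexical
        sb = re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            wa = _weight(sa[i]) if i < len(sa) else 0
            wb = _weight(sb[i]) if i < len(sb) else 0
            if wa != wb:
                return (wa > wb) - (wa < wb)
        da = re.match(r"\d*", a).group()  # digit run, numeric
        db = re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return (na > nb) - (na < nb)
    return 0


def split_debian_version(v):
    """'5:7.0.15-1~deb12u2' -> (5, '7.0.15', '1~deb12u2')."""
    epoch, v = (v.split(":", 1) if ":" in v else ("0", v))
    upstream, revision = (v.rsplit("-", 1) if "-" in v else (v, ""))
    return int(epoch), upstream, revision


def compare_debian_versions(a, b):
    """-1, 0 or 1 as package version a is older than, equal to or newer than b."""
    ea, ua, ra = split_debian_version(a)
    eb, ub, rb = split_debian_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_info_version(info_text):
    """redis_version field from INFO output, or None."""
    m = re.search(r"^redis_version:(\S+)", info_text, re.MULTILINE)
    return m.group(1) if m else None


def upstream_is_fixed(version):
    """True if an unpatched upstream build of `version` has the fixes.

    Branches with no listed fix (6.0.x, 7.0.x, 7.3.x) count as fixed only
    when newer than the newest fixed release.
    """
    branch = ".".join(version.split(".")[:2])
    if branch in UPSTREAM_FIXED:
        return _cmp_fragment(version, UPSTREAM_FIXED[branch]) >= 0
    return _cmp_fragment(version, NEWEST_UPSTREAM_FIXED) > 0


def debian_package_is_fixed(suite, pkg_version):
    """True/False against the suite's fixed package; None if suite unknown."""
    fixed = DEBIAN_FIXED.get(suite)
    return None if fixed is None else compare_debian_versions(pkg_version, fixed) >= 0


def assess(info_text, suite=None, pkg_version=None):
    """Prefer the package version; fall back to the upstream string in INFO."""
    if suite is not None and pkg_version is not None:
        verdict = debian_package_is_fixed(suite, pkg_version)
        if verdict is not None:
            return "fixed" if verdict else "vulnerable"
    version = parse_info_version(info_text)
    if version is None:
        return "unknown"
    return "fixed" if upstream_is_fixed(version) else "vulnerable"
```

Feed assess() the Version field from `dpkg -s redis-server` together with the suite name rather than INFO output alone; on the sample above, INFO alone yields "vulnerable" while the package version 5:7.0.15-1~deb12u2 yields "fixed". The upstream check is deliberately strict: 7.0.x and 7.3.x are treated as unfixed because upstream shipped no fixed release for those branches, so any host on them must prove the fix through its distribution package.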
--- Begin Message ---
Source: redis
Source-Version: 5:7.0.15-1~deb12u2
Done: Adrian Bunk <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1084...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Nov 2024 23:28:52 +0200
Source: redis
Architecture: source
Version: 5:7.0.15-1~deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Chris Lamb <la...@debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1084805
Changes:
 redis (5:7.0.15-1~deb12u2) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2024-31227: DoS with malformed ACL selectors
   * CVE-2024-31228: unbounded pattern matching DoS
   * CVE-2024-31449: Lua bit library stack overflow
   * Closes: 1084805
Checksums-Sha1:
 6790e986ce807f01fdd1d38d7fd3add76325f55f 2305 redis_7.0.15-1~deb12u2.dsc
 b5d51660215a5402d146b8ec045ae712a14783de 3025940 redis_7.0.15.orig.tar.gz
 6d8883da59151b02a22d7a0b122e1dfaf7708a98 31012 
redis_7.0.15-1~deb12u2.debian.tar.xz
Checksums-Sha256:
 81fa87017bafb1dc26299ff935b1ffc37b270bbc08d41b65426da0b7f1ceeb56 2305 
redis_7.0.15-1~deb12u2.dsc
 4b1dc4ee6d622a09fff9c6777191209750fb5e5a725ef78ea012d6eef4c22982 3025940 
redis_7.0.15.orig.tar.gz
 76f8b61692e4d6da029bcad7a7dc88bca9e91356fb4c32bc97747eaeb6823603 31012 
redis_7.0.15-1~deb12u2.debian.tar.xz
Files:
 89a8eebbc5c80b924d668e67af37ec90 2305 database optional 
redis_7.0.15-1~deb12u2.dsc
 d4572b9ddf01b3aeeb43859119ad62f9 3025940 database optional 
redis_7.0.15.orig.tar.gz
 41c5a0f32fc1fcb8fa37b278b4696d6a 31012 database optional 
redis_7.0.15-1~deb12u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgprHldJG0YFX.pgp
Description: PGP signature


--- End Message ---
