Source: redis X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerabilities were published for redis. CVE-2024-46981[0]: | Redis is an open source, in-memory database that persists on disk. | An authenticated user may use a specially crafted Lua script to | manipulate the garbage collector and potentially lead to remote code | execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An | additional workaround to mitigate the problem without patching the | redis-server executable is to prevent users from executing Lua | scripts. This can be done using ACL to restrict EVAL and EVALSHA | commands. https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf (7.2.7) CVE-2024-51741[1]: | Redis is an open source, in-memory database that persists on disk. | An authenticated with sufficient privileges may create a malformed | ACL selector which, when accessed, triggers a server panic and | subsequent denial of service. The problem is fixed in Redis 7.2.7 | and 7.4.2. https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9 https://github.com/redis/redis/commit/15e212bf69de28d2b4585aa79cc2a40f49e4a94d (7.2.7) What is the status of Redis for Trixie given upstream's license change, do you still intend to include it in Trixie or will it be dropped in favour of src:valkey and src:redict? If the former, do we have some assurance that security fixes can still be backported to older releases even if the patch was made for an SSPLed branch? If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-46981 https://www.cve.org/CVERecord?id=CVE-2024-46981 [1] https://security-tracker.debian.org/tracker/CVE-2024-51741 https://www.cve.org/CVERecord?id=CVE-2024-51741 Please adjust the affected versions in the BTS as needed.
