Your message dated Wed, 08 Jan 2025 15:13:18 +0000
with message-id <e1tvxke-007p3i...@fasolo.debian.org>
and subject line Bug#1092372: fixed in redict 7.3.2+ds-1
has caused the Debian Bug report #1092372,
regarding redict: CVE-2024-46981 CVE-2024-51741
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1092372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092372
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: redict
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for redict.
CVE-2024-46981[0]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user may use a specially crafted Lua script to
| manipulate the garbage collector and potentially lead to remote code
| execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An
| additional workaround to mitigate the problem without patching the
| redis-server executable is to prevent users from executing Lua
| scripts. This can be done using ACL to restrict EVAL and EVALSHA
| commands.
Redis advisory:
https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c
https://codeberg.org/redict/redict/commit/d12b0cf438664a14999b23a6a1c5b6f39a5f7e37
CVE-2024-51741[1]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user with sufficient privileges may create a malformed
| ACL selector which, when accessed, triggers a server panic and
| subsequent denial of service. The problem is fixed in Redis 7.2.7
| and 7.4.2.
Redis advisory:
https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9
https://codeberg.org/redict/redict/commit/ba5dcb3b161e357de95ec7aa4ab03688559e7222
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-46981
https://www.cve.org/CVERecord?id=CVE-2024-46981
[1] https://security-tracker.debian.org/tracker/CVE-2024-51741
https://www.cve.org/CVERecord?id=CVE-2024-51741
Please adjust the affected versions in the BTS as needed.
--- End Message ---
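The ACL workaround quoted above (deny EVAL and EVALSHA to users who do not need them) is easy to apply and easy to get wrong, because rules are evaluated left to right and a selector grants independently of the root rules. The following audit script is an added example, written for this page and not code from the bug report, from redict or from Redis; it models only the subset of the ACL rule language needed for the check (allcommands/nocommands/reset, +@all/-@all, +@scripting/-@scripting, +cmd/-cmd and parenthesised selectors), ignores other @categories and sub-command granularity, and the users.acl content it reads is constructed. It also flags EVAL_RO/EVALSHA_RO, FCALL/FCALL_RO and FUNCTION/SCRIPT, which the advisory text does not name but which reach the same Lua interpreter; that widening is an assumption of the example, not a claim from the advisory.

```python
"""Audit a Redis/Redict users.acl file for accounts that can still run Lua.

Added example; not code from the bug report or from redict.  Models only
the ACL rule subset needed here: allcommands/nocommands/reset, +@all/-@all,
+@scripting/-@scripting, +cmd/-cmd and (selector) groups.
"""

# The advisory names EVAL and EVALSHA; the *_RO variants, FCALL/FCALL_RO and
# FUNCTION/SCRIPT are included as well because they reach the same Lua
# interpreter (an extension of the advisory's wording, not quoted from it).
SCRIPTING_COMMANDS = {
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "fcall", "fcall_ro", "function", "script",
}
CATEGORIES = {"scripting": SCRIPTING_COMMANDS}   # other @categories ignored


def tokenize(rule_text):
    """Split on whitespace but keep a '( ... )' selector as one token."""
    tokens, cur, depth = [], [], 0
    for ch in rule_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch.isspace() and depth == 0:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def permits(tokens, cmd):
    """Apply +/- rules left to right, as the server does; start denied.

    Tokens that do not touch commands (on, off, >password, ~pattern,
    &channel, resetkeys, ...) are skipped.
    """
    allowed = False
    for tok in tokens:
        t = tok.lower()
        if t == "allcommands":
            allowed = True
        elif t in ("nocommands", "reset"):
            allowed = False
        elif t.startswith(("+@", "-@")):
            if t[2:] == "all" or cmd in CATEGORIES.get(t[2:], ()):
                allowed = t[0] == "+"
        elif t[0] in "+-" and len(t) > 1:
            # '+script|load' is treated as covering the whole container
            # (simplification: the server tracks sub-commands separately).
            if t[1:].split("|", 1)[0] == cmd:
                allowed = t[0] == "+"
    return allowed


def scripting_commands_for(rule_tokens):
    """Scripting commands reachable through the root rules or any selector."""
    root, selectors = [], []
    for tok in rule_tokens:
        if tok.startswith("(") and tok.endswith(")"):
            selectors.append(tokenize(tok[1:-1]))
        else:
            if tok.lower() in ("clearselectors", "reset"):
                selectors = []      # both discard every selector seen so far
            root.append(tok)
    # A selector grants independently of the root rules, so a later
    # '-@scripting' on the root does not close a '(+eval)' selector.
    return sorted(
        cmd for cmd in SCRIPTING_COMMANDS
        if permits(root, cmd) or any(permits(sel, cmd) for sel in selectors)
    )


def audit_acl(text):
    """Map each 'user <name> ...' line to the scripting commands it can run."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("user "):
            continue                    # blank lines and '#' comments
        parts = line.split(None, 2)
        rules = tokenize(parts[2]) if len(parts) > 2 else []
        report[parts[1]] = scripting_commands_for(rules)
    return report


# Constructed sample file; the user names and passwords are invented.
SAMPLE_ACL = """\
# users.acl
user default on nopass ~* &* +@all
user app on >s3cret ~app:* +@all -@scripting
user batch on >s3cret ~* +@all -eval -evalsha
user reporter on >s3cret ~* -@all +get +eval_ro
user svc on >s3cret ~* -@all +get (~jobs:* +eval)
user locked off nocommands
"""

if __name__ == "__main__":
    for user, cmds in audit_acl(SAMPLE_ACL).items():
        print(f"{'EXPOSED' if cmds else 'ok':8s}{user:10s}{' '.join(cmds)}")
```

Two of the constructed users illustrate the traps: `batch` follows the advisory literally with `-eval -evalsha` and is still left with EVAL_RO, FCALL and friends, and `svc` has `-@all` on its root rules yet regains EVAL through a selector. Appending `-@scripting` to a user line closes the first gap but not the second; every selector has to be edited as well. The script is a pre-patch triage aid for the ACL workaround, not a substitute for upgrading to a fixed version.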
--- Begin Message ---
Source: redict
Source-Version: 7.3.2+ds-1
Done: Maytham Alsudany <maytha8the...@gmail.com>
We believe that the bug you reported is fixed in the latest version of
redict, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1092...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Maytham Alsudany <maytha8the...@gmail.com> (supplier of updated redict package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 08 Jan 2025 21:10:54 +0800
Source: redict
Architecture: source
Version: 7.3.2+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Redict Maintainers <team+red...@tracker.debian.org>
Changed-By: Maytham Alsudany <maytha8the...@gmail.com>
Closes: 1092372
Changes:
redict (7.3.2+ds-1) unstable; urgency=medium
.
* New upstream version 7.3.2
* Contains fixes for CVE-2024-46981 and CVE-2024-51741 (Closes: #1092372)
Checksums-Sha1:
5991cc54a1123fd8c2b0ba5fb74469a018c4f019 2417 redict_7.3.2+ds-1.dsc
3056f65220e362917f6300c01c470ffc578415ca 1741828 redict_7.3.2+ds.orig.tar.xz
f1c8e9fd8955c9ac621a12cf560a22936f4499a7 13448 redict_7.3.2+ds-1.debian.tar.xz
deee6fa4563e3a2187cf53f750d0b0ec15ac6512 7745 redict_7.3.2+ds-1_amd64.buildinfo
Checksums-Sha256:
d0756c21a7d7402d5a8927165c856b3db95e13ada071d99dd6378b4f5febafe1 2417 redict_7.3.2+ds-1.dsc
83f088118509913fb487a4b08adedc759d7323c4cd7ad2637fc9b7568af0c179 1741828 redict_7.3.2+ds.orig.tar.xz
050e2671a15c8e3dc7484ba5a3a5a1a112a84a5f046abecb98412a1774c11fb5 13448 redict_7.3.2+ds-1.debian.tar.xz
b12e07bec74066a8b1cdd147ec58d99183b2b202129c7b089f130fc7b1e5ca81 7745 redict_7.3.2+ds-1_amd64.buildinfo
Files:
00a1fdd65b7d3eac5f1d83c290e51c15 2417 database optional redict_7.3.2+ds-1.dsc
233a2f1caeed1d66ff80790893370da9 1741828 database optional redict_7.3.2+ds.orig.tar.xz
52894d9429bbab27ba504c9527568329 13448 database optional redict_7.3.2+ds-1.debian.tar.xz
4514b241ac2c0cf70243b97be1b3c2a4 7745 database optional redict_7.3.2+ds-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
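The .changes stanza above lists size and SHA-256 for each uploaded file, and the whole stanza is covered by the maintainer's OpenPGP signature. The following is an added example, not Debian tooling (dscverify and dget already do this, signature check included): it parses a Checksums-Sha256 field and verifies a set of files against it, reporting size mismatch, digest mismatch, missing and unexpected files separately. It deliberately does not verify the OpenPGP signature, so on its own it proves integrity relative to the stanza, not authenticity of the stanza. The stanza and file contents it runs on are constructed; the two digests are the well-known SHA-256 values of the empty string and of the bytes "abc", and the filenames are invented.

```python
"""Verify downloaded files against the Checksums-Sha256 field of a Debian
.changes or .dsc control file.

Added example, not Debian tooling: dscverify/dget do this for real, including
the OpenPGP signature check that this snippet deliberately omits.
"""
import hashlib


def parse_sha256_stanza(text):
    """Return {filename: (size, sha256hex)} from a 'Checksums-Sha256:' field.

    Continuation lines are normally indented by one space; indentation is
    optional here.  The field ends at the next 'Key:' line or any line that
    is not '<64 hex chars> <size> <name>'.
    """
    entries, in_field = {}, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            parts = line.split()
            if len(parts) == 3 and len(parts[0]) == 64 and parts[1].isdigit():
                entries[parts[2]] = (int(parts[1]), parts[0].lower())
                continue
            in_field = False
    return entries


def verify_files(entries, files):
    """Check each expected file; `files` maps filename -> bytes content.

    Size is compared first (cheap, catches truncation), then the digest.
    Missing and unexpected files are both reported: a tarball that is not
    in the signed stanza is as suspicious as one with a bad hash.
    """
    result = {}
    for name, (size, digest) in entries.items():
        data = files.get(name)
        if data is None:
            result[name] = "missing"
        elif len(data) != size:
            result[name] = "size mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            result[name] = "sha256 mismatch"
        else:
            result[name] = "ok"
    for name in files.keys() - entries.keys():
        result[name] = "unexpected"
    return result


# Constructed stanza: the digests are the well-known SHA-256 values of the
# empty string and of b"abc"; the filenames are invented for the example.
SAMPLE_STANZA = """\
Format: 1.8
Checksums-Sha256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 example_1.0.dsc
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 example_1.0.orig.tar.xz
Files:
 00000000000000000000000000000000 0 misc optional example_1.0.dsc
"""

# Constructed download directory: one good file, one off by a byte, one extra.
SAMPLE_FILES = {
    "example_1.0.dsc": b"",
    "example_1.0.orig.tar.xz": b"abd",
    "extra.deb": b"not listed in the stanza",
}

if __name__ == "__main__":
    entries = parse_sha256_stanza(SAMPLE_STANZA)
    for name, status in verify_files(entries, SAMPLE_FILES).items():
        print(f"{status:16s}{name}")
```

The same-length corruption of the tarball is caught only by the digest, which is why size is a pre-check and never a substitute. Once the files verify, the remaining question is whether the stanza itself is trustworthy, and that is what the detached signature on the .changes (the `-----BEGIN PGP SIGNED MESSAGE-----` block above) answers; check it with dscverify or gpg before trusting the digests.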