Your message dated Tue, 14 Jan 2025 04:21:34 +0000
with message-id <e1txyqo-001ze4...@fasolo.debian.org>
and subject line Bug#1092371: fixed in valkey 8.0.2+dfsg1-1
has caused the Debian Bug report #1092371,
regarding valkey: CVE-2024-46981 CVE-2024-51741
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1092371: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092371
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: valkey
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for valkey.
CVE-2024-46981[0]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user may use a specially crafted Lua script to
| manipulate the garbage collector and potentially lead to remote code
| execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An
| additional workaround to mitigate the problem without patching the
| redis-server executable is to prevent users from executing Lua
| scripts. This can be done using ACL to restrict EVAL and EVALSHA
| commands.
Redis advisory:
https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c
Fix:
https://github.com/valkey-io/valkey/commit/4ffd3ebdeb028d0b9e50cf5986e9f1b6a2e1c031
CVE-2024-51741[1]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user with sufficient privileges may create a malformed
| ACL selector which, when accessed, triggers a server panic and
| subsequent denial of service. The problem is fixed in Redis 7.2.7
| and 7.4.2.
Redis advisory:
https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9
Fix:
https://github.com/valkey-io/valkey/commit/7977c55ac9bea7d1443c32ef5ec020767c086d3a
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-46981
https://www.cve.org/CVERecord?id=CVE-2024-46981
[1] https://security-tracker.debian.org/tracker/CVE-2024-51741
https://www.cve.org/CVERecord?id=CVE-2024-51741
Please adjust the affected versions in the BTS as needed.
--- End Message ---
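The workaround quoted in the CVE-2024-46981 description, restricting EVAL and EVALSHA through ACLs, as an added example that is not part of the bug report or of the valkey project's own code: a small Python auditor that reads a users.acl file and reports which users can still reach the Lua scripting commands, with a permissive and a hardened user definition side by side in a constructed sample file. It models only the command-permission subset of ACL syntax (+cmd, -cmd, +@cat, -@cat, allcommands, nocommands, reset, on/off) and uses a toy category table; the set of commands it treats as Lua entry points beyond EVAL and EVALSHA (eval_ro, evalsha_ro, fcall, fcall_ro, function, script) is this example's own assumption about the @scripting category and not something the advisory states.

```python
"""Audit a Valkey/Redis users.acl for users who can still run Lua scripts.

Added example for the CVE-2024-46981 ACL workaround; not code from the bug
report or the valkey project.  It models only the command-permission subset of
ACL syntax (+cmd, -cmd, +@cat, -@cat, allcommands, nocommands, reset, on/off),
applied left to right as the server does.  Key, channel and password rules are
ignored.  The category table is a toy; only @scripting matters for the audit.
"""

# Assumption: these are the Lua entry points in the @scripting category of
# Redis 7.x / Valkey 8.  The advisory names only EVAL and EVALSHA; the rest are
# treated as equivalent here because they also execute Lua.
SCRIPTING_COMMANDS = frozenset({
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "fcall", "fcall_ro", "function", "script",
})

# Toy category table so that +@all / +@read / +@write have something to expand to.
CATEGORIES = {
    "scripting": SCRIPTING_COMMANDS,
    "read": frozenset({"get", "mget", "hget", "lrange", "exists"}),
    "write": frozenset({"set", "del", "hset", "lpush", "incr"}),
}
ALL_COMMANDS = frozenset().union(*CATEGORIES.values())


def allowed_commands(rules):
    """Return the set of commands a rule list grants, applying rules in order."""
    allowed = set()
    for rule in rules:
        low = rule.lower()
        if low in ("allcommands", "+@all"):
            allowed = set(ALL_COMMANDS)
        elif low in ("nocommands", "-@all", "reset"):
            allowed.clear()
        elif low.startswith("+@"):
            allowed |= CATEGORIES[low[2:]]       # unknown category: fail loudly
        elif low.startswith("-@"):
            allowed -= CATEGORIES[low[2:]]
        elif low.startswith("+"):
            allowed.add(low[1:])                 # "+function|load" is kept as-is
        elif low.startswith("-"):
            allowed.discard(low[1:])             # "-function|load" cannot remove "function"
        # on/off, ~keys, &channels, >pw, #hash, nopass, ... are not command rules
    return allowed


def is_enabled(rules):
    """A user is usable only if the last on/off/reset rule left it 'on'."""
    enabled = False
    for rule in rules:
        low = rule.lower()
        if low == "on":
            enabled = True
        elif low in ("off", "reset"):
            enabled = False
    return enabled


def parse_acl_file(text):
    """Map user name -> rule tokens for each 'user <name> <rules...>' line."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "user" or len(parts) < 2:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        users[parts[1]] = parts[2:]
    return users


def scripting_capable(rules):
    """Scripting entry points a user can still invoke (empty if the user is off)."""
    if not is_enabled(rules):
        return frozenset()
    # A subcommand grant such as "+function|load" counts against its parent.
    return frozenset(c for c in allowed_commands(rules)
                     if c.split("|", 1)[0] in SCRIPTING_COMMANDS)


def audit(text):
    """user name -> scripting commands that user can run."""
    return {name: scripting_capable(rules)
            for name, rules in parse_acl_file(text).items()}


# Constructed sample users.acl (not from the page): a permissive default user,
# a hardened app user, and three partially restricted users.
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user app on >app-secret ~app:* &* +@all -@scripting
user worker on >worker-secret ~* +@read +@write +eval
user batch off >batch-secret ~* +@all
user ops on >ops-secret ~* allcommands -eval -evalsha
"""

if __name__ == "__main__":
    for user, cmds in audit(SAMPLE_ACL).items():
        verdict = "OK" if not cmds else "CAN RUN LUA via " + ", ".join(sorted(cmds))
        print(f"{user:<8} {verdict}")
```

The "ops" line in the sample is the instructive one: it follows the advisory's wording literally (drops EVAL and EVALSHA only) and the audit still flags it, because the other @scripting commands remain granted; dropping the whole category, as the "app" line does, is the shorter and safer rule. The same rule can be applied to a running server with `ACL SETUSER app on >app-secret ~app:* &* +@all -@scripting` followed by `ACL SAVE`, and `ACL DRYRUN app EVAL "return 1" 0` confirms the denial without executing anything.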
--- Begin Message ---
Source: valkey
Source-Version: 8.0.2+dfsg1-1
Done: Lucas Kanashiro <kanash...@debian.org>
We believe that the bug you reported is fixed in the latest version of
valkey, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1092...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Lucas Kanashiro <kanash...@debian.org> (supplier of updated valkey package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 13 Jan 2025 23:55:00 -0300
Source: valkey
Architecture: source
Version: 8.0.2+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Lucas Kanashiro <kanash...@debian.org>
Changed-By: Lucas Kanashiro <kanash...@debian.org>
Closes: 1092371
Changes:
valkey (8.0.2+dfsg1-1) unstable; urgency=medium
.
[ Christian Göttsche ]
* 0003-Use-get_current_dir_name-over-PATHMAX.patch: free allocated memory
* d/rules: enable LTO
* valkey-tools.postinst: create directories with default SELinux context
.
[ Lucas Kanashiro ]
* New upstream version 8.0.2+dfsg1
- Fixes CVE-2024-46981 and CVE-2024-51741 (Closes: #1092371)
Checksums-Sha1:
90dd3ff4bdb61b00433daff7f39e01d982a44720 2243 valkey_8.0.2+dfsg1-1.dsc
bd0956a64269ce0f4ca3e04118a617df27cfa107 2598612 valkey_8.0.2+dfsg1.orig.tar.xz
5297afd81eec0b1ccd39cb8bcff3db7f93fed6bc 15856 valkey_8.0.2+dfsg1-1.debian.tar.xz
Checksums-Sha256:
53186bf82c9db6c225c9c04d27aaee8b165fdad18cfc23919e9355181dc2655f 2243 valkey_8.0.2+dfsg1-1.dsc
236e07b2e594d1cac3524d26dc40faf9d93ef3c899e91364a84b45f8417065e3 2598612 valkey_8.0.2+dfsg1.orig.tar.xz
4bf66c493d0008ca9cfaa65d379f161f75076b819f366a84c350a9c579a6ab06 15856 valkey_8.0.2+dfsg1-1.debian.tar.xz
Files:
6fbfbb6b353aa23130cd6c50d09b6309 2243 database optional valkey_8.0.2+dfsg1-1.dsc
61204c54a8d6a3bcc0642eea1976b8c5 2598612 database optional valkey_8.0.2+dfsg1.orig.tar.xz
1457bf92a7989b7c315c55122933d6fb 15856 database optional valkey_8.0.2+dfsg1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJJBAEBCgAzFiEEjtbD+LrJ23/BMKhw+COicpiDyXwFAmeF4qAVHGthbmFzaGly
b0BkZWJpYW4ub3JnAAoJEPgjonKYg8l8+N0P/RiPstSLtUByNdXPiKPvDiMInKGX
+9p806fjPmlNDLj57Oq9L46tiGWqe0tv+lLFuJwt2L37bCXNwk+h0qu6cwdC45gk
TCtgmNosFO3USd2+FsgVkQTfIwtldojUjy7IATWdEXtqjpMcKrtF53RXnLZ+T68/
H67smx5WyT4BB9p49Z/tLLJ8z4kI0iQUmBHbjaIPXqvcSZS4zqM1UulCAHGQTEje
O0mEN6f/gGMOtYgoGRZiIf9i0KVhzismT/j4W3nGcDZKa58CYtcCig/7UuK5oHn5
ZeiM/evYUzH7wx28i/uD+lTs4lzSQn2d2rwdUXhG7k8cJrOM4l3Gn/fatSUDS+v1
xocYgEVgXoc6q6LgwRNbd0ZJF8JN70iikJChJNwxmIvrf75F6zgcEknjlFHmzBN9
qQCUkh3vucJ+nwyhPMVXFl0m6FaEnL6VWJo+GqILkauGeLvBqKBuLzqA4yLAPPtM
maUuxsw+eypZAZWfkW+ycGoTyUye+JbRIQ2JooXGvbzZybrNQ7sKdhdzrjoiZyEU
IJGgQ3v9M63bPgOOkkNQVEjXMKVX/3GdNTMiSs3U3rF7+Ov3+b5uLGoMykCt4yEw
o0770JRBpnkuaos05BdHDTZKtGGeXHBYAKTeVl+iBHPpBiWIBCkJtecm4iSGBngB
KYn3WOsKabqpFh05
=OrNi
-----END PGP SIGNATURE-----
--- End Message ---