Your message dated Tue, 21 Jan 2025 10:20:57 +0000
with message-id <e1tabnr-002rd1...@fasolo.debian.org>
and subject line Bug#1092370: fixed in redis 5:7.0.15-3
has caused the Debian Bug report #1092370,
regarding redis: CVE-2024-46981 CVE-2024-51741
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1092370: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092370
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: redis
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for redis.

CVE-2024-46981[0]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user may use a specially crafted Lua script to
| manipulate the garbage collector and potentially lead to remote code
| execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An
| additional workaround to mitigate the problem without patching the
| redis-server executable is to prevent users from executing Lua
| scripts. This can be done using ACL to restrict EVAL and EVALSHA
| commands.

https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c
https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf (7.2.7)

CVE-2024-51741[1]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user with sufficient privileges may create a malformed
| ACL selector which, when accessed, triggers a server panic and
| subsequent denial of service. The problem is fixed in Redis 7.2.7
| and 7.4.2.

https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9
https://github.com/redis/redis/commit/15e212bf69de28d2b4585aa79cc2a40f49e4a94d (7.2.7)

What is the status of Redis for Trixie given upstream's license change,
do you still intend to include it in Trixie or will it be dropped in
favour of src:valkey and src:redict? If the former, do we have some
assurance that security fixes can still be backported to older releases
even if the patch was made for an SSPLed branch?


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-46981
    https://www.cve.org/CVERecord?id=CVE-2024-46981
[1] https://security-tracker.debian.org/tracker/CVE-2024-51741
    https://www.cve.org/CVERecord?id=CVE-2024-51741

Please adjust the affected versions in the BTS as needed.

--- End Message ---
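The ACL workaround quoted in the first advisory can be audited against a server's ACL LIST output. The following is an added example, not code from this bug report or from the Debian package: a simplified evaluator of Redis ACL command rules restricted to EVAL and EVALSHA, run over constructed ACL LIST lines. It assumes the standard rule tokens (+@all, -@all, +@scripting, -@scripting, +eval, -eval and parenthesised selectors) and ignores everything else as irrelevant to those two commands.

```python
"""Audit Redis ACL LIST output for users who can still run EVAL/EVALSHA.

Added example, not code from the bug report or the Debian package. Simplified
model of Redis ACL evaluation limited to the two commands named in the
CVE-2024-46981 workaround: rules apply left to right, later rules override
earlier ones, and each (...) selector is checked independently.
"""
import re

SCRIPT_CMDS = {"eval", "evalsha"}  # commands the advisory's ACL workaround restricts


def _apply(rules, allowed):
    """Apply command rules in order to the set of permitted script commands."""
    for tok in rules:
        t = tok.lower()
        if t in ("+@all", "allcommands", "+@scripting"):
            allowed |= SCRIPT_CMDS
        elif t in ("-@all", "nocommands", "-@scripting"):
            allowed -= SCRIPT_CMDS
        elif t[1:] in SCRIPT_CMDS:  # +eval / -eval / +evalsha / -evalsha
            (allowed.add if t[0] == "+" else allowed.discard)(t[1:])
    return allowed


def scripting_allowed(acl_line):
    """Return which of {eval, evalsha} one 'user ...' line permits; 'off' users get none."""
    fields = acl_line.split()
    if len(fields) < 2 or fields[0] != "user" or "off" in fields[2:]:
        return set()
    body = " ".join(fields[2:])
    allowed = _apply(re.sub(r"\([^)]*\)", " ", body).split(), set())  # root rules
    for selector in re.findall(r"\(([^)]*)\)", body):  # selectors grant independently
        allowed |= _apply(selector.split(), set())
    return allowed


def audit(acl_list):
    """Map user name -> sorted script commands still permitted (users with none omitted)."""
    return {ln.split()[1]: sorted(c) for ln in acl_list if (c := scripting_allowed(ln))}


# Constructed sample ACL LIST output (not captured from a real server).
SAMPLE_ACL_LIST = [
    "user default on nopass ~* &* +@all",                         # weak: everything
    "user app on #0123abcd ~app:* &* +@all -eval -evalsha",       # hardened per advisory
    "user reporting on #4567ef01 ~* &* -@all +@read +evalsha",    # re-enabled by later rule
    "user batch on #89abcdef ~* &* -@all (+@scripting ~jobs:*)",  # granted via a selector
    "user legacy off #deadbeef ~* &* +@all",                      # disabled user: no access
]

if __name__ == "__main__":
    for user, cmds in audit(SAMPLE_ACL_LIST).items():
        print(f"{user}: can still run {', '.join(cmds).upper()}")
```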
--- Begin Message ---
Source: redis
Source-Version: 5:7.0.15-3
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1092...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 21 Jan 2025 10:10:10 +0000
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.15-3
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <la...@debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 1092370
Changes:
 redis (5:7.0.15-3) unstable; urgency=high
 .
   * Fix two security vulnerabilities:
 .
     - CVE-2024-46981: An authenticated user could have used a specially-crafted
       Lua script to manipulate the garbage collector and potentially lead to
       remote code execution.
 .
     - CVE-2024-51741: An authenticated user with sufficient privileges may have
       created a malformed ACL selector which, when accessed, would have
       triggered a server panic and subsequent denial of service.
 .
     (Closes: #1092370)



--- End Message ---
