Your message dated Tue, 21 Jan 2025 10:21:12 +0000
with message-id <e1tabng-002rfh...@fasolo.debian.org>
and subject line Bug#1092370: fixed in redis 5:7.2.5-3
has caused the Debian Bug report #1092370,
regarding redis: CVE-2024-46981 CVE-2024-51741
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1092370: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092370
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: redis
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for redis.

CVE-2024-46981[0]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user may use a specially crafted Lua script to
| manipulate the garbage collector and potentially lead to remote code
| execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An
| additional workaround to mitigate the problem without patching the
| redis-server executable is to prevent users from executing Lua
| scripts. This can be done using ACL to restrict EVAL and EVALSHA
| commands.

https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c
https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf (7.2.7)

CVE-2024-51741[1]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user with sufficient privileges may create a malformed
| ACL selector which, when accessed, triggers a server panic and
| subsequent denial of service. The problem is fixed in Redis 7.2.7
| and 7.4.2.

https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9
https://github.com/redis/redis/commit/15e212bf69de28d2b4585aa79cc2a40f49e4a94d (7.2.7)

What is the status of Redis for Trixie given upstream's license change,
do you still intend to include it in Trixie or will it be dropped in
favour of src:valkey and src:redict? If the former, do we have some
assurance that security fixes can still be backported to older releases
even if the patch was made for an SSPLed branch?


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-46981
    https://www.cve.org/CVERecord?id=CVE-2024-46981
[1] https://security-tracker.debian.org/tracker/CVE-2024-51741
    https://www.cve.org/CVERecord?id=CVE-2024-51741

Please adjust the affected versions in the BTS as needed.

--- End Message ---
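The workaround quoted in the report above is to deny EVAL and EVALSHA through Redis ACLs. The following is an added example, not part of the bug report or the Debian package: a small audit script that reads ACL-file style `user` lines, applies the command rules in order (later rules override earlier ones, and a user's root rules or any `( ... )` selector may grant a command) and lists enabled users who can still run Lua scripts. The category membership table is an assumed subset of the real one, and `SAMPLE_ACL` is constructed input.

```python
# Added example (not from the bug report or the Debian package): audit a Redis ACL
# file for users who can still run EVAL/EVALSHA. Rules apply in order, later ones
# overriding earlier; a command is permitted if root rules or any selector permit it.
CATEGORIES = {"all": {"eval", "evalsha", "get", "set"}, "scripting": {"eval", "evalsha"}}  # assumed subset

def command_allowed(rules, command):
    """Apply command rule tokens in order; a fresh user or selector starts with none."""
    allowed = False
    for tok in rules:
        if tok in ("allcommands", "nocommands"):
            allowed = tok == "allcommands"
        elif tok[:2] in ("+@", "-@") and command in CATEGORIES.get(tok[2:], ()):
            allowed = tok[0] == "+"
        elif tok[:1] in "+-" and tok[1:] == command:  # 'cmd|sub' rules never match
            allowed = tok[0] == "+"
    return allowed  # key (~), channel (&), password (> #) and on/off tokens are ignored

def parse_acl_line(line):
    """Split 'user <name> <rules...>' into (name, root_rules, [selector_rules, ...])."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "user":
        return None
    root, selectors, current = [], [], None
    for tok in parts[2:]:
        if tok.startswith("("):  # '(' opens a selector group, ')' closes it
            current, tok = [], tok[1:]
        closing = tok.endswith(")")
        (root if current is None else current).append(tok.rstrip(")"))
        if closing and current is not None:
            selectors.append(current)
            current = None
    return parts[1], root, selectors

def scripting_users(acl_text, commands=("eval", "evalsha")):
    """Names of enabled users for whom some rule set permits one of `commands`."""
    hits = []
    for name, root, selectors in filter(None, map(parse_acl_line, acl_text.splitlines())):
        state = [t for t in root if t in ("on", "off")]
        if state and state[-1] == "on" and any(
                command_allowed(r, c) for r in [root] + selectors for c in commands):
            hits.append(name)
    return hits

SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user app on >s3cret ~app:* &* +@all -@scripting
user reports on >s3cret ~rep:* +@read (~app:* +@all -eval -evalsha)
user ops on >s3cret ~* +@all -@scripting +eval
user retired off ~* +@all
"""  # constructed sample, not taken from the page
```

On the sample, `scripting_users(SAMPLE_ACL)` flags `default` (unrestricted `+@all`) and `ops` (whose later `+eval` undoes `-@scripting`), while `app` and `reports` are correctly denied.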
--- Begin Message ---
Source: redis
Source-Version: 5:7.2.5-3
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1092...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Tue, 21 Jan 2025 10:00:03 +0000
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.2.5-3
Distribution: experimental
Urgency: high
Maintainer: Chris Lamb <la...@debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 1092370
Changes:
 redis (5:7.2.5-3) experimental; urgency=high
 .
   * Fix two security vulnerabilities:
 .
     - CVE-2024-46981: An authenticated user could have used a specially-crafted
       Lua script to manipulate the garbage collector and potentially lead to
       remote code execution.
 .
     - CVE-2024-51741: An authenticated user with sufficient privileges may have
       created a malformed ACL selector which, when accessed, would have
       triggered a server panic and subsequent denial of service.
 .
     (Closes: #1092370)


--- End Message ---
