Your message dated Sat, 01 Feb 2025 21:32:19 +0000
with message-id <e1tel6b-006clu...@fasolo.debian.org>
and subject line Bug#1092370: fixed in redis 5:7.0.15-1~deb12u3
has caused the Debian Bug report #1092370,
regarding redis: CVE-2024-46981 CVE-2024-51741
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1092370: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092370
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: redis
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for redis.
CVE-2024-46981[0]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user may use a specially crafted Lua script to
| manipulate the garbage collector and potentially lead to remote code
| execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An
| additional workaround to mitigate the problem without patching the
| redis-server executable is to prevent users from executing Lua
| scripts. This can be done using ACL to restrict EVAL and EVALSHA
| commands.
https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c
https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf
(7.2.7)
CVE-2024-51741[1]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user with sufficient privileges may create a malformed
| ACL selector which, when accessed, triggers a server panic and
| subsequent denial of service. The problem is fixed in Redis 7.2.7
| and 7.4.2.
https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9
https://github.com/redis/redis/commit/15e212bf69de28d2b4585aa79cc2a40f49e4a94d
(7.2.7)
What is the status of Redis for Trixie given upstream's license change?
Do you still intend to include it in Trixie, or will it be dropped in
favour of src:valkey and src:redict? If the former, do we have some
assurance that security fixes can still be backported to older releases
even if the patch was made for an SSPLed branch?
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-46981
https://www.cve.org/CVERecord?id=CVE-2024-46981
[1] https://security-tracker.debian.org/tracker/CVE-2024-51741
https://www.cve.org/CVERecord?id=CVE-2024-51741
Please adjust the affected versions in the BTS as needed.
--- End Message ---
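As an added example that is not part of the bug report or of the Debian redis package, the script below audits a Redis users.acl file for enabled users whom the root rules or any ACL selector still permit to call EVAL or EVALSHA, which is the workaround the CVE-2024-46981 text above describes. It assumes a simplified model of Redis 7 ACL rule evaluation and knows only the @scripting members it lists; the sample ACL and its passwords are constructed placeholders.

```python
# Added example, not from the bug report or the Debian package: audit a Redis
# users.acl file for enabled users still allowed to run EVAL or EVALSHA (the
# workaround named for CVE-2024-46981). Assumption: a simplified model of Redis 7
# ACL rules (+/- tokens applied left to right, '(...)' selectors, this category map).
import re

SCRIPTING = {"eval", "evalsha", "eval_ro", "evalsha_ro"}  # assumed subset
CATEGORIES = {"all": SCRIPTING, "scripting": SCRIPTING}

def allowed_commands(rules):
    """Apply ACL rule tokens in order and return the allowed command set."""
    allowed = set()
    for tok in rules:
        tok = {"allcommands": "+@all", "nocommands": "-@all"}.get(tok, tok)
        if tok.startswith(("+@", "-@")):
            members = CATEGORIES.get(tok[2:].lower(), set())
        elif tok.startswith(("+", "-")):
            members = {tok[1:].lower()}
        else:
            continue  # passwords, key/channel patterns, on/off, ...
        allowed = allowed | members if tok[0] == "+" else allowed - members
    return allowed

def rule_sets(rule_text):
    """Split 'rule ...' text into [root, *selectors]; '(...)' is a selector."""
    selectors = [s.split() for s in re.findall(r"\(([^)]*)\)", rule_text)]
    return [re.sub(r"\([^)]*\)", " ", rule_text).split()] + selectors

def script_capable_users(acl_text):
    """Enabled users whose root rules or any selector permit EVAL/EVALSHA."""
    found = []
    for line in acl_text.splitlines():
        parts = line.split(None, 2)  # 'user', name, remaining rule text
        if len(parts) < 3 or parts[0] != "user":
            continue
        sets = rule_sets(parts[2])
        enabled = [t for t in sets[0] if t in ("on", "off")][-1:] == ["on"]
        granted = set().union(*(allowed_commands(r) for r in sets))
        if enabled and granted & {"eval", "evalsha"}:
            found.append(parts[1])
    return found

# Constructed sample: 'app' has the workaround applied, 'ops' regains scripting
# through a selector, 'legacy' is disabled; passwords are placeholders.
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user app on >placeholder ~app:* &* +@all -eval -evalsha
user ops on >placeholder ~* -@all +@read (+@scripting ~cache:*)
user legacy off >placeholder ~* +@all
"""
```

Running `script_capable_users(SAMPLE_ACL)` reports `default` and `ops`; note that a selector can re-grant scripting even when the root rules deny it.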
--- Begin Message ---
Source: redis
Source-Version: 5:7.0.15-1~deb12u3
Done: Adrian Bunk <b...@debian.org>
We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1092...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated redis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 19 Jan 2025 12:41:08 +0200
Source: redis
Architecture: source
Version: 5:7.0.15-1~deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: Chris Lamb <la...@debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1092370
Changes:
redis (5:7.0.15-1~deb12u3) bookworm-security; urgency=medium
.
* Non-maintainer upload.
* CVE-2024-46981: LUA garbage collector code execution
* CVE-2024-51741: DoS due to malformed ACL selectors
* Closes: #1092370
--- End Message ---