Your message dated Fri, 09 May 2025 21:06:02 +0000
with message-id <e1uduuw-009k7b...@fasolo.debian.org>
and subject line Bug#1104010: fixed in redis 5:7.0.15-3.1
has caused the Debian Bug report #1104010,
regarding redis: CVE-2025-21605
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1104010: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104010
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: redis
Version: 5:7.0.15-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 5:7.0.15-1~deb12u3
Control: found -1 5:7.0.15-1
Hi,
The following vulnerability was published for redis.
CVE-2025-21605[0]:
| Redis is an open source, in-memory database that persists on disk.
| In versions starting at 2.6 and prior to 7.4.3, an unauthenticated
| client can cause unlimited growth of output buffers, until the
| server runs out of memory or is killed. By default, the Redis
| configuration does not limit the output buffer of normal clients
| (see client-output-buffer-limit). Therefore, the output buffer can
| grow unlimitedly over time. As a result, the service is exhausted
| and the memory is unavailable. When password authentication is
| enabled on the Redis server, but no password is provided, the client
| can still cause the output buffer to grow from "NOAUTH" responses
| until the system will run out of memory. This issue has been patched
| in version 7.4.3. An additional workaround to mitigate this problem
| without patching the redis-server executable is to block access to
| prevent unauthenticated users from connecting to Redis. This can be
| done in different ways. Either using network access control tools
| like firewalls, iptables, security groups, etc, or enabling TLS and
| requiring users to authenticate using client side certificates.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-21605
https://www.cve.org/CVERecord?id=CVE-2025-21605
[1] https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
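The advisory quoted above says the default Redis configuration leaves the output buffer of "normal" clients unlimited, and that this is what lets repeated NOAUTH replies to an unauthenticated client grow without bound. The following Python script is an added example, not part of the bug report or of the redis package: it parses the `client-output-buffer-limit` directives of a redis.conf (or the flat value a live `CONFIG GET client-output-buffer-limit` returns) and reports whether the normal class still has no ceiling. The two configuration fragments, the placeholder password and the suggested replacement limit are constructed for the demonstration; Redis' own defaults and size suffixes are reproduced as documented in redis.conf.

```python
import re
from dataclasses import dataclass

# Size suffixes as Redis reads them in redis.conf: 1k = 1000 bytes,
# 1kb = 1024 bytes, and likewise for m/mb and g/gb.
_UNITS = {"": 1, "k": 1000, "kb": 1024, "m": 1000**2, "mb": 1024**2,
          "g": 1000**3, "gb": 1024**3}

# Redis' built-in defaults: the normal class is unlimited (0 0 0), which is
# exactly the condition CVE-2025-21605's advisory describes.
_DEFAULTS = {
    "normal": (0, 0, 0),
    "replica": (256 * 1024**2, 64 * 1024**2, 60),
    "pubsub": (32 * 1024**2, 8 * 1024**2, 60),
}


@dataclass(frozen=True)
class BufferLimit:
    hard: int          # bytes; the client is closed as soon as this is exceeded
    soft: int          # bytes; closed if exceeded for soft_seconds in a row
    soft_seconds: int

    @property
    def unlimited(self) -> bool:
        # Redis disables a limit by setting it to 0; with hard and soft both
        # at 0 the class has no output-buffer ceiling at all.
        return self.hard == 0 and self.soft == 0


def parse_size(token: str) -> int:
    """Convert a redis.conf memory value such as '64mb' to bytes."""
    m = re.fullmatch(r"(\d+)([kmg]b?)?", token.strip().lower())
    if not m:
        raise ValueError(f"not a Redis size: {token!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or ""]


def parse_redis_conf(text: str) -> dict[str, BufferLimit]:
    """Effective per-class limits after reading a redis.conf fragment.
    Starts from Redis' defaults; later directives override earlier ones."""
    limits = {k: BufferLimit(*v) for k, v in _DEFAULTS.items()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # only whole-line comments in redis.conf
            continue
        parts = line.split()
        if parts[0].lower() != "client-output-buffer-limit" or len(parts) != 5:
            continue
        cls = parts[1].lower()
        if cls == "slave":                     # pre-5.0 spelling, still accepted
            cls = "replica"
        limits[cls] = BufferLimit(parse_size(parts[2]), parse_size(parts[3]),
                                  int(parts[4]))
    return limits


def parse_config_get(reply: str) -> dict[str, BufferLimit]:
    """Parse the flat value CONFIG GET client-output-buffer-limit returns:
    '<class> <hard> <soft> <secs>' repeated per class, sizes already in bytes."""
    parts = reply.split()
    if len(parts) % 4:
        raise ValueError("malformed CONFIG GET reply")
    limits = {}
    for i in range(0, len(parts), 4):
        cls = "replica" if parts[i] == "slave" else parts[i]
        limits[cls] = BufferLimit(int(parts[i + 1]), int(parts[i + 2]),
                                  int(parts[i + 3]))
    return limits


def audit(limits: dict[str, BufferLimit]) -> list[str]:
    """Findings relevant to CVE-2025-21605. A freshly connected, not yet
    authenticated client belongs to the normal class, so an unlimited
    normal class is what lets NOAUTH replies accumulate without bound."""
    findings = []
    normal = limits.get("normal")
    if normal is None or normal.unlimited:
        findings.append("normal client class has no output-buffer limit; "
                        "set e.g. 'client-output-buffer-limit normal 64mb 16mb 60'"
                        " (example value, size it for your workload)")
    return findings


# Constructed redis.conf fragments for the demonstration (not from the page).
WEAK_CONF = """\
# shipped defaults: normal clients are unlimited
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
"""

HARDENED_CONF = """\
requirepass example-placeholder-password
client-output-buffer-limit normal 64mb 16mb 60
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_redis_conf(conf)) or ["ok"])
```

Note that an output-buffer limit only caps how much memory one client can pin before Redis disconnects it; the upstream fix and the network-level access control the advisory mentions (firewalling unauthenticated clients away, or TLS with client certificates) remain the primary mitigations, and the limit is a defence in depth that also protects against other slow or non-reading clients.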
--- Begin Message ---
Source: redis
Source-Version: 5:7.0.15-3.1
Done: Adrian Bunk <b...@debian.org>
We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1104...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated redis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 09 May 2025 16:03:22 +0300
Source: redis
Architecture: source
Version: 5:7.0.15-3.1
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <la...@debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1104010
Changes:
redis (5:7.0.15-3.1) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2025-21605: Limit output buffer for unauthenticated clients
(Closes: #1104010)
Checksums-Sha1:
a749caea5b8dcf6c5dffb1c8c303549d42dbd7b7 2281 redis_7.0.15-3.1.dsc
1b8cc8695317590ab2981dfdbcbfe36444af52df 32536 redis_7.0.15-3.1.debian.tar.xz
Checksums-Sha256:
982ac9adbda0c6cdc87472445caee2c621bd99718a3b4f06d9affb4613e1ca51 2281 redis_7.0.15-3.1.dsc
21f3ddc381287722094a2b496097b3dca5fa94854f651323a98e92c816d1e4a7 32536 redis_7.0.15-3.1.debian.tar.xz
Files:
225b34125585f12a8b14221bb4badcd4 2281 database optional redis_7.0.15-3.1.dsc
289263a24111f902ece8cc38e5aaf734 32536 database optional redis_7.0.15-3.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=A8S4
-----END PGP SIGNATURE-----
pgp3txc6E6AxP.pgp
Description: PGP signature
--- End Message ---