Your message dated Sat, 10 May 2025 17:17:10 +0000
with message-id <e1udnp0-00dcnl...@fasolo.debian.org>
and subject line Bug#1104010: fixed in redis 5:7.0.15-1~deb12u4
has caused the Debian Bug report #1104010,
regarding redis: CVE-2025-21605
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1104010: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104010
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: redis
Version: 5:7.0.15-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 5:7.0.15-1~deb12u3
Control: found -1 5:7.0.15-1
Hi,
The following vulnerability was published for redis.
CVE-2025-21605[0]:
| Redis is an open source, in-memory database that persists on disk.
| In versions starting at 2.6 and prior to 7.4.3, an unauthenticated
| client can cause unlimited growth of output buffers, until the
| server runs out of memory or is killed. By default, the Redis
| configuration does not limit the output buffer of normal clients
| (see client-output-buffer-limit). Therefore, the output buffer can
| grow unlimitedly over time. As a result, the service is exhausted
| and the memory is unavailable. When password authentication is
| enabled on the Redis server, but no password is provided, the client
| can still cause the output buffer to grow from "NOAUTH" responses
| until the system will run out of memory. This issue has been patched
| in version 7.4.3. An additional workaround to mitigate this problem
| without patching the redis-server executable is to block access to
| prevent unauthenticated users from connecting to Redis. This can be
| done in different ways. Either using network access control tools
| like firewalls, iptables, security groups, etc., or enabling TLS and
| requiring users to authenticate using client side certificates.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-21605
https://www.cve.org/CVERecord?id=CVE-2025-21605
[1] https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
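The advisory quoted above points at the configuration behind the bug: the stock `client-output-buffer-limit` for the `normal` client class is `0 0 0`, which disables both the hard and the soft limit, so any client (authenticated or not) can make the server buffer replies until memory runs out. The following is an added example, not code from the bug report, from upstream Redis, or from the Debian package: a small redis.conf auditor that parses `client-output-buffer-limit` directives (starting from the upstream defaults, which I assume here as `normal 0 0 0`, `replica 256mb 64mb 60`, `pubsub 32mb 8mb 60`) and reports which classes are left unlimited. The two sample configs are constructed; the hardened values are illustrative, not a recommendation for any particular workload.

```python
"""Audit redis.conf for unlimited client output buffers (added example).

Redis expresses output buffer limits as
    client-output-buffer-limit <class> <hard> <soft> <soft-seconds>
A hard or soft limit of 0 disables that limit; with both at 0 the class is
unbounded, which is exactly the default for the "normal" class that
CVE-2025-21605 abuses.
"""
import re

# Redis size suffixes: 1k = 1000, 1kb = 1024, 1m = 1000^2, 1mb = 1024^2, ...
_UNIT = {
    "": 1, "b": 1,
    "k": 1000, "kb": 1024,
    "m": 1000 ** 2, "mb": 1024 ** 2,
    "g": 1000 ** 3, "gb": 1024 ** 3,
}

# Upstream defaults (assumed here from the stock redis.conf).
DEFAULTS = {
    "normal": (0, 0, 0),
    "replica": (256 * 1024 ** 2, 64 * 1024 ** 2, 60),
    "pubsub": (32 * 1024 ** 2, 8 * 1024 ** 2, 60),
}


def parse_size(token):
    """Convert a Redis size token such as '64mb' or '1000' to bytes."""
    m = re.fullmatch(r"(\d+)([a-z]*)", token.lower())
    if not m or m.group(2) not in _UNIT:
        raise ValueError(f"bad size token: {token!r}")
    return int(m.group(1)) * _UNIT[m.group(2)]


def parse_limits(conf_text):
    """Return {class: (hard_bytes, soft_bytes, soft_seconds)} for a config.

    Classes not mentioned in the file keep their upstream defaults, which is
    what makes a config that never sets 'normal' report as unlimited.
    """
    limits = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Redis treats only whole-line '#' as a comment; no trailing comments.
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() != "client-output-buffer-limit":
            continue
        if len(parts) != 5:
            raise ValueError(f"malformed directive: {line!r}")
        cls = parts[1].lower()
        if cls == "slave":          # legacy spelling accepted by Redis
            cls = "replica"
        limits[cls] = (parse_size(parts[2]), parse_size(parts[3]), int(parts[4]))
    return limits


def unlimited_classes(limits):
    """Classes whose hard and soft limits are both disabled (0)."""
    return sorted(cls for cls, (hard, soft, _) in limits.items()
                  if hard == 0 and soft == 0)


# Constructed sample: the upstream defaults, normal clients unbounded.
SAMPLE_CONF_WEAK = """\
# constructed sample redis.conf (defaults)
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
"""

# Constructed sample: normal clients capped (illustrative numbers).
SAMPLE_CONF_HARDENED = """\
# constructed sample redis.conf (normal class capped)
client-output-buffer-limit normal 64mb 16mb 60
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
"""


def audit(conf_text):
    """Return a one-line verdict per client class."""
    limits = parse_limits(conf_text)
    flagged = set(unlimited_classes(limits))
    return [f"{cls}: hard={hard} soft={soft}/{secs}s"
            + (" UNLIMITED" if cls in flagged else "")
            for cls, (hard, soft, secs) in sorted(limits.items())]


if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_CONF_WEAK), ("hardened", SAMPLE_CONF_HARDENED)):
        print(f"== {name} ==")
        print("\n".join(audit(conf)))
```

Against a running instance the same check is `redis-cli CONFIG GET client-output-buffer-limit`, which returns the three classes with their limits in bytes. Two caveats: a `normal` cap bounds the damage from every client, not just unauthenticated ones, so it has to be sized for legitimate large replies; and it is a workaround, not the fix. The Debian change above ("Limit output buffer for unauthenticated clients") and upstream 7.4.3 bound the pre-auth buffer regardless of this setting, and the network-level controls the advisory lists remain the cleanest way to keep unauthenticated clients off the port altogether.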
--- Begin Message ---
Source: redis
Source-Version: 5:7.0.15-1~deb12u4
Done: Adrian Bunk <b...@debian.org>
We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1104...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated redis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 09 May 2025 19:15:20 +0300
Source: redis
Architecture: source
Version: 5:7.0.15-1~deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: Chris Lamb <la...@debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1104010
Changes:
redis (5:7.0.15-1~deb12u4) bookworm; urgency=medium
.
* Non-maintainer upload.
* CVE-2025-21605: Limit output buffer for unauthenticated clients
(Closes: #1104010)
Checksums-Sha1:
0ef13ca05bc0eac1ff7d63082a6b19df6a665df3 2305 redis_7.0.15-1~deb12u4.dsc
b5d51660215a5402d146b8ec045ae712a14783de 3025940 redis_7.0.15.orig.tar.gz
971f31292e2ec7cf1d4433625f0fe4294d24d437 32744 redis_7.0.15-1~deb12u4.debian.tar.xz
Checksums-Sha256:
56058581aec1b1464e7d969e79143a36c857840ef4c71f800ad84f4f6b7cc82a 2305 redis_7.0.15-1~deb12u4.dsc
4b1dc4ee6d622a09fff9c6777191209750fb5e5a725ef78ea012d6eef4c22982 3025940 redis_7.0.15.orig.tar.gz
29834dea5c15a7f427419b5465e88e45b28c0138b382c484264513a4d3fb6df6 32744 redis_7.0.15-1~deb12u4.debian.tar.xz
Files:
bda4655981eca83fb19961a90921f13e 2305 database optional redis_7.0.15-1~deb12u4.dsc
d4572b9ddf01b3aeeb43859119ad62f9 3025940 database optional redis_7.0.15.orig.tar.gz
58a74a771c828bcefc510c524ba95a0a 32744 database optional redis_7.0.15-1~deb12u4.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmgfa3sACgkQiNJCh6LY
mLGAYw/+NCxXSnwl1vL4UlIp64B8Dd74VasXxW00qrQ+d/g4UbyRN3RdPL5ryGEf
vIZ4SfvcDtfFtxBgsAQOAvQE+TwKLLSe4YMC3EFbYbbhQ74cwh6u6LydwpZsAkE7
GQ8RwQmu2bmXH2h4SfY2rUTzLz18QsHGG/sItSJXd/Hc8IgH11Wwcc+3gxXJEUTp
9gwp7g1aFBntPDa07ojqbQVjL8PnXnXwri2/hh9i0NvLCAlzL3nrCWpCjxQWLFUU
nlqS4b4SuFMRI/Xjl91V+obsmcw4e6EcBkiUov9MMIESaIVwW7oEl6xvAxcktPEa
BybfR4yMcJVKrSiMMjLx4bZL5RYTuAzKXNTsmh7iNlK9c2YIcXcA2KbosfPfDtMA
PkdnjzneSufoEv0JU2V+PFqgXF3+itSdhpWGgRwwMa9fqOF/3ElWj6IgHC6meIf2
+DSRhm8ENVYk7He3czNOkw5MOKbz1m73jaPDiIsHBNfdLqgkDrydF5+PkxJthPcZ
Zv2fAipYt8/6ozRtJHK9a/WKhzqzsAmf5RI0OnEXkQKwXhPlWzIFkZr30kKSuxco
1mO7b8hYzkTegBSKC5NYhOI0IwwiGLZs7x0agrUfhN7JyH9IO64PyDmN8C9qX6nR
ADEf9k+kCcNUq8NS2eHQ3fEoDL27U3ThKHeP6tOgrwQ3Fefb2rQ=
=eWwP
-----END PGP SIGNATURE-----
--- End Message ---