Thanks for the debdiff! Unfortunately, as mentioned earlier, going from 2.8.4 to 2.8.24 is too intrusive to be sponsored by the security team. There is no way for us to adequately test how such a big version bump will affect other packages in the archive that depend on redis, or adequately test how it would affect how redis is being used in production by users.
If you are interested in getting a security update sponsored for CVE-2015-4335, I suggest simply backporting the following commit:

https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411

Much like Debian has done:

https://github.com/lamby/pkg-redis/commit/c2b56ef2d39bd681b3f98cd97354790ac19a1ce5

I am unsubscribing ubuntu-security-sponsors for now. Please re-subscribe the group once a new debdiff has been submitted.

--
https://bugs.launchpad.net/bugs/1467606
Title: EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)