Change logs for redis source package in Noble

  • redis (5:7.0.15-1build2) noble; urgency=medium
    
      * No-change rebuild for CVE-2024-3094
    
     -- William Grant <email address hidden>  Mon, 01 Apr 2024 18:33:49 +1100
  • redis (5:7.0.15-1build1) noble; urgency=medium
    
      * No-change rebuild against libssl3t64
    
     -- Steve Langasek <email address hidden>  Mon, 04 Mar 2024 21:11:16 +0000
  • redis (5:7.0.15-1) unstable; urgency=medium
    
      * New upstream security release:
    
        - CVE-2023-41056: In some cases, Redis may incorrectly handle resizing of
          memory buffers which can result in incorrect accounting of buffer sizes
          and lead to heap overflow and potential remote code execution.
          (Closes: #1060316)
    
        - For more information, please see:
          <https://raw.githubusercontent.com/redis/redis/7.2/00-RELEASENOTES>
    
      * Refresh patches.
    
     -- Chris Lamb <email address hidden>  Tue, 09 Jan 2024 13:42:30 +0000
  • redis (5:7.0.14-2) unstable; urgency=medium
    
      * Drop ProcSubset=pid hardening flag from the systemd unit files, as it
        appears to cause crashes with memory allocation errors. A huge thanks to
        Arnaud Rebillout <email address hidden> for the extensive investigation.
        (Closes: #1055039)
    
     -- Chris Lamb <email address hidden>  Tue, 31 Oct 2023 16:34:25 +0100
  • redis (5:7.0.14-1) unstable; urgency=high
    
      * New upstream security release:
    
        - CVE-2023-45145: On startup, Redis began listening on a Unix socket before
          adjusting its permissions to the user-provided configuration. If a
          permissive umask(2) was used, this created a race condition that enabled,
          during a short period of time, another process to establish an otherwise
          unauthorized connection. (Closes: #1054225)
    
      * Refresh patches.
    
     -- Chris Lamb <email address hidden>  Thu, 19 Oct 2023 15:50:56 +0100
  • redis (5:7.0.12-1) unstable; urgency=high
    
      * New upstream security release:
    
        - CVE-2022-24834: A specially-crafted Lua script executing in Redis could
          have triggered a heap overflow in the cjson and cmsgpack libraries and
          resulted in heap corruption and potentially remote code execution. The
          problem exists in all versions of Redis with Lua scripting support and
          affects only authenticated/authorised users.
    
        - CVE-2023-36824: Extracting key names from a command and a list of
          arguments may, in some cases, have triggered a heap overflow and resulted
          in reading random heap memory, heap corruption and potentially remote
          code execution. (Specifically using COMMAND GETKEYS* and validation of
          key names in ACL rules). (Closes: #1040879)
    
        For more information, please see:
    
          <https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES>
    
     -- Chris Lamb <email address hidden>  Wed, 12 Jul 2023 10:07:09 +0100