On Wed, Feb 24, 2021 at 11:17:55AM +0000, Chris Lamb wrote:
> Chris Lamb wrote:
> 
> > Package: redis
> > Version: 3:3.2.6-3+deb9u3
> [..]
> > CVE-2021-21309:
> > https://groups.google.com/g/redis-db/c/fV7cI3GSgoQ/m/ocwV-MlzAgAJ
> 
> Security team, would you like an upload to stretch-security or should
> this go via s-p-u? I mention that option specifically as the s-p-u route
> might permit us to go from 5.0.3 → 5.0.11, fixing a number of other
> fairly high priority bugs as well.

Hi Chris,
given that this only affects 32 bit archs and only with an inherently insecure
setup (opening up the default bulk size to such high values might impact all
kinds of stability / availability I guess) I don't think this needs a DSA.
So s-p-u or piggybacking with the next DSA seems fine to me.

Cheers,
        Moritz
