Your message dated Sat, 25 Mar 2023 13:19:19 +0000
with message-id <[email protected]>
and subject line Bug#1033340: fixed in redis 5:7.0.10-1
has caused the Debian Bug report #1033340,
regarding redis: CVE-2023-28425
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1033340: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033340
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: redis
Version: 5:7.0.9-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for redis.

Note this is not strictly speaking RC severity for the CVE issue, but
it's only present in unstable, so let's avoid it going to testing.

Speaking of redis and bookworm, with the fix here applied, can you
have a look at the regressions, and help redis migrate to testing?

CVE-2023-28425[0]:
| Redis is an in-memory database that persists on disk. Starting in
| version 7.0.8 and prior to version 7.0.10, authenticated users can use
| the MSETNX command to trigger a runtime assertion and termination of
| the Redis server process. The problem is fixed in Redis version
| 7.0.10.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28425
    https://www.cve.org/CVERecord?id=CVE-2023-28425
[1] https://github.com/redis/redis/security/advisories/GHSA-mvmm-4vq6-vw8c

Regards,
Salvatore

--- End Message ---
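The advisory quoted above gives an affected range (introduced in 7.0.8, fixed in 7.0.10), and the bug metadata carries Debian-style version strings such as `5:7.0.9-1`. The following triage helper is an added example, not part of the bug report or of the Debian redis package: it strips the Debian epoch and revision to recover the upstream version, reads `redis_version` from the output of the `INFO server` command, and reports whether that version falls inside the range the CVE text describes. The `INFO` output embedded below is constructed sample text, not captured from a real host.

```python
"""Triage helper for CVE-2023-28425: is a Redis version inside the affected
range 7.0.8 <= version < 7.0.10 stated in the advisory?  Added example; not
code from the Debian bug report or the redis package."""
import re

# Range taken from the CVE description: introduced in 7.0.8, fixed in 7.0.10.
AFFECTED_FROM = (7, 0, 8)
FIXED_IN = (7, 0, 10)


def debian_upstream_version(debian_version):
    """Reduce a Debian version ('5:7.0.9-1') to its upstream part ('7.0.9').

    The optional 'epoch:' prefix and the '-revision' suffix are Debian-only
    and say nothing about which upstream release is packaged."""
    v = debian_version.strip()
    if ":" in v:
        v = v.split(":", 1)[1]          # drop the epoch
    if "-" in v:
        v = v.rsplit("-", 1)[0]         # drop the Debian revision
    return v


def parse_version(text):
    """Turn '7.0.9' (a trailing suffix such as '-rc1' is ignored) into a tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised Redis version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the upstream version lies in [7.0.8, 7.0.10)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def version_from_info(info_output):
    """Extract the redis_version field from the text returned by INFO server."""
    for line in info_output.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


# Constructed sample of 'INFO server' output (not captured from a real host).
SAMPLE_INFO = "\r\n".join([
    "# Server",
    "redis_version:7.0.9",
    "redis_mode:standalone",
    "os:Linux 6.1.0 x86_64",
    "",
])


def triage(info_output):
    """Return (reported version, affected?) for one server's INFO output."""
    ver = version_from_info(info_output)
    return ver, is_affected(ver)


if __name__ == "__main__":
    ver, affected = triage(SAMPLE_INFO)
    print("redis_version=%s affected=%s" % (ver, affected))
```

The upstream version alone is not conclusive for Debian packages: Debian regularly backports security fixes into a stable release without changing the upstream version number, which is why the report above asks that the CVE id be recorded in the changelog. For a packaged Redis, check the package changelog for the CVE id as well as comparing the version.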
--- Begin Message ---
Source: redis
Source-Version: 5:7.0.10-1
Done: Chris Lamb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Mar 2023 13:04:38 +0000
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.10-1
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1033340
Changes:
 redis (5:7.0.10-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2023-28425: Unauthenticated users could have used the MSETNX command
       to trigger a runtime assertion and termination of the Redis server
       process. (Closes: #1033340)
   * Refresh patches.
   * Bump Standards-Version.
   * Extend our USE_SYSTEM_JEMALLOC patch to support latest version.
Checksums-Sha1:
 8c8f06390ec1f109a8c1997d6607fd716628e4b5 2273 redis_7.0.10-1.dsc
 d5cd28c2907625532bef88828ba478a2f04d9bfa 3017600 redis_7.0.10.orig.tar.gz
 9f0bdd3c53585dc073d71ebcb2458d8cf79eae07 28324 redis_7.0.10-1.debian.tar.xz
 a0d4c3f8e8544102b03c3ad1d9ee04f47359d8f3 7450 redis_7.0.10-1_amd64.buildinfo
Checksums-Sha256:
 a1d6edc8621f3f5d2a61682ee6d3e301501fc0a7ff135f86c3305f02d10ab2bb 2273 redis_7.0.10-1.dsc
 5be1f61c8ce4216e0ca80c835def3a16eb4a29fa80b2ecd04943eacac9d038ea 3017600 redis_7.0.10.orig.tar.gz
 0ee125ffbce12406beffec5c17d0db6dae73d8849a54d499aa167329768e326e 28324 redis_7.0.10-1.debian.tar.xz
 c3a8afccb364426ca198df8efd12604c4eda7d9c9503127f2c103d900e92cf0e 7450 redis_7.0.10-1_amd64.buildinfo
Files:
 f5781b59873754aca2f3fc43ff0393b9 2273 database optional redis_7.0.10-1.dsc
 c2b06eb38e6094be789ad18aa5b178e2 3017600 database optional redis_7.0.10.orig.tar.gz
 107d3d1af5140bc76bd6b29e767150a0 28324 database optional redis_7.0.10-1.debian.tar.xz
 34e21632b59c2aaf3e0f5c6958f98772 7450 database optional redis_7.0.10-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmQe8kcACgkQHpU+J9Qx
HliWoBAAuKIm9G9ZE75kgYKTQOhaEGQz1xolM/tlL2PvFguVI1+McrSUe7uVggpw
Cw7KMHlfCdcky9ImeWFc3PJ+t27A1bhe17oMmyddGQ8515M8eC/AaVSAB32SW+fl
ZKRqGDo5tULWTqz1Ycqpt8bdoVxnYUzr9OZHlvKekZ0ygX7X8pwPzwKtIWMDlXgS
sYBiMpH5VqaEb/odRVnMRs/rXJ7isvsTGFHq4XS+UFmuuyWe9RbwB6jrUpiJig3h
3HmUGUvWZ0OWrdCCnkQ3yRAYCRbrXoeA2uW6LYxugTCEgV8DuwE5p56QaqF1sPnl
NDQBiWp2stvIHIeWUvSQNj6P6T4v4LL780iKjdZUfHIkqOaSddluCZrfG/hL8uC5
xytn/M9yMWBolLIbt7aPM7FpCrWLb0QeWdaWEpiinRNth7wtXXMTRFcDHX9VpiR/
EK1k0Op0SNxtniEdIhLB/XwLd5PQeh0bpP2MUCsZ4WNXMNF0J4KANaBb9V+Rlzzl
SQL6VnjwDTqKSeGQyoldalGwmvpx1ulCTenWgilrYFkRVuZBuI9YqcXn5R9zTtFo
D9DyZ6NikfnM8LRwAT0cU68yccBS4FP85m57On7qSmmuvcdw1y9HJ+q0ADQnC8pO
pevbrBjim1FlcrGdHm1uwgNOqG6UkzAV5J+VhDxViE9JHLLdTGA=
=M5Xy
-----END PGP SIGNATURE-----

--- End Message ---