Your message dated Sat, 02 Aug 2025 17:17:23 +0000
with message-id <[email protected]>
and subject line Bug#1108981: fixed in redis 5:7.0.15-1~deb12u5
has caused the Debian Bug report #1108981,
regarding redis: CVE-2025-48367
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1108981: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108981
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: redis
Version: 5:8.0.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for redis.

CVE-2025-48367[0]:
| Redis is an open source, in-memory database that persists on disk.
| An unauthenticated connection can cause repeated IP protocol errors,
| leading to client starvation and, ultimately, a denial of service.
| This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48367
    https://www.cve.org/CVERecord?id=CVE-2025-48367
[1] https://github.com/redis/redis/security/advisories/GHSA-4q32-c38c-pwgq
[2] https://github.com/redis/redis/commit/bde62951accfc4bb0a516276fd0b4b307e140ce2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: redis
Source-Version: 5:7.0.15-1~deb12u5
Done: Chris Lamb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 Jul 2025 13:01:37 -0700
Source: redis
Binary: redis redis-sentinel redis-server redis-tools redis-tools-dbgsym
Built-For-Profiles: nocheck
Architecture: source amd64 all
Version: 5:7.0.15-1~deb12u5
Distribution: bookworm-security
Urgency: high
Maintainer: Chris Lamb <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Description:
 redis      - Persistent key-value database with network interface (metapackage)
 redis-sentinel - Persistent key-value database with network interface (monitoring)
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 1106822 1108975 1108981
Changes:
 redis (5:7.0.15-1~deb12u5) bookworm-security; urgency=high
 .
   * CVE-2025-27151: Fix a stack-based buffer overflow in redis-check-aof
     caused by the use of memcpy with strlen(filepath) when copying a
     user-supplied file path into a fixed-size stack buffer. This allowed an
     attacker to overflow the stack and potentially achieve arbitrary code
     execution. (Closes: #1106822)
   * CVE-2025-32023: An authenticated user may have used a specially-crafted
     string to trigger a stack/heap out-of-bounds write during hyperloglog
     operations, potentially leading to remote code execution. Installations
     that used Redis' ACL system to restrict hyperloglog "HLL" commands are
     unaffected by this issue. (Closes: #1108975)
   * CVE-2025-48367: An unauthenticated connection could have caused repeated IP
     protocol errors, leading to client starvation and ultimately to a
     Denial of Service (DoS). (Closes: #1108981)
Checksums-Sha1:
 18a4842a7e7edcb2cce74bfdc44339b9599fd01f 2305 redis_7.0.15-1~deb12u5.dsc
 acb9e167a849f2e52c11c119b3f6d075a155a8db 35752 redis_7.0.15-1~deb12u5.debian.tar.xz
 47746ad01601dd8792d776b2f1cee0e48c8cfb3f 34244 redis-sentinel_7.0.15-1~deb12u5_amd64.deb
 f927d303f747c43a64d99c78b629e2967135d42c 73036 redis-server_7.0.15-1~deb12u5_amd64.deb
 734a4248e4bd09ccb1e876831488ca42e723c39c 2781548 redis-tools-dbgsym_7.0.15-1~deb12u5_amd64.deb
 58110254c908802e75aa3c5c2110e1dd10b2dc04 990064 redis-tools_7.0.15-1~deb12u5_amd64.deb
 32bfb234b609f856eb8b93752a86c79ce066861d 25188 redis_7.0.15-1~deb12u5_all.deb
 d1d314a4c5f5e2b951868e67f66f6139ad30f93b 8054 redis_7.0.15-1~deb12u5_amd64.buildinfo
Checksums-Sha256:
 3757314faf89ff571d4a4231fd37980e1eaec31077aa2ecf8d7edcefd3b7d65d 2305 redis_7.0.15-1~deb12u5.dsc
 e1702e67e26fe8635031e0bb1f4c70715ef977f305bedc49cc8638fae4605871 35752 redis_7.0.15-1~deb12u5.debian.tar.xz
 9112e1810c451d9723b6c797f702e526984ad40b14c2d5475dfb96c941c04697 34244 redis-sentinel_7.0.15-1~deb12u5_amd64.deb
 6e97c13c2af60a74e0e8bd636c04a6bc20645e2712b40ff9bf147fc43732b1e3 73036 redis-server_7.0.15-1~deb12u5_amd64.deb
 10b41e16f485d28b00f81f06302d1756329d18aa0a2a2e74f5a3ab8c5f3d8b95 2781548 redis-tools-dbgsym_7.0.15-1~deb12u5_amd64.deb
 64999150bd1227846578f80af90a4a900eab024fb004162dd120b7b70fc5a893 990064 redis-tools_7.0.15-1~deb12u5_amd64.deb
 ad610f5b96e4f96dd1808b130bd30c102c2f134e5a45f5759f543e15f2ee3d5f 25188 redis_7.0.15-1~deb12u5_all.deb
 9a4144e1da161678c66382f52799533807f75b96023a1774f4f77050c1472356 8054 redis_7.0.15-1~deb12u5_amd64.buildinfo
Files:
 30ee6f3fbd0ff5f7b44985fd7cbe59fd 2305 database optional redis_7.0.15-1~deb12u5.dsc
 c864385b8633652a2c3b8df6594db0a7 35752 database optional redis_7.0.15-1~deb12u5.debian.tar.xz
 189f7807dec379075ef1c8b89099c8ef 34244 database optional redis-sentinel_7.0.15-1~deb12u5_amd64.deb
 e478c38b1eb489df52f6c1385476a285 73036 database optional redis-server_7.0.15-1~deb12u5_amd64.deb
 6c8b52b219e7174b1e5c02f0191e174b 2781548 debug optional redis-tools-dbgsym_7.0.15-1~deb12u5_amd64.deb
 1936a64d0a30b8dd45708d3ee38ea9c3 990064 database optional redis-tools_7.0.15-1~deb12u5_amd64.deb
 1189a4b72239d7457477053ee649aee2 25188 database optional redis_7.0.15-1~deb12u5_all.deb
 2b1158a73915a7ff0cad39448d26ad92 8054 database optional redis_7.0.15-1~deb12u5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmiH5uAACgkQHpU+J9Qx
Hljwdg//dPLtuOpLyK9C/fxAwUIOqQrPfplxUPyPTCEgDtxpoqJgY5wttaiIM+ye
k0m7HZA95QZjLNLCYYQDNuFTsOgCUiJTWo5YipHs/HpApuv9VohZ/eBcVrrpZ9Dq
qfQNdjZhJ5Od9ifA6ZS6UQT8XiARN5GvYl5H0tW2UndkhTqwOaR4IgEoxbmSeaw9
wUqBDqqk1kd7VCT83f8KcsIsSzvDjuJrirpNaB+HY211450IgKXLDCB34AeXH+6Q
LJfQj0lTwNo09NzHNgqVTpU+644N2IfVpjMhPEoLXqshFhHkpDyjqe86WuRXlpIr
nFZ0M502uhdCwhyk2RI+jwQojeudyeaV6D0eUQwWpsM9cOjOFYbCNjAUWiYs9mc+
FMA3N9bYwbL09FUfAkKxQeFnftrb/aaJOwD5dCFoD4mfI4As5Jij5Eh4cJkakZFi
Q/UiFVT0EOh0618pohD3cnrbEFhbX/qZOk+OrvEBxiOF8IazFKEr1wl/Y8UkqErQ
LCzsAO0TqWJEPNeaaoi7yH34JOhN8vTPGCa0bJE71UObBxcuUTVNPZQ/Ihz9RO6Q
gBgSEvpBxC+VyVnmDQ60kZ+79i1GytYu0jOmkqb+EoPMVuSihmfKGq5d/mcPn5Fv
DXIAfzslpfGAI0D4Hj2ZvafJXmaYNIhyWsIy72GlZHwrFhJDZNA=
=bTh8
-----END PGP SIGNATURE-----

Attachment: pgpZGILJj4pb1.pgp
Description: PGP signature


--- End Message ---
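The CVE-2025-27151 changelog entry above names the bug class precisely: a memcpy whose length is taken from strlen() of attacker-supplied input, written into a fixed-size stack buffer, so nothing ties the copy length to the destination size. The C program below is an added illustration written for this page; it is not Redis code and not the Debian patch, and the buffer size, the canary marker and the sample paths are all constructed for the demonstration. It lays out a small logical buffer followed by a canary, runs both the unchecked copy and a destination-bounded replacement over inputs that fit, sit exactly on the boundary, and far exceed it, and reports whether the canary survived. The region is heap-allocated with slack so the demo itself stays inside one allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Logical size of the fixed-size path buffer; kept tiny on purpose so the
 * overflow is easy to trigger with a short constructed input. */
#define PATH_BUF_SIZE 16
/* Marker placed directly after the logical buffer to detect overwrites. */
#define CANARY "CANARY!!"
#define CANARY_LEN (sizeof(CANARY) - 1)

/* Vulnerable pattern (illustration, not Redis code): the copy length comes
 * from the attacker-controlled source, so nothing bounds it to the
 * destination. A path of PATH_BUF_SIZE or more bytes writes past the end,
 * and even the NUL terminator of a path exactly PATH_BUF_SIZE long lands
 * one byte beyond the buffer. */
static void copy_path_unchecked(char *dst, const char *filepath) {
    size_t n = strlen(filepath);
    memcpy(dst, filepath, n);
    dst[n] = '\0';
}

/* Hardened replacement: validate against the destination size first and
 * refuse anything that does not fit together with its terminating NUL.
 * Returns 0 on success, -1 if the input was refused (dst is left untouched). */
static int copy_path_checked(char *dst, size_t dstsz, const char *filepath) {
    size_t n = strlen(filepath);
    if (dstsz == 0 || n >= dstsz) return -1;
    memcpy(dst, filepath, n + 1);
    return 0;
}

/* Runs one copy into a region laid out as [buffer][canary][slack] and reports
 * whether the canary survived. checked selects the hardened copy; *rejected
 * (optional) receives 1 if the hardened copy refused the input.
 * Returns 1 if the canary is intact, 0 if it was overwritten, -1 on error.
 * The slack keeps even the unchecked copy inside the allocation, so the
 * demonstration itself has no undefined behaviour. */
static int canary_intact_after_copy(int checked, const char *filepath, int *rejected) {
    enum { REGION = 256 };
    if (strlen(filepath) + 1 > REGION - PATH_BUF_SIZE) return -1; /* keep the demo in bounds */
    char *region = calloc(REGION, 1);
    if (!region) return -1;
    memcpy(region + PATH_BUF_SIZE, CANARY, CANARY_LEN);

    int rej = 0;
    if (checked)
        rej = copy_path_checked(region, PATH_BUF_SIZE, filepath) != 0;
    else
        copy_path_unchecked(region, filepath);

    int intact = memcmp(region + PATH_BUF_SIZE, CANARY, CANARY_LEN) == 0;
    if (rejected) *rejected = rej;
    free(region);
    return intact;
}

int main(void) {
    /* Constructed inputs: one that fits, one exactly at the boundary, one far over. */
    const char *inputs[] = { "appendonly.aof", "0123456789abcdef",
                             "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        int rej = 0;
        int unchecked = canary_intact_after_copy(0, inputs[i], NULL);
        int hardened = canary_intact_after_copy(1, inputs[i], &rej);
        printf("len=%2zu  unchecked canary %-9s | checked canary %-9s input %s\n",
               strlen(inputs[i]), unchecked ? "intact" : "CLOBBERED",
               hardened ? "intact" : "CLOBBERED", rej ? "rejected" : "accepted");
    }
    return 0;
}
```

The boundary case is the one worth remembering when reviewing this pattern: a path of exactly PATH_BUF_SIZE bytes passes a naive `n > size` check yet still writes its terminator one byte past the buffer, which is why the hardened copy rejects `n >= dstsz` rather than `n > dstsz`. Where the length is genuinely fixed by a format, `snprintf` with the destination size, or an explicit check like the one above before any write, removes the dependence on attacker-controlled lengths.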
