[Bug 1467606] Re: EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)

2017-01-04 Thread Marc Deslauriers
Thanks for the debdiff! Unfortunately, as mentioned earlier, going from 2.8.4 to 2.8.24 is too intrusive to be sponsored by the security team. There is no way for us to adequately test how such a big version bump will affect other packages in the archive that depend on redis, or adequately test how

[Bug 1467606] Re: EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)

2016-12-05 Thread Mattia Rizzolo
Right. I'm not convinced that it's _needed_ but it can be done indeed. Though, I'm not personally up to sponsor it. Besides, I'd rather see this bug only about the CVE; if anybody wants to provide a minimal patch for it, and follow the SRU procedure (which includes testing once it reaches prop

[Bug 1467606] Re: EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)

2016-12-05 Thread Jeff Cook
As a long-time user of both Ubuntu and Debian, I understand that typically, new major upstream versions do not get inserted into stable releases. My personal experience is that microversion bumps are frequently brought into the stable releases, and section 2.3 of the linked page seems to describe t

[Bug 1467606] Re: EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)

2016-12-05 Thread Mattia Rizzolo
So, this bug affects only trusty. The point is, during SRU you can't upgrade a package like redis to a whole new upstream release, but rather you should cherry-pick the relevant patch (like https://github.com/lamby/pkg-redis/commit/c2b56ef2d39bd681b3f98cd97354790ac19a1ce5). See: http://wiki.ubun

[Bug 1467606] Re: EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)

2016-12-01 Thread Mathew Hodson
** Changed in: redis (Ubuntu) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1467606 Title: EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279) To manage notificati

[Bug 1467606] Re: EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)

2016-11-29 Thread Ubuntu Foundations Team Bug Bot
The attachment "debdiff redis 2.8.4-2 -> 2.8.24-1" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patc

[Bug 1467606] Re: EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)

2016-11-29 Thread Jeff Cook
(no longer expired per #3) ** Changed in: redis (Ubuntu) Status: Expired => New

[Bug 1467606] Re: EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)

2016-11-29 Thread Jeff Cook
I've attached a debdiff that upgrades the package from 2.8.4, released in Jan 2014, to 2.8.24, which was released in Dec 2015. The most crucial change is the critical fix for the CVE mentioned in this thread, which was introduced in redis 2.8.21. Between 2.8.4 and 2.8.24, 6 updates are marked CRIT

[Bug 1467606] Re: EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)

2015-08-21 Thread Launchpad Bug Tracker
[Expired for redis (Ubuntu) because there has been no activity for 60 days.] ** Changed in: redis (Ubuntu) Status: Incomplete => Expired

[Bug 1467606] Re: EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)

2015-06-22 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is availabl