I've attached a debdiff that upgrades the package from 2.8.4, released
in Jan 2014, to 2.8.24, which was released in Dec 2015.

The most crucial change is the critical fix for the CVE mentioned in
this thread, which was introduced in redis 2.8.21. Between 2.8.4 and
2.8.24, 6 updates are marked CRITICAL urgency and 12 updates are marked
HIGH urgency.

These versions appear to be compatible except for a minor API
modification introduced in 2.8.14: "* [NEW] **WARNING, minor API
change**: PUBSUB NUMSUB: return type modified to integer. (Matt
Stancliff)" Debian has included this change in their stable updates,
however.

The dependency on jemalloc was upgraded to jemalloc 3.6.0 as of redis
2.8.12. It is probably wise to sync down jemalloc 3.6.0 from Debian
jessie: https://packages.debian.org/source/jessie/jemalloc (I understand
this suggestion should be filed as a separate report on the jemalloc
launchpad). Currently jemalloc 3.5.1 is in the trusty repos; 3.6.0
claims to provide an important fix for a crasher and should probably be
brought down, but doesn't appear to introduce any modifications that
would affect redis's functionality.

"make test" runs without issue. All tests pass. I am running the
binaries built from this package without issue now.

This upgrade is badly needed. CVE-2015-4335 is being actively exploited
in the wild. Please let me know what else is needed to proceed.

** Attachment added: "debdiff redis 2.8.4-2 -> 2.8.24-1"
   https://bugs.launchpad.net/ubuntu/+source/redis/+bug/1467606/+attachment/4784944/+files/redis.debdiff.gz

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1467606

Title:
  EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)

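The report above says the fix for CVE-2015-4335 landed in redis 2.8.21, so the practical first check on a fleet is whether each server's reported version is at or above that. The following is an added example for that check, not code from the bug report or from the redis project: it parses the "# Server" section of `redis-cli INFO server` output and compares `redis_version` against 2.8.21 numerically. The INFO text is constructed, not captured from a real server, and the threshold applies only to the 2.8 branch the report discusses; for any other major.minor branch the helper returns None rather than guessing, because the report says nothing about those.

```python
"""Version check for the CVE-2015-4335 fix threshold named in the bug report.

Added example, not part of the bug report or of redis itself. The threshold
(2.8.21) is taken from the report; SAMPLE_INFO is constructed, not captured.
"""
import re
from typing import Dict, Optional, Tuple

# Per the report: the fix was introduced in redis 2.8.21 (2.8 branch only).
FIXED_VERSION = "2.8.21"

# Constructed sample of `redis-cli INFO server` output for a trusty-era build.
SAMPLE_INFO = """# Server
redis_version:2.8.4
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 3.13.0-24-generic x86_64
"""


def parse_info(text: str) -> Dict[str, str]:
    """Parse INFO output into a dict: skip '#' section headers and blank
    lines, split each remaining line on the first ':'."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key] = value
    return fields


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.8.21' into (2, 8, 21). Compare as integer tuples, never as
    strings: '2.8.4' > '2.8.21' lexicographically, which would wrongly
    report the vulnerable build as fixed."""
    m = re.match(r"^(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable redis_version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True/False when `version` is on the same major.minor branch as the
    fix; None for other branches, where this threshold says nothing."""
    v, f = parse_version(version), parse_version(fixed)
    if v[:2] != f[:2]:
        return None
    return v >= f


def check_info(text: str) -> Tuple[str, Optional[bool]]:
    """Return (reported redis_version, fixed-status) for one INFO blob."""
    version = parse_info(text).get("redis_version")
    if version is None:
        raise ValueError("redis_version not present in INFO output")
    return version, is_fixed(version)


if __name__ == "__main__":
    reported, status = check_info(SAMPLE_INFO)
    if status is None:
        verdict = "not on the 2.8 branch; consult the advisory"
    elif status:
        verdict = "at or above " + FIXED_VERSION
    else:
        verdict = "VULNERABLE, below " + FIXED_VERSION
    print(f"redis {reported}: {verdict}")
```

Feed it the output of `redis-cli -h <host> INFO server` for each node; a build at 2.8.4, as in the sample, is reported as below the fix. Package version strings carry a Debian revision (e.g. 2.8.24-1), so check the running server's own `redis_version` rather than the package name.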