redis: CVE-2023-41053


Debian Bug report logs - #1051512


Package: src:redis; Maintainer for src:redis is Chris Lamb <lamby@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 8 Sep 2023 21:03:04 UTC

Severity: important

Tags: security, upstream

Found in version redis/5:7.0.12-2

Fixed in versions redis/5:7.0.13-1, redis/5:7.2.1-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Chris Lamb <lamby@debian.org>:
Bug#1051512; Package src:redis. (Fri, 08 Sep 2023 21:03:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Chris Lamb <lamby@debian.org>. (Fri, 08 Sep 2023 21:03:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: redis: CVE-2023-41053
Date: Fri, 08 Sep 2023 23:02:01 +0200
Source: redis
Version: 5:7.0.12-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for redis.

CVE-2023-41053[0]:
| Redis is an in-memory database that persists on disk. Redis does not
| correctly identify keys accessed by `SORT_RO` and as a result may
| grant users executing this command access to keys that are not
| explicitly authorized by the ACL configuration. The problem exists
| in Redis 7.0 or newer and has been fixed in Redis 7.0.13 and 7.2.1.
| Users are advised to upgrade. There are no known workarounds for
| this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41053
    https://www.cve.org/CVERecord?id=CVE-2023-41053
[1] https://github.com/redis/redis/commit/0f14d3279212e1b262869b6160db87d6f117cff5
[2] https://github.com/redis/redis/security/advisories/GHSA-q4jr-5p56-4xwc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
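
As an added example (not code from this bug log, from Debian, or from the redis project), the following Python script turns the affected range stated in the advisory text above, Redis 7.0 or newer with fixes in 7.0.13 and 7.2.1, into a check a defender can run against package versions written in Debian form (epoch and revision, as in `5:7.0.12-2`) or against the `redis_version` line of a `redis-cli INFO server` reply. The `INFO` reply embedded in the script is constructed, and the function names are the example's own.

```python
"""Decide whether a Redis build falls in the CVE-2023-41053 affected range.

Added example, not part of the Debian bug log. The ranges come from the
advisory text: the SORT_RO ACL key-tracking problem exists from Redis 7.0
onward and is fixed in 7.0.13 (7.0 branch) and 7.2.1 (7.2 branch, which
also covers the 7.1.x pre-releases and 7.2.0).
"""
import re
from typing import Dict, Optional, Tuple

# First fixed release on each branch, as named in the advisory.
FIXED_7_0 = (7, 0, 13)
FIXED_7_2 = (7, 2, 1)

# Constructed sample of an "INFO server" reply (not captured from a real host).
SAMPLE_INFO = """# Server
redis_version:7.0.12
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 6.1.0-12-amd64 x86_64
tcp_port:6379
"""


def upstream_version(version: str) -> str:
    """Strip a Debian epoch ("5:") and revision ("-2") to get the upstream version."""
    v = version.strip()
    if ":" in v:
        v = v.split(":", 1)[1]      # the epoch precedes the first colon
    if "-" in v:
        v = v.rsplit("-", 1)[0]     # the Debian revision follows the last hyphen
    return v


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) for a plain or Debian-form Redis version."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", upstream_version(version))
    if not m:
        raise ValueError(f"unrecognised Redis version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), (int(patch) if patch else 0)


def is_vulnerable(version: str) -> bool:
    """True if the version lies in the affected range described by the advisory."""
    v = parse_version(version)
    if v < (7, 0, 0):
        return False                # SORT_RO tracking bug only exists from 7.0
    if v[:2] == (7, 0):
        return v < FIXED_7_0        # 7.0.x branch fixed in 7.0.13
    return v < FIXED_7_2            # 7.1.x pre-releases and 7.2.0 fixed in 7.2.1


def version_from_info(info_text: str) -> Optional[str]:
    """Extract the redis_version field from an INFO server reply."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    return None


def check_host(info_text: str) -> Dict[str, object]:
    """Summarise one host's exposure from its INFO server output."""
    version = version_from_info(info_text)
    if version is None:
        return {"version": None, "vulnerable": None, "note": "redis_version not found"}
    vulnerable = is_vulnerable(version)
    note = "upgrade to 7.0.13 / 7.2.1 or later" if vulnerable else "carries the fix"
    return {"version": version, "vulnerable": vulnerable, "note": note}


if __name__ == "__main__":
    # The Debian versions below are the ones recorded in this bug report.
    for v in ("5:7.0.12-2", "5:7.0.13-1", "5:7.2.1-1", "7.2.0", "6.2.13"):
        print(f"{v:>12}: {'vulnerable' if is_vulnerable(v) else 'not affected'}")
    print(check_host(SAMPLE_INFO))
```

The check compares the upstream version only, which is what the advisory is phrased in. For Debian packages that is a usable first pass (the versions in this report, 5:7.0.12-2 affected and 5:7.0.13-1 / 5:7.2.1-1 fixed, are classified correctly), but a release that receives the fix as a backported patch without an upstream version bump would be reported as vulnerable; for those, the package changelog and the Debian security tracker entry are the authoritative source.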



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Fri, 08 Sep 2023 21:24:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 08 Sep 2023 21:24:06 GMT)


Message #10 received at 1051512-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1051512-close@bugs.debian.org
Subject: Bug#1051512: fixed in redis 5:7.0.13-1
Date: Fri, 08 Sep 2023 21:22:25 +0000
Source: redis
Source-Version: 5:7.0.13-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051512@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 08 Sep 2023 14:04:13 -0700
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.13-1
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1051512
Changes:
 redis (5:7.0.13-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2023-41053: Redis did not correctly identify keys accessed by
       `SORT_RO`, and as a result Redis may grant users executing this command
       access to keys that are not explicitly authorized by the ACL
       configuration. (Closes: #1051512)
 .
     <https://raw.githubusercontent.com/redis/redis/7.2/00-RELEASENOTES>
 .
   * Refresh patches.
Checksums-Sha1:
 32123c650dd9e2d4fd2c31acc040544ae2c6b447 2273 redis_7.0.13-1.dsc
 74dabcac4d0e4d3880134f70277259a7e72688e5 3024891 redis_7.0.13.orig.tar.gz
 da1455af96bc79061b1cd9f7ccef6947076b8044 28764 redis_7.0.13-1.debian.tar.xz
 ac7cb9e58f7bba99533967232ac4569c94af816c 7585 redis_7.0.13-1_amd64.buildinfo
Checksums-Sha256:
 29221fd0b9bbc7e8dcc7688843ce39fd8b65d5d967f19d2d762f5d23332ca2dd 2273 redis_7.0.13-1.dsc
 7fde08f9e66c030c68246616e59e8e1435d481a147a885c5de7a9d9a76ac2a55 3024891 redis_7.0.13.orig.tar.gz
 e721977648a1e03117dc1256139b5cb5480952596e652d583bc89c94a87f228d 28764 redis_7.0.13-1.debian.tar.xz
 d82bd304b613b9edb7e24f5bc872e57966ae77a6dd4e25aa193a115f24106955 7585 redis_7.0.13-1_amd64.buildinfo
Files:
 c343cf5a1e06c5065087549e3e2d04b4 2273 database optional redis_7.0.13-1.dsc
 dbf21949daa1f31862080f510f2f16e4 3024891 database optional redis_7.0.13.orig.tar.gz
 f7b74b7def2b714a20e0da8e7bf507bd 28764 database optional redis_7.0.13-1.debian.tar.xz
 08c2a5e2af39a52b3665acb93ba9a1fe 7585 database optional redis_7.0.13-1_amd64.buildinfo





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Fri, 08 Sep 2023 21:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 08 Sep 2023 21:39:03 GMT)


Message #15 received at 1051512-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1051512-close@bugs.debian.org
Subject: Bug#1051512: fixed in redis 5:7.2.1-1
Date: Fri, 08 Sep 2023 21:36:49 +0000
Source: redis
Source-Version: 5:7.2.1-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051512@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 08 Sep 2023 14:13:40 -0700
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.2.1-1
Distribution: experimental
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1051512
Changes:
 redis (5:7.2.1-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2023-41053: Redis did not correctly identify keys accessed by
       `SORT_RO`, and as a result Redis may grant users executing this command
       access to keys that are not explicitly authorized by the ACL
       configuration. (Closes: #1051512)
 .
     <https://raw.githubusercontent.com/redis/redis/7.2/00-RELEASENOTES>
Checksums-Sha1:
 bae65294d351c6f4656575dba00103f5e8d80c94 2231 redis_7.2.1-1.dsc
 48012488be2baa56c13181373f681acb9bb91a10 3421236 redis_7.2.1.orig.tar.gz
 68ce25135c043ff46d02f4ec8d49a16fa0d1a86f 28648 redis_7.2.1-1.debian.tar.xz
 46145ee4164145b0bb00c5fad94041694f0ae82b 7569 redis_7.2.1-1_amd64.buildinfo
Checksums-Sha256:
 d1714fa250424b8a48bfb498169fe14f18a65d1f0ce82ca92a586f9530735726 2231 redis_7.2.1-1.dsc
 67866151542e2019b37d6dc2099e4268314a4f6a13c0c2acaf4407010eee2dc9 3421236 redis_7.2.1.orig.tar.gz
 a33c3ecccf192c51d1e0cb8ba201924ea3d317a8db2802165e7d7ad71c9cfae2 28648 redis_7.2.1-1.debian.tar.xz
 1e7457fbf1498b8f6988cf6418f2467b82144bf7ee445b4b745f0829ebbadd63 7569 redis_7.2.1-1_amd64.buildinfo
Files:
 0cfd28f82feefda7cd7d3b119d5a897f 2231 database optional redis_7.2.1-1.dsc
 6a13c10a3694705b4ab6fde5bb6cdd6c 3421236 database optional redis_7.2.1.orig.tar.gz
 467e11d3174ee72de867526903d87720 28648 database optional redis_7.2.1-1.debian.tar.xz
 cadfc22a6cbdf6f9bef6f7fa45fbbc2a 7569 database optional redis_7.2.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmT7kJsACgkQHpU+J9Qx
HlgBmw/+JcLEVQGZfz3HnIeO1zGyFMVRsR4StVG7i219Ae4xU8qxJmJudhjy9IHA
QLs88XvaKZa3AI1MnL7q8WDFNq0hJzvvehe+UvWEF9dqfh98nDGXyu17bXhHKl3L
JLYWlhd2f9B/e/BPhqIcqk/rSc6w420ZW6zQVuL92dYUpjkAR1GFIFQkLQNb5NiD
SRe6OO35OGHLFcDLm4tRs+FzQcE7P6V54Ze4XXfVXRGYJDMXBDsIIz3ex86NoToW
dLPAT0lO5s9HCAYU20LaIEhMC1WX6hw3JYypg4O5ha0yf6PJKSDLEmw8VOmb9Xr6
A5IHtfF2DE+Rx71c/YnQqwpicYsxDem9sqgM1eUB1GLzOB0+m+Z08cFCq9uTqXNu
9VVjB9u2/3ZkTiEDb0QVR46+SVfZmqw9jzcxx37EYs5vWOK4nbnEzPL9s0XR8+gm
tmKlTBZtJiNjUw11+AgzDOI/3MIAfMO/msllSPunNodSU/v8NYvhxQaKpxjNB90m
R1IBu4TIBn8Pizgu6RcUZS3FyAWk14jTw8UM9tgrb8VNvjTDhndaoLjEDYRax94L
gkJvvdjjPakpfYuAOiW9nhHXElItTu4CKnLJUzGNUEASeL1UOADMgFULOmwfuva2
qcWN9uOayrmH2RcQrk1mrBbWv5DojVzwDBGPfppxaW/5IhcDWQw=
=MSnw
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Sep 9 17:51:25 2023; Machine Name: bembo
