redis: CVE-2021-29477 & CVE-2021-29478

Related Vulnerabilities: CVE-2021-29477   CVE-2021-29478  

Debian Bug report logs - #988045

Package: redis; Maintainer for redis is Chris Lamb <lamby@debian.org>; Source for redis is src:redis.

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Tue, 4 May 2021 08:36:02 UTC

Severity: grave

Tags: security

Found in version redis/5:6.0.12-1

Fixed in versions redis/5:6.0.13-1, redis/5:6.2.3-1

Done: Chris Lamb <lamby@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Chris Lamb <lamby@debian.org>:
Bug#988045; Package redis. (Tue, 04 May 2021 08:36:04 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Chris Lamb <lamby@debian.org>. (Tue, 04 May 2021 08:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: redis: CVE-2021-29477 & CVE-2021-29478
Date: Tue, 04 May 2021 09:32:32 +0100
Package: redis
Version: 3:3.2.6-3+deb9u3
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for redis.

CVE-2021-29477[0]:
   Vulnerability in the STRALGO LCS command

CVE-2021-29478[1]:
   Vulnerability in the COPY command for large intsets

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29477
[1] https://security-tracker.debian.org/tracker/CVE-2021-29478
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29478


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 04 May 2021 10:06:06 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 04 May 2021 10:06:06 GMT)


Message #10 received at 988045-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 988045-close@bugs.debian.org
Subject: Bug#988045: fixed in redis 5:6.2.3-1
Date: Tue, 04 May 2021 10:03:29 +0000
Source: redis
Source-Version: 5:6.2.3-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988045@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 04 May 2021 11:00:25 +0100
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:6.2.3-1
Distribution: experimental
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 988045
Changes:
 redis (5:6.2.3-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-29477: Vulnerability in the STRALGO LCS command.
     - CVE-2021-29478: Vulnerability in the COPY command for large intsets.
     (Closes: #988045)
   * Refresh patches.




Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 04 May 2021 10:21:03 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 04 May 2021 10:21:03 GMT)


Message #15 received at 988045-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 988045-close@bugs.debian.org
Subject: Bug#988045: fixed in redis 5:6.0.13-1
Date: Tue, 04 May 2021 10:18:52 +0000
Source: redis
Source-Version: 5:6.0.13-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988045@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 04 May 2021 11:06:14 +0100
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:6.0.13-1
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 988045
Changes:
 redis (5:6.0.13-1) unstable; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-29477: Vulnerability in the STRALGO LCS command.
     - CVE-2021-29478: Vulnerability in the COPY command for large intsets.
     (Closes: #988045)
   * Refresh patches.




Marked as found in versions redis/5:6.0.12-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 04 May 2021 10:39:03 GMT)


No longer marked as found in versions 3:3.2.6-3+deb9u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 04 May 2021 17:03:05 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 5 08:08:20 2021; Machine Name: buxtehude