redis: multiple security issues in Lua scripting (CVE-2018-11218 CVE-2018-11219)

Related Vulnerabilities: CVE-2018-11218, CVE-2018-11219

Debian Bug report logs - #901495


Package: redis; Maintainer for redis is Chris Lamb <lamby@debian.org>; Source for redis is src:redis (PTS, buildd, popcon).

Reported by: Chris Lamb <lamby@debian.org>

Date: Thu, 14 Jun 2018 06:33:01 UTC

Severity: grave

Tags: security

Found in version 3:3.2.6-1

Fixed in versions redis/5:4.0.10-1, redis/3:3.2.6-3+deb9u1, redis/3:3.2.6-3+deb9u2

Done: Chris Lamb <lamby@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#901495; Package redis. (Thu, 14 Jun 2018 06:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org. (Thu, 14 Jun 2018 06:33:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: submit@bugs.debian.org
Subject: redis: multiple security issues in Lua scripting
Date: Thu, 14 Jun 2018 07:29:49 +0100
Package: redis
Version: 3:3.2.6-1
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

From https://github.com/antirez/redis/issues/5017:

> The Apple Security Team, together with Alibaba and myself,
> identified several security issues in the Lua script engine. The full
> report is here: <http://antirez.com/news/119>

No CVE has (yet) been assigned:

  https://github.com/antirez/redis/issues/5017#issuecomment-397038992

Version tagged >= 3:3.2.6-1 due to stretch having Lua support but
wheezy (2.8.17) does not.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Thu, 14 Jun 2018 06:54:06 GMT) (full text, mbox, link).


Notification sent to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer. (Thu, 14 Jun 2018 06:54:06 GMT) (full text, mbox, link).


Message #10 received at 901495-close@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: 901495-close@bugs.debian.org
Subject: Bug#901495: fixed in redis 5:4.0.10-1
Date: Thu, 14 Jun 2018 06:50:29 +0000
Source: redis
Source-Version: 5:4.0.10-1

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901495@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 14 Jun 2018 08:37:09 +0200
Source: redis
Binary: redis redis-sentinel redis-server redis-tools
Built-For-Profiles: nocheck
Architecture: source amd64 all
Version: 5:4.0.10-1
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 redis      - Persistent key-value database with network interface (metapackage
 redis-sentinel - Persistent key-value database with network interface (monitoring)
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 901495
Changes:
 redis (5:4.0.10-1) unstable; urgency=medium
 .
   * New upstream security release. See:
     <https://github.com/antirez/redis/issues/5017> for more information.
     (Closes: #901495)




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#901495; Package redis. (Thu, 14 Jun 2018 12:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. (Thu, 14 Jun 2018 12:30:03 GMT) (full text, mbox, link).


Message #15 received at 901495@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: 901495@bugs.debian.org
Subject: Re: redis: multiple security issues in Lua scripting
Date: Thu, 14 Jun 2018 13:26:53 +0100

Hi,

> redis: multiple security issues in Lua scripting

This has now been assigned CVE-2018-11219 & CVE-2018-11218.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#901495; Package redis. (Thu, 14 Jun 2018 13:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. (Thu, 14 Jun 2018 13:15:05 GMT) (full text, mbox, link).


Message #20 received at 901495@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: 901495@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: redis: multiple security issues in Lua scripting
Date: Thu, 14 Jun 2018 14:10:27 +0100

Chris Lamb wrote:

> > redis: multiple security issues in Lua scripting
> 
> This has now been assigned CVE-2018-11219 & CVE-2018-11218.

Security team, permission to upload the attached to
stretch-security?

  redis (3:3.2.6-3+deb9u1) stretch-security; urgency=high

    * CVE-2018-11218, CVE-2018-11219: Backport patches to fix multiple heap
      corruption and integer overflow vulnerabilities. (Closes: #901495)

   -- Chris Lamb <lamby@debian.org>  Thu, 14 Jun 2018 15:08:27 +0200


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
[901495.diff.txt (text/plain, attachment)]

Changed Bug title to 'redis: multiple security issues in Lua scripting (CVE-2018-11218 CVE-2018-11219)' from 'redis: multiple security issues in Lua scripting'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Jun 2018 17:42:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#901495; Package redis. (Sat, 16 Jun 2018 07:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. (Sat, 16 Jun 2018 07:18:03 GMT) (full text, mbox, link).


Message #27 received at 901495@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: 901495@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: redis: multiple security issues in Lua scripting
Date: Sat, 16 Jun 2018 08:14:08 +0100

Chris Lamb wrote:

> Security team, permission to upload the attached to
> stretch-security?
> 
>   redis (3:3.2.6-3+deb9u1) stretch-security; urgency=high
> 
>     * CVE-2018-11218, CVE-2018-11219: Backport patches to fix multiple heap
>       corruption and integer overflow vulnerabilities. (Closes: #901495)
> 
>    -- Chris Lamb <lamby@debian.org>  Thu, 14 Jun 2018 15:08:27 +0200

Gentle ping on the above? :-)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#901495; Package redis. (Sat, 16 Jun 2018 08:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Sat, 16 Jun 2018 08:45:03 GMT) (full text, mbox, link).


Message #32 received at 901495@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Chris Lamb <lamby@debian.org>
Cc: 901495@bugs.debian.org, team@security.debian.org
Subject: Re: redis: multiple security issues in Lua scripting
Date: Sat, 16 Jun 2018 10:43:56 +0200

On Sat, Jun 16, 2018 at 08:14:08AM +0100, Chris Lamb wrote:
> Chris Lamb wrote:
> 
> > Security team, permission to upload the attached to
> > stretch-security?
> > 
> >   redis (3:3.2.6-3+deb9u1) stretch-security; urgency=high
> > 
> >     * CVE-2018-11218, CVE-2018-11219: Backport patches to fix multiple heap
> >       corruption and integer overflow vulnerabilities. (Closes: #901495)
> > 
> >    -- Chris Lamb <lamby@debian.org>  Thu, 14 Jun 2018 15:08:27 +0200
> 
> Gentle ping on the above? :-)

I'm flying later in the day and will review then.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#901495; Package redis. (Sat, 16 Jun 2018 14:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Sat, 16 Jun 2018 14:03:03 GMT) (full text, mbox, link).


Message #37 received at 901495@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Chris Lamb <lamby@debian.org>
Cc: 901495@bugs.debian.org, team@security.debian.org
Subject: Re: redis: multiple security issues in Lua scripting
Date: Sat, 16 Jun 2018 16:00:41 +0200

On Thu, Jun 14, 2018 at 02:10:27PM +0100, Chris Lamb wrote:
> Chris Lamb wrote:
> 
> > > redis: multiple security issues in Lua scripting
> > 
> > This has now been assigned CVE-2018-11219 & CVE-2018-11218.
> 
> Security team, permission to upload the attached to
> stretch-security?
> 
>   redis (3:3.2.6-3+deb9u1) stretch-security; urgency=high
> 
>     * CVE-2018-11218, CVE-2018-11219: Backport patches to fix multiple heap
>       corruption and integer overflow vulnerabilities. (Closes: #901495)

That looks fine. Please upload (with -sa as redis is new in stretch-security).

For future updates please include the git commit IDs to debian/patches and
add some context where changes were omitted compared to upstream, it makes
it much easier to review changes.

E.g. compared to the fix from the upstream 3.2 branch,
0012-Security-update-Lua-struct-package-for-security.patch misses
a few changes, but they seem like unrelated refactoring.

Did you have a chance to test this? I should be able to test this on a few
live Redis servers, but that would take a few days, so it would be helpful
to know which tests you've done so far.

Also, the Lua code copies are missing in the data/embedded-code-copies
file in the Security Tracker. deps/README.md states

**lua** is Lua 5.1 with minor changes for security and additional libraries.

so I'm wondering if we can fix Redis for buster to use the system copy
of Lua? Ideally we could upstream the changes made by antirez (or ideally
he'd do that himself)?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#901495; Package redis. (Sat, 16 Jun 2018 15:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. (Sat, 16 Jun 2018 15:12:03 GMT) (full text, mbox, link).


Message #42 received at 901495@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 901495@bugs.debian.org, team@security.debian.org
Subject: Re: redis: multiple security issues in Lua scripting
Date: Sat, 16 Jun 2018 16:09:04 +0100

Hi Moritz,

> For future updates please include the git commit IDs to debian/patches

Sure. I've added commit IDs to the files in debian/patches and
uploaded redis_3.2.6-3+deb9u1_amd64.changes with those — and no
other! — changes.

> E.g. compared to the fix from the upstream 3.2 branch,
> 0012-Security-update-Lua-struct-package-for-security.patch misses
> a few changes, but they seem like unrelated refactoring.

Indeed; I needed to drop the removal of the lua_State argument as that
would have made it FTBFS.

> Did you have a chance to test this? I should be able to test this on a few
> live Redis servers, but that would take a few days, so it would be helpful
> to know which tests you've done so far.

I've tested using the upstream testsuite, the linked PoC, and a few
random/manual tests of my own using "redis-cli".

> Also, the Lua code copies are missing in the data/embedded-code-copies
> file in the Security Tracker.

Added in:

  https://salsa.debian.org/security-tracker-team/security-tracker/commit/e0c6313b9728dc81f833eae29ac9e5124b4c6eb5

> I'm wondering if we can fix Redis for buster to use the system copy
> of Lua?

Good idea. Filed as #901669.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#901495; Package redis. (Sun, 17 Jun 2018 16:36:02 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Sun, 17 Jun 2018 16:36:02 GMT) (full text, mbox, link).


Message #47 received at 901495@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Chris Lamb <lamby@debian.org>
Cc: 901495@bugs.debian.org, team@security.debian.org
Subject: Re: redis: multiple security issues in Lua scripting
Date: Sun, 17 Jun 2018 18:32:21 +0200

On Sat, Jun 16, 2018 at 04:09:04PM +0100, Chris Lamb wrote:
> Hi Moritz,
> 
> > For future updates please include the git commit IDs to debian/patches
> 
> Sure. I've added commit IDs to the files in debian/patches and
> uploaded redis_3.2.6-3+deb9u1_amd64.changes with those — and no
> other! — changes.

Released as DSA 4230.

> > I'm wondering if we can fix Redis for buster to use the system copy
> > of Lua?
> 
> Good idea. Filed as #901669.

Ack, thanks.

Cheers,
        Moritz



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Sun, 24 Jun 2018 16:21:18 GMT) (full text, mbox, link).


Notification sent to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer. (Sun, 24 Jun 2018 16:21:18 GMT) (full text, mbox, link).


Message #52 received at 901495-close@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: 901495-close@bugs.debian.org
Subject: Bug#901495: fixed in redis 3:3.2.6-3+deb9u1
Date: Sun, 24 Jun 2018 16:20:06 +0000
Source: redis
Source-Version: 3:3.2.6-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901495@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 14 Jun 2018 15:08:27 +0200
Source: redis
Binary: redis-server redis-tools redis-sentinel
Architecture: source amd64
Version: 3:3.2.6-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 redis-sentinel - Persistent key-value database with network interface (monitoring)
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 901495
Changes:
 redis (3:3.2.6-3+deb9u1) stretch-security; urgency=high
 .
   * CVE-2018-11218, CVE-2018-11219: Backport patches to fix multiple heap
     corruption and integer overflow vulnerabilities. (Closes: #901495)




Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Sun, 24 Jun 2018 16:21:20 GMT) (full text, mbox, link).


Notification sent to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer. (Sun, 24 Jun 2018 16:21:21 GMT) (full text, mbox, link).


Message #57 received at 901495-close@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: 901495-close@bugs.debian.org
Subject: Bug#901495: fixed in redis 3:3.2.6-3+deb9u2
Date: Sun, 24 Jun 2018 16:20:13 +0000
Source: redis
Source-Version: 3:3.2.6-3+deb9u2

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901495@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 18 Jun 2018 19:12:58 +0200
Source: redis
Binary: redis-server redis-tools redis-sentinel
Built-For-Profiles: nocheck
Architecture: source amd64
Version: 3:3.2.6-3+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 redis-sentinel - Persistent key-value database with network interface (monitoring)
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 850534 880474 901495
Changes:
 redis (3:3.2.6-3+deb9u2) stretch; urgency=medium
 .
   * Correct RunTimeDirectory -> RuntimeDirectory typo in systemd .service
     files. (Closes: #850534, #880474)
 .
 redis (3:3.2.6-3+deb9u1) stretch-security; urgency=high
 .
   * CVE-2018-11218, CVE-2018-11219: Backport patches to fix multiple heap
     corruption and integer overflow vulnerabilities. (Closes: #901495)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 20 Jan 2019 07:29:40 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:36:51 2019; Machine Name: beach
