Debian Bug report logs -
#901495
redis: multiple security issues in Lua scripting (CVE-2018-11218 CVE-2018-11219)
Reported by: Chris Lamb <lamby@debian.org>
Date: Thu, 14 Jun 2018 06:33:01 UTC
Severity: grave
Tags: security
Found in version 3:3.2.6-1
Fixed in versions redis/5:4.0.10-1, redis/3:3.2.6-3+deb9u1, redis/3:3.2.6-3+deb9u2
Done: Chris Lamb <lamby@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org: Bug#901495; Package redis. (Thu, 14 Jun 2018 06:33:03 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org. (Thu, 14 Jun 2018 06:33:03 GMT)
Message #5 received at submit@bugs.debian.org:
Package: redis
Version: 3:3.2.6-1
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
From https://github.com/antirez/redis/issues/5017:
> The Apple Security Team, together with Alibaba and myself,
> identified several security issues in the Lua script engine. The full
> report is here: <http://antirez.com/news/119>
No CVE has (yet) been assigned:
https://github.com/antirez/redis/issues/5017#issuecomment-397038992
Version tagged >= 3:3.2.6-1 due to stretch having Lua support but
wheezy (2.8.17) does not.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Reply sent to Chris Lamb <lamby@debian.org>: You have taken responsibility. (Thu, 14 Jun 2018 06:54:06 GMT)
Notification sent to Chris Lamb <lamby@debian.org>: Bug acknowledged by developer. (Thu, 14 Jun 2018 06:54:06 GMT)
Message #10 received at 901495-close@bugs.debian.org:
Source: redis
Source-Version: 5:4.0.10-1
We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 901495@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 14 Jun 2018 08:37:09 +0200
Source: redis
Binary: redis redis-sentinel redis-server redis-tools
Built-For-Profiles: nocheck
Architecture: source amd64 all
Version: 5:4.0.10-1
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
redis - Persistent key-value database with network interface (metapackage
redis-sentinel - Persistent key-value database with network interface (monitoring)
redis-server - Persistent key-value database with network interface
redis-tools - Persistent key-value database with network interface (client)
Closes: 901495
Changes:
redis (5:4.0.10-1) unstable; urgency=medium
.
* New upstream security release. See:
<https://github.com/antirez/redis/issues/5017> for more information.
(Closes: #901495)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#901495; Package redis. (Thu, 14 Jun 2018 12:30:03 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. (Thu, 14 Jun 2018 12:30:03 GMT)
Message #15 received at 901495@bugs.debian.org:
Hi,
> redis: multiple security issues in Lua scripting
This has now been assigned CVE-2018-11219 & CVE-2018-11218.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#901495; Package redis. (Thu, 14 Jun 2018 13:15:05 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. (Thu, 14 Jun 2018 13:15:05 GMT)
Message #20 received at 901495@bugs.debian.org:
Chris Lamb wrote:
> > redis: multiple security issues in Lua scripting
>
> This has now been assigned CVE-2018-11219 & CVE-2018-11218.
Security team, permission to upload the attached to
stretch-security?
redis (3:3.2.6-3+deb9u1) stretch-security; urgency=high
* CVE-2018-11218, CVE-2018-11219: Backport patches to fix multiple heap
corruption and integer overflow vulnerabilities. (Closes: #901495)
-- Chris Lamb <lamby@debian.org> Thu, 14 Jun 2018 15:08:27 +0200
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
[901495.diff.txt (text/plain, attachment)]
Changed Bug title to 'redis: multiple security issues in Lua scripting (CVE-2018-11218 CVE-2018-11219)' from 'redis: multiple security issues in Lua scripting'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Jun 2018 17:42:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#901495; Package redis. (Sat, 16 Jun 2018 07:18:03 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. (Sat, 16 Jun 2018 07:18:03 GMT)
Message #27 received at 901495@bugs.debian.org:
Chris Lamb wrote:
> Security team, permission to upload the attached to
> stretch-security?
>
> redis (3:3.2.6-3+deb9u1) stretch-security; urgency=high
>
> * CVE-2018-11218, CVE-2018-11219: Backport patches to fix multiple heap
> corruption and integer overflow vulnerabilities. (Closes: #901495)
>
> -- Chris Lamb <lamby@debian.org> Thu, 14 Jun 2018 15:08:27 +0200
Gentle ping on the above? :-)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#901495; Package redis. (Sat, 16 Jun 2018 08:45:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Sat, 16 Jun 2018 08:45:03 GMT)
Message #32 received at 901495@bugs.debian.org:
On Sat, Jun 16, 2018 at 08:14:08AM +0100, Chris Lamb wrote:
> Chris Lamb wrote:
>
> > Security team, permission to upload the attached to
> > stretch-security?
> >
> > redis (3:3.2.6-3+deb9u1) stretch-security; urgency=high
> >
> > * CVE-2018-11218, CVE-2018-11219: Backport patches to fix multiple heap
> > corruption and integer overflow vulnerabilities. (Closes: #901495)
> >
> > -- Chris Lamb <lamby@debian.org> Thu, 14 Jun 2018 15:08:27 +0200
>
> Gentle ping on the above? :-)
I'm flying later in the day and will review then.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#901495; Package redis. (Sat, 16 Jun 2018 14:03:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Sat, 16 Jun 2018 14:03:03 GMT)
Message #37 received at 901495@bugs.debian.org:
On Thu, Jun 14, 2018 at 02:10:27PM +0100, Chris Lamb wrote:
> Chris Lamb wrote:
>
> > > redis: multiple security issues in Lua scripting
> >
> > This has now been assigned CVE-2018-11219 & CVE-2018-11218.
>
> Security team, permission to upload the attached to
> stretch-security?
>
> redis (3:3.2.6-3+deb9u1) stretch-security; urgency=high
>
> * CVE-2018-11218, CVE-2018-11219: Backport patches to fix multiple heap
> corruption and integer overflow vulnerabilities. (Closes: #901495)
That looks fine. Please upload (with -sa as redis is new in stretch-security).
For future updates please include the git commit IDs to debian/patches and
add some context where changes were omitted compared to upstream, it makes
it much easier to review changes.
E.g. compared to the fix from the upstream 3.2 branch,
0012-Security-update-Lua-struct-package-for-security.patch misses
a few changes, but they seem like unrelated refactoring.
Did you have a chance to test this? I should be able to test this on a few
live Redis servers, but that would take a few days, so it would be helpful
to know which tests you've done so far.
Also, the Lua code copies are missing in the data/embedded-code-copies
file in the Security Tracker. deps/README.md states
**lua** is Lua 5.1 with minor changes for security and additional libraries.
so I'm wondering whether we can fix Redis for buster to use the system copy
of Lua? Ideally we could upstream the changes made by antirez (or ideally
he'd do that himself)?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#901495; Package redis. (Sat, 16 Jun 2018 15:12:03 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. (Sat, 16 Jun 2018 15:12:03 GMT)
Message #42 received at 901495@bugs.debian.org:
Hi Moritz,
> For future updates please include the git commit IDs to debian/patches
Sure. I've added commit IDs to the files in debian/patches and
uploaded redis_3.2.6-3+deb9u1_amd64.changes with those — and no
other! — changes.
> E.g. compared to the fix from the upstream 3.2 branch,
> 0012-Security-update-Lua-struct-package-for-security.patch misses
> a few changes, but they seem like unrelated refactoring.
Indeed; I needed to drop the removal of the lua_State argument as that
would have made it FTBFS.
> Did you have a chance to test this? I should be able to test this on a few
> live Redis servers, but that would take a few days, so it would be helpful
> to know which tests you've done so far.
I've tested using the upstream testsuite, the linked PoC, and a few
random/manual tests of my own using "redis-cli".
> Also, the Lua code copies are missing in the data/embedded-code-copies
> file in the Security Tracker.
Added in:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e0c6313b9728dc81f833eae29ac9e5124b4c6eb5
> I'm wondering whether we can fix Redis for buster to use the system copy
> of Lua?
Good idea. Filed as #901669.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>: Bug#901495; Package redis. (Sun, 17 Jun 2018 16:36:02 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Sun, 17 Jun 2018 16:36:02 GMT)
Message #47 received at 901495@bugs.debian.org:
On Sat, Jun 16, 2018 at 04:09:04PM +0100, Chris Lamb wrote:
> Hi Moritz,
>
> > For future updates please include the git commit IDs to debian/patches
>
> Sure. I've added commit IDs to the files in debian/patches and
> uploaded redis_3.2.6-3+deb9u1_amd64.changes with those — and no
> other! — changes.
Released as DSA 4230.
> > I'm wondering whether we can fix Redis for buster to use the system copy
> > of Lua?
>
> Good idea. Filed as #901669.
Ack, thanks.
Cheers,
Moritz
Reply sent to Chris Lamb <lamby@debian.org>: You have taken responsibility. (Sun, 24 Jun 2018 16:21:18 GMT)
Notification sent to Chris Lamb <lamby@debian.org>: Bug acknowledged by developer. (Sun, 24 Jun 2018 16:21:18 GMT)
Message #52 received at 901495-close@bugs.debian.org:
Source: redis
Source-Version: 3:3.2.6-3+deb9u1
We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 901495@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 14 Jun 2018 15:08:27 +0200
Source: redis
Binary: redis-server redis-tools redis-sentinel
Architecture: source amd64
Version: 3:3.2.6-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
redis-sentinel - Persistent key-value database with network interface (monitoring)
redis-server - Persistent key-value database with network interface
redis-tools - Persistent key-value database with network interface (client)
Closes: 901495
Changes:
redis (3:3.2.6-3+deb9u1) stretch-security; urgency=high
.
* CVE-2018-11218, CVE-2018-11219: Backport patches to fix multiple heap
corruption and integer overflow vulnerabilities. (Closes: #901495)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Reply sent to Chris Lamb <lamby@debian.org>: You have taken responsibility. (Sun, 24 Jun 2018 16:21:20 GMT)
Notification sent to Chris Lamb <lamby@debian.org>: Bug acknowledged by developer. (Sun, 24 Jun 2018 16:21:21 GMT)
Message #57 received at 901495-close@bugs.debian.org:
Source: redis
Source-Version: 3:3.2.6-3+deb9u2
We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 901495@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 18 Jun 2018 19:12:58 +0200
Source: redis
Binary: redis-server redis-tools redis-sentinel
Built-For-Profiles: nocheck
Architecture: source amd64
Version: 3:3.2.6-3+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
redis-sentinel - Persistent key-value database with network interface (monitoring)
redis-server - Persistent key-value database with network interface
redis-tools - Persistent key-value database with network interface (client)
Closes: 850534 880474 901495
Changes:
redis (3:3.2.6-3+deb9u2) stretch; urgency=medium
.
* Correct RunTimeDirectory -> RuntimeDirectory typo in systemd .service
files. (Closes: #850534, #880474)
.
redis (3:3.2.6-3+deb9u1) stretch-security; urgency=high
.
* CVE-2018-11218, CVE-2018-11219: Backport patches to fix multiple heap
corruption and integer overflow vulnerabilities. (Closes: #901495)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 20 Jan 2019 07:29:40 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 14:36:51 2019