Debian Bug report logs - #878076
redis: CVE-2017-15047: Insufficient input validation in the clusterLoadConfig function


Package: src:redis; Maintainer for src:redis is Chris Lamb <lamby@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 9 Oct 2017 15:21:01 UTC

Severity: normal

Tags: security, upstream

Found in version redis/3:3.2.6-1

Fixed in versions redis/4:4.0.2-4, redis/4:4.0.2-5

Done: Chris Lamb <lamby@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/antirez/redis/issues/4278



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Chris Lamb <lamby@debian.org>:
Bug#878076; Package src:redis. (Mon, 09 Oct 2017 15:21:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Chris Lamb <lamby@debian.org>. (Mon, 09 Oct 2017 15:21:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: redis: CVE-2017-15047: Insufficient input validation in the clusterLoadConfig function
Date: Mon, 09 Oct 2017 17:19:24 +0200
Source: redis
Version: 3:3.2.6-1
Severity: normal
Tags: upstream security
Forwarded: https://github.com/antirez/redis/issues/4278

Hi,

the following vulnerability was published for redis.

CVE-2017-15047[0]:
| The clusterLoadConfig function in cluster.c in Redis 4.0.2 allows
| attackers to cause a denial of service (out-of-bounds array index and
| application crash) or possibly have unspecified other impact by
| leveraging "limited access to the machine."

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15047
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15047
[1] https://github.com/antirez/redis/issues/4278

Regards,
Salvatore



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Mon, 30 Oct 2017 11:09:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 30 Oct 2017 11:09:05 GMT)


Message #10 received at 878076-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 878076-close@bugs.debian.org
Subject: Bug#878076: fixed in redis 4:4.0.2-4
Date: Mon, 30 Oct 2017 11:05:49 +0000
Source: redis
Source-Version: 4:4.0.2-4

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 30 Oct 2017 10:32:04 +0000
Source: redis
Binary: redis-server redis-tools redis-sentinel
Built-For-Profiles: nocheck
Architecture: source amd64
Version: 4:4.0.2-4
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 redis-sentinel - Persistent key-value database with network interface (monitoring)
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 878076
Changes:
 redis (4:4.0.2-4) unstable; urgency=medium
 .
   * CVE-2017-15047: Add input validity checking to redis cluster config slot
     numbers. (Closes: #878076)
   * Drop debian/bin/generate-parts script now we aren't calling it.
   * Correct Bash-esque in NEWS.
   * Upstream are not providing signed tarballs, so ignore the
     "debian-watch-may-check-gpg-signature" Lintian tag.
   * Drop trailing whitespace in debian/changelog.
   * Use HTTPS URI in debian/watch.
Checksums-Sha1:
 7b9fef71d22dae3f5f1e56e00794f10e34390c3a 2014 redis_4.0.2-4.dsc
 3c501d6bf39abcb55460aaec1ed8ab7bfb3878b5 21964 redis_4.0.2-4.debian.tar.xz
 f923352a68fb32f147f1d8aacba35e43dca9364d 57512 redis-sentinel_4.0.2-4_amd64.deb
 9893e74356996404ab502f599867ea559cb9dd6e 83648 redis-server_4.0.2-4_amd64.deb
 5f898184f01c3007b6a7700d0a4dadba7f5f8527 1419352 redis-tools-dbgsym_4.0.2-4_amd64.deb
 d06efc97a2a5df49a9e525a69c7c06b7183fbacf 555176 redis-tools_4.0.2-4_amd64.deb
 37e9aa65587f57ae5294d12272aaca555524a402 6108 redis_4.0.2-4_amd64.buildinfo
Checksums-Sha256:
 9ec1e245d10c8f62ba5fc2760722dd831493b28a505db0722d6a0cd59d67004d 2014 redis_4.0.2-4.dsc
 438feefd0430eb3c8dd0a3ff2fdcabd60ef7a0e86823330cf610c431ae73a821 21964 redis_4.0.2-4.debian.tar.xz
 483a1277a9f5526a41786b23251f91694682c84571c9cf96422070ff5554afce 57512 redis-sentinel_4.0.2-4_amd64.deb
 bfe915d81c18c8ff69a40a01deef2be60729ea5e6986a18eba5a727870abd51b 83648 redis-server_4.0.2-4_amd64.deb
 a7bfa06428a4da4788f7f7fb5077ff76417eae784e29a9b6491ad400da0424c0 1419352 redis-tools-dbgsym_4.0.2-4_amd64.deb
 8f71077e0507d2bf837768b24cd6026b43fdcd399f7cb1e153417e2abf2bec98 555176 redis-tools_4.0.2-4_amd64.deb
 6c31b6132e65360a7f49ce4cdd1c360c0c474c20b5ec73d5481aa00ebe2fcf3b 6108 redis_4.0.2-4_amd64.buildinfo
Files:
 c29efb10b5d98644914ec272822a791d 2014 database optional redis_4.0.2-4.dsc
 334cfa05f09eb406cf875b0a8ffa10d6 21964 database optional redis_4.0.2-4.debian.tar.xz
 fd6c339835fcfa242ae28d95cfe29c0e 57512 database optional redis-sentinel_4.0.2-4_amd64.deb
 1908e5f6856329a1689df77e43b452b2 83648 database optional redis-server_4.0.2-4_amd64.deb
 d4609d1319840be7eecd8d1127304edb 1419352 debug optional redis-tools-dbgsym_4.0.2-4_amd64.deb
 b971a08e18907e0e63354ae860c0273a 555176 database optional redis-tools_4.0.2-4_amd64.deb
 5edcb2408dc9a81543dde70751475dc8 6108 database optional redis_4.0.2-4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
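The CVE description in the original report and the changelog entry in this upload describe the same defect: slot numbers read from the cluster configuration file were used as array indices without being checked against the slot count. The following is an added example, written for this page; it is neither Redis's own `clusterLoadConfig` code nor the Debian patch. It assumes Redis's hash-slot count of 16384 and a token syntax modelled on the slot fields of Redis's nodes.conf (`N`, `A-B`, and the bracketed `[N->-nodeid]` / `[N-<-nodeid]` migrating and importing markers); the type and function names are the example's own. The point it demonstrates is the defensive shape of the fix: validate every token, reject the whole line on the first bad one, and only then touch the slot table.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Redis hash-slot count (assumed from Redis's CLUSTER_SLOTS); every slot
 * index used to address a slot array must lie in [0, CLUSTER_SLOTS-1]. */
#define CLUSTER_SLOTS 16384

/* Bitmap of the slots assigned by one configuration line (example type). */
typedef struct {
    unsigned char bits[CLUSTER_SLOTS / 8];
} slot_bitmap;

void slot_bitmap_clear(slot_bitmap *bm) { memset(bm, 0, sizeof *bm); }

/* Parse exactly `len` decimal digits as a slot number. Rejects empty input,
 * non-digits (so a leading '-' never yields a negative index) and any value
 * >= CLUSTER_SLOTS, so a caller can never obtain an out-of-bounds index. */
static bool parse_slot(const char *s, size_t len, int *out) {
    if (len == 0 || len > 5) return false;  /* 16383 has five digits; longer is junk */
    long v = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] < '0' || s[i] > '9') return false;
        v = v * 10 + (s[i] - '0');
    }
    if (v >= CLUSTER_SLOTS) return false;
    *out = (int)v;
    return true;
}

/* Parse one slot token. Plain tokens are "N" or "A-B"; bracketed tokens
 * "[N->-nodeid]" / "[N-<-nodeid]" are migrating/importing markers (format
 * assumed from nodes.conf) whose slot is validated but not assigned.
 * On success *start..*stop is the range to assign (ignored for markers). */
static bool parse_slot_token(const char *tok, int *start, int *stop, bool *is_marker) {
    size_t len = strlen(tok);
    *is_marker = false;
    if (tok[0] == '[') {
        const char *arrow = strstr(tok, "->-");
        if (arrow == NULL) arrow = strstr(tok, "-<-");
        if (arrow == NULL || tok[len - 1] != ']') return false;
        *is_marker = true;
        if (!parse_slot(tok + 1, (size_t)(arrow - tok - 1), start)) return false;
        *stop = *start;
        return true;
    }
    const char *dash = strchr(tok, '-');
    if (dash == NULL) {
        if (!parse_slot(tok, len, start)) return false;
        *stop = *start;
        return true;
    }
    size_t a = (size_t)(dash - tok);
    if (!parse_slot(tok, a, start)) return false;
    if (!parse_slot(dash + 1, len - a - 1, stop)) return false;
    return *start <= *stop;  /* reversed ranges are malformed, not empty */
}

/* Validate and apply a whitespace-separated slot list. Returns the number of
 * slots newly assigned, or -1 if any token is malformed or out of range. The
 * caller's bitmap is left untouched on failure, so a bad line is rejected whole. */
int load_slot_list(const char *list, slot_bitmap *bm) {
    slot_bitmap tmp = *bm;
    int count = 0;
    const char *p = list;
    while (*p != '\0') {
        p += strspn(p, " \t\r\n");
        if (*p == '\0') break;
        size_t n = strcspn(p, " \t\r\n");
        char tok[64];
        if (n >= sizeof tok) return -1;  /* implausibly long token */
        memcpy(tok, p, n);
        tok[n] = '\0';
        int start, stop;
        bool marker;
        if (!parse_slot_token(tok, &start, &stop, &marker)) return -1;
        if (!marker) {
            for (int s = start; s <= stop; s++) {  /* s is already bounds-checked */
                unsigned char mask = (unsigned char)(1u << (s & 7));
                if ((tmp.bits[s >> 3] & mask) == 0) {
                    tmp.bits[s >> 3] |= mask;
                    count++;
                }
            }
        }
        p += n;
    }
    *bm = tmp;
    return count;
}

bool slot_is_set(const slot_bitmap *bm, int slot) {
    if (slot < 0 || slot >= CLUSTER_SLOTS) return false;
    return (bm->bits[slot >> 3] >> (slot & 7)) & 1u;
}

int main(void) {
    /* Constructed sample lines: one valid, one whose last slot is past the array end. */
    const char *good = "0-5460 5461 [5462->-0123abcd] 16383";
    const char *bad = "0-5460 16384";
    slot_bitmap bm;
    slot_bitmap_clear(&bm);
    printf("good line: %d slots assigned\n", load_slot_list(good, &bm));
    printf("bad line: %d (rejected)\n", load_slot_list(bad, &bm));
    return 0;
}
```

The unpatched behaviour the CVE describes corresponds to skipping the `v >= CLUSTER_SLOTS` test and the digit check: a line such as the `bad` sample would then index past the end of the slot array. Validating into a temporary bitmap and committing it only after the whole line parses is what makes the rejection atomic; a loader that updated the live table token by token would leave partial state behind on a malformed line.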




Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 31 Oct 2017 10:39:20 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 31 Oct 2017 10:39:20 GMT)


Message #15 received at 878076-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 878076-close@bugs.debian.org
Subject: Bug#878076: fixed in redis 4:4.0.2-5
Date: Tue, 31 Oct 2017 10:37:34 +0000
Source: redis
Source-Version: 4:4.0.2-5

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 31 Oct 2017 11:13:40 +0100
Source: redis
Binary: redis-server redis-tools redis-sentinel
Built-For-Profiles: nocheck
Architecture: source amd64
Version: 4:4.0.2-5
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 redis-sentinel - Persistent key-value database with network interface (monitoring)
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 878076
Changes:
 redis (4:4.0.2-5) unstable; urgency=medium
 .
   * CVE-2017-15047: Replace existing patch with upstream-blessed version that
     covers another case. (Closes: #878076)
Checksums-Sha1:
 40657338d54470a56a487d7658170c4a6034f021 2014 redis_4.0.2-5.dsc
 c63f8885e26b2f28ff8a31478b6a820f3e596798 22372 redis_4.0.2-5.debian.tar.xz
 7ef41862c287981798e7ee69e3101060042833a7 57568 redis-sentinel_4.0.2-5_amd64.deb
 5c1584a8a3bc34b94ec552374cdc9d656a58cc11 83688 redis-server_4.0.2-5_amd64.deb
 3b9cd491a2c42c8da06c69d707a96aec56eeead1 1419252 redis-tools-dbgsym_4.0.2-5_amd64.deb
 5910aa654694f4d87553b79bd9a08791a6767ddf 555140 redis-tools_4.0.2-5_amd64.deb
 b9920855f66cbafca09fd51e8b67c43658123ee5 6109 redis_4.0.2-5_amd64.buildinfo
Checksums-Sha256:
 6d6f9ed055796527dc9594935197f834af83ef030dea22ed0a2e99a6504096d1 2014 redis_4.0.2-5.dsc
 7967895bb077b98ff10fcef9572997f457852fbc79d50b129dca6d154133d205 22372 redis_4.0.2-5.debian.tar.xz
 dd66f6497b41853f82583838497ed9f4e95de929b4ca9a3f4edd298d8bd9f14b 57568 redis-sentinel_4.0.2-5_amd64.deb
 c5b32420a0de69a6cc33d8cb09c90ae1991aab3eba31029f7d72f135d2a2f4cf 83688 redis-server_4.0.2-5_amd64.deb
 d3bf625d16d24b81e52b74055beb827936cf07ea97abd8f48e26df01d5822f57 1419252 redis-tools-dbgsym_4.0.2-5_amd64.deb
 8041277701d574af9e540c0e8998d34279643f03e1eb293c6756c343ef439370 555140 redis-tools_4.0.2-5_amd64.deb
 fcb8e3e7cb927e90ca3537253faa7473760b002bfb7c0976ea792d80018cd461 6109 redis_4.0.2-5_amd64.buildinfo
Files:
 6534db49ef1cf1f9e55645d06d1bda18 2014 database optional redis_4.0.2-5.dsc
 75d80f349a48af82bb5b62a118414e5c 22372 database optional redis_4.0.2-5.debian.tar.xz
 510df0643edaefa7b808deab37dae961 57568 database optional redis-sentinel_4.0.2-5_amd64.deb
 fc06505b9c11f6c46086138b5b15347a 83688 database optional redis-server_4.0.2-5_amd64.deb
 5e7f444897b2e65aed2ae359eca6647e 1419252 debug optional redis-tools-dbgsym_4.0.2-5_amd64.deb
 edd9b0ec09549ce6915ff6d7a945d55d 555140 database optional redis-tools_4.0.2-5_amd64.deb
 240ffa166e90c19a8074d0e0f7b7ea4a 6109 database optional redis_4.0.2-5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 29 Nov 2017 07:30:13 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:41:58 2019; Machine Name: beach
