redis: CVE-2023-28856


Debian Bug report logs - #1034613
redis: CVE-2023-28856


Package: src:redis; Maintainer for src:redis is Chris Lamb <lamby@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 19 Apr 2023 19:27:01 UTC

Severity: important

Tags: security, upstream

Found in version redis/5:7.0.10-1

Fixed in version redis/5:7.0.11-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Chris Lamb <lamby@debian.org>:
Bug#1034613; Package src:redis. (Wed, 19 Apr 2023 19:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Chris Lamb <lamby@debian.org>. (Wed, 19 Apr 2023 19:27:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: redis: CVE-2023-28856
Date: Wed, 19 Apr 2023 21:23:49 +0200
Source: redis
Version: 5:7.0.10-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for redis.

CVE-2023-28856[0]:
| Redis is an open source, in-memory database that persists on disk.
| Authenticated users can use the `HINCRBYFLOAT` command to create an
| invalid hash field that will crash Redis on access in affected
| versions. This issue has been addressed in versions 7.0.11, 6.2.12,
| and 6.0.19. Users are advised to upgrade. There are no known
| workarounds for this issue.

Chris, this will likely be no-dsa I think; but still, for bookworm it
would be ideal to get the fix (via 7.0.11?) in.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28856
    https://www.cve.org/CVERecord?id=CVE-2023-28856
[1] https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
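As an added example (not part of this bug report, the Debian package or the Redis project), the script below turns the fixed versions quoted above (7.0.11, 6.2.12, 6.0.19) into a check a defender can run against `INFO server` output or a Debian package version string such as `5:7.0.10-1`. The `INFO` sample is constructed, not captured from a real host; the rule that branches older than 6.0 are treated as affected is an assumption, since they never received the fix.

```python
"""Check whether a Redis version is affected by CVE-2023-28856.

Upstream fixed the issue in 7.0.11, 6.2.12 and 6.0.19 (per the advisory
text in the bug report). Added example, not the project's own code.
"""
import re

# Fixed upstream versions per release branch, taken from the CVE text.
FIXED_BY_BRANCH = {
    (7, 0): (7, 0, 11),
    (6, 2): (6, 2, 12),
    (6, 0): (6, 0, 19),
}


def parse_version(text):
    """Extract an (x, y, z) tuple from a version string.

    Accepts plain upstream versions ("7.0.10"), Debian package versions with
    epoch and revision ("5:7.0.10-1"), and a `redis_version:` line copied
    from `INFO server` output.
    """
    m = re.search(r"(?:^|[:\s])(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """Return True if `version` is older than the fix for its branch.

    Branches newer than those listed (e.g. 7.2) were released after the fix
    and are reported as not affected. Branches older than 6.0 are reported
    as affected (assumption: they never received the fix).
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    return branch < (6, 0)


def check_info_output(info):
    """Parse `INFO server` output and return (version, affected)."""
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            ver = line.split(":", 1)[1].strip()
            return ver, is_affected(ver)
    raise ValueError("redis_version not found in INFO output")


# Constructed sample of `INFO server` output (not from a real host).
SAMPLE_INFO = """# Server
redis_version:7.0.10
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 6.1.0 x86_64
"""

if __name__ == "__main__":
    ver, affected = check_info_output(SAMPLE_INFO)
    print(f"redis {ver}: {'AFFECTED' if affected else 'fixed'}")
    for pkg in ("5:7.0.10-1", "5:7.0.11-1", "6.2.11", "6.0.19"):
        print(f"{pkg}: {'AFFECTED' if is_affected(pkg) else 'fixed'}")
```

One caveat when feeding it Debian package versions: Debian stable releases often backport a security fix without bumping the upstream version number, so a package version below the fixed upstream release is not proof that the binary is vulnerable. For those cases the security tracker entry linked in the report is the authoritative source.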



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Thu, 20 Apr 2023 07:06:07 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 20 Apr 2023 07:06:08 GMT) (full text, mbox, link).


Message #10 received at 1034613-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1034613-close@bugs.debian.org
Subject: Bug#1034613: fixed in redis 5:7.0.11-1
Date: Thu, 20 Apr 2023 07:04:17 +0000
Source: redis
Source-Version: 5:7.0.11-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034613@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 20 Apr 2023 07:38:23 +0100
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.11-1
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1034613
Changes:
 redis (5:7.0.11-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2023-28856: Authenticated users could have used the HINCRBYFLOAT
       command to create an invalid hash field that would have crashed the Redis
       server on access. (Closes: #1034613)
 .
     For more information, please see:
 .
       https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES
 .
   * Refresh patches.
Checksums-Sha1:
 d94c2d8dc15b77f081c9086c8c811bb72c6ef654 2273 redis_7.0.11-1.dsc
 237f95d762972fecb3318b114d068b5a9158fe01 3019850 redis_7.0.11.orig.tar.gz
 a700fc563038d3604368986446dd69ff88b33967 28392 redis_7.0.11-1.debian.tar.xz
 90a250d1d4fba6ea3633f500444084ec6549a344 7486 redis_7.0.11-1_amd64.buildinfo
Checksums-Sha256:
 a30ee551a0069b2632cfdac1713bf279c2c52b30e325a0adcd7782e28c0da085 2273 redis_7.0.11-1.dsc
 7f1941bfa7fa01e2fd167771ff22b8e46b1a6bb0707f01b3e6308d9770e44bf3 3019850 redis_7.0.11.orig.tar.gz
 eea78688fba6029dd59681e62b9c9175073bbc27fff7dfb36199d68d13d9feb1 28392 redis_7.0.11-1.debian.tar.xz
 762a1a36ff9a7a3bb4453dffe81d9d4d345e8494d4574b75f38f1c9831db0e36 7486 redis_7.0.11-1_amd64.buildinfo
Files:
 3644e9b7db8bed997ed813af90836630 2273 database optional redis_7.0.11-1.dsc
 4ca967a75be522846691100c453a90e2 3019850 database optional redis_7.0.11.orig.tar.gz
 e6cb0783c9c71db4c4216703ac0b49cb 28392 database optional redis_7.0.11-1.debian.tar.xz
 683e257b1ca8ae8443a6519e276291e9 7486 database optional redis_7.0.11-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 20 13:12:24 2023; Machine Name: buxtehude
