redis: CVE-2023-41056

Related Vulnerabilities: CVE-2023-41056  

Debian Bug report logs - #1060316

Package: redis; Maintainer for redis is Chris Lamb <lamby@debian.org>; Source for redis is src:redis.

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Tue, 9 Jan 2024 13:45:04 UTC

Severity: grave

Tags: security, upstream

Found in versions redis/5:7.0.14-2, redis/5:6.0.16-1+deb11u2

Fixed in versions redis/5:7.0.15-1, redis/5:7.2.4-1

Done: Chris Lamb <lamby@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Chris Lamb <lamby@debian.org>:
Bug#1060316; Package redis. (Tue, 09 Jan 2024 13:45:06 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Chris Lamb <lamby@debian.org>. (Tue, 09 Jan 2024 13:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: redis: CVE-2023-41056
Date: Tue, 09 Jan 2024 13:42:09 +0000
Package: redis
Version: 5:6.0.16-1+deb11u2
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for redis.

CVE-2023-41056[0]:
Buffer overflow in certain payloads may lead to remote code execution

Info just unembargoed, so links may take some time to update.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41056
    https://www.cve.org/CVERecord?id=CVE-2023-41056


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Marked as found in versions redis/5:7.0.14-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 09 Jan 2024 13:57:02 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 09 Jan 2024 13:57:02 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 09 Jan 2024 14:57:08 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 09 Jan 2024 14:57:08 GMT)


Message #14 received at 1060316-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1060316-close@bugs.debian.org
Subject: Bug#1060316: fixed in redis 5:7.0.15-1
Date: Tue, 09 Jan 2024 14:55:20 +0000
Source: redis
Source-Version: 5:7.0.15-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1060316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 09 Jan 2024 13:42:30 +0000
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.15-1
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1060316
Changes:
 redis (5:7.0.15-1) unstable; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2023-41056: In some cases, Redis may incorrectly handle resizing of
       memory buffers which can result in incorrect accounting of buffer sizes
       and lead to heap overflow and potential remote code execution.
       (Closes: #1060316)
 .
     - For more information, please see:
       <https://raw.githubusercontent.com/redis/redis/7.2/00-RELEASENOTES>
 .
   * Refresh patches.





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 09 Jan 2024 15:09:09 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 09 Jan 2024 15:09:09 GMT)


Message #19 received at 1060316-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1060316-close@bugs.debian.org
Subject: Bug#1060316: fixed in redis 5:7.2.4-1
Date: Tue, 09 Jan 2024 15:06:18 +0000
Source: redis
Source-Version: 5:7.2.4-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1060316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 09 Jan 2024 14:29:59 +0000
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.2.4-1
Distribution: experimental
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1060316
Changes:
 redis (5:7.2.4-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2023-41056: In some cases, Redis may incorrectly handle resizing of
       memory buffers which can result in incorrect accounting of buffer sizes
       and lead to heap overflow and potential remote code execution.  (Closes:
       #1060316)
 .
     - For more information, please see:
       <https://raw.githubusercontent.com/redis/redis/7.2/00-RELEASENOTES>
 .
   * Refresh patches.





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jan 10 08:20:23 2024; Machine Name: buxtehude
