redis: CVE-2021-21309

Debian Bug report logs - #983446

Package: redis; Maintainer for redis is Chris Lamb <lamby@debian.org>; Source for redis is src:redis (PTS, buildd, popcon).

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Wed, 24 Feb 2021 10:51:02 UTC

Severity: grave

Tags: security

Found in versions 3:3.2.6-3+deb9u3, redis/5:6.0.10-4

Fixed in versions redis/5:6.2.0-1, redis/5:6.0.11-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Chris Lamb <lamby@debian.org>:
Bug#983446; Package redis. (Wed, 24 Feb 2021 10:51:04 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Chris Lamb <lamby@debian.org>. (Wed, 24 Feb 2021 10:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: redis: CVE-2021-21309
Date: Wed, 24 Feb 2021 10:44:53 +0000
Package: redis
Version: 3:3.2.6-3+deb9u3
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for redis.

CVE-2021-21309:
https://groups.google.com/g/redis-db/c/fV7cI3GSgoQ/m/ocwV-MlzAgAJ

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21309
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21309


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 24 Feb 2021 11:09:07 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Wed, 24 Feb 2021 11:09:07 GMT)


Message #10 received at 983446-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 983446-close@bugs.debian.org
Subject: Bug#983446: fixed in redis 5:6.2.0-1
Date: Wed, 24 Feb 2021 11:04:08 +0000
Source: redis
Source-Version: 5:6.2.0-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 983446@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 24 Feb 2021 10:52:50 +0000
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:6.2.0-1
Distribution: experimental
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 983446
Changes:
 redis (5:6.2.0-1) experimental; urgency=medium
 .
   * New upstream release, incorporating some security fixes. (Closes: 983446)
   * Refresh patches.





Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#983446; Package redis. (Wed, 24 Feb 2021 11:21:03 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Wed, 24 Feb 2021 11:21:03 GMT)


Message #15 received at 983446@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: 983446@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#983446: redis: CVE-2021-21309
Date: Wed, 24 Feb 2021 11:17:55 +0000
Chris Lamb wrote:

> Package: redis
> Version: 3:3.2.6-3+deb9u3
[..]
> CVE-2021-21309:
> https://groups.google.com/g/redis-db/c/fV7cI3GSgoQ/m/ocwV-MlzAgAJ

Security team, would you like an upload to stretch-security or should
this go via s-p-u? I mention that option specifically as the s-p-u route
might permit us to go from 5.0.3 → 5.0.11, fixing a number of other
fairly high priority bugs as well.


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 24 Feb 2021 11:36:02 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Wed, 24 Feb 2021 11:36:03 GMT)


Message #20 received at 983446-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 983446-close@bugs.debian.org
Subject: Bug#983446: fixed in redis 5:6.0.11-1
Date: Wed, 24 Feb 2021 11:33:48 +0000
Source: redis
Source-Version: 5:6.0.11-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 983446@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 24 Feb 2021 11:05:06 +0000
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:6.0.11-1
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 983446
Changes:
 redis (5:6.0.11-1) unstable; urgency=medium
 .
   * New upstream release, incorporating security issues. (Closes: #983446)
     - Refresh patches.





Marked as found in versions redis/5:6.0.10-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 24 Feb 2021 11:42:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#983446; Package redis. (Wed, 24 Feb 2021 18:03:02 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Wed, 24 Feb 2021 18:03:02 GMT)


Message #27 received at 983446@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Chris Lamb <lamby@debian.org>
Cc: 983446@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#983446: redis: CVE-2021-21309
Date: Wed, 24 Feb 2021 18:59:24 +0100
On Wed, Feb 24, 2021 at 11:17:55AM +0000, Chris Lamb wrote:
> Chris Lamb wrote:
> 
> > Package: redis
> > Version: 3:3.2.6-3+deb9u3
> [..]
> > CVE-2021-21309:
> > https://groups.google.com/g/redis-db/c/fV7cI3GSgoQ/m/ocwV-MlzAgAJ
> 
> Security team, would you like an upload to stretch-security or should
> this go via s-p-u? I mention that option specifically as the s-p-u route
> might permit us to go from 5.0.3 → 5.0.11, fixing a number of other
> fairly high priority bugs as well.

Hi Chris,
given that this only affects 32-bit archs and only with an inherently insecure
setup (opening up the default bulk size to such high values might impact all
kinds of stability / availability I guess) I don't think this needs a DSA.
So s-p-u or piggybacking with the next DSA seems fine to me.

Cheers,
        Moritz
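Moritz's assessment turns on two conditions: a 32-bit build and a bulk-size limit raised far above its default. As an added example (not part of this bug log, of Debian's packaging, or of Redis itself), here is a small Python audit helper that parses a redis.conf fragment and flags that combination. The directive name proto-max-bulk-len, its 512mb default and the unit suffixes are real Redis configuration; the 2 GiB threshold, the host-bitness helper and the sample configs are assumptions constructed for the example.

```python
import re
import sys

# Unit multipliers accepted by Redis memory directives (case-insensitive).
UNITS = {
    "": 1, "b": 1,
    "k": 10**3, "kb": 2**10,
    "m": 10**6, "mb": 2**20,
    "g": 10**9, "gb": 2**30,
}

DEFAULT_BULK_LEN = 512 * 2**20   # Redis default for proto-max-bulk-len: 512mb
INT32_MAX = 2**31 - 1            # assumed threshold for the 32-bit case

def parse_memory(value: str) -> int:
    """Convert a Redis memory value such as '512mb' or '2gb' to bytes."""
    m = re.fullmatch(r"(\d+)([a-zA-Z]*)", value.strip())
    if not m or m.group(2).lower() not in UNITS:
        raise ValueError(f"not a Redis memory value: {value!r}")
    number, unit = m.groups()
    return int(number) * UNITS[unit.lower()]

def effective_bulk_len(conf_text: str) -> int:
    """Return proto-max-bulk-len in bytes; as in Redis, the last directive wins."""
    result = DEFAULT_BULK_LEN
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # full-line comments only
            continue
        parts = line.split()
        if parts[0].lower() == "proto-max-bulk-len" and len(parts) == 2:
            result = parse_memory(parts[1])
    return result

def host_pointer_bits() -> int:
    """Best-effort bitness of the interpreter's host (assumed to match redis-server)."""
    return 64 if sys.maxsize > 2**32 else 32

def audit(conf_text: str, pointer_bits: int) -> dict:
    """Report whether the config meets the conditions Moritz describes above."""
    bulk = effective_bulk_len(conf_text)
    exposed = pointer_bits == 32 and bulk >= INT32_MAX
    return {"bulk_len": bulk, "pointer_bits": pointer_bits, "exposed": exposed}

# Constructed sample configs; not taken from any real deployment.
SAFE_CONF = "proto-max-bulk-len 512mb\n"
RISKY_CONF = "# raised for a bulk-loading job\nproto-max-bulk-len 4gb\n"

if __name__ == "__main__":
    for name, conf in (("safe", SAFE_CONF), ("risky", RISKY_CONF)):
        print(name, audit(conf, host_pointer_bits()))
```

A 64-bit host never trips the flag, which matches the reasoning in the thread for not issuing a DSA; the check is only meaningful against the bitness of the redis-server binary actually deployed.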





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Feb 25 08:03:36 2021; Machine Name: bembo
