redis: CVE-2022-35951

Related Vulnerabilities: CVE-2022-35951  

Debian Bug report logs - #1020512
redis: CVE-2022-35951


Package: src:redis; Maintainer for src:redis is Chris Lamb <lamby@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 22 Sep 2022 14:03:02 UTC

Severity: grave

Tags: security, upstream

Found in version redis/5:7.0.4-1

Fixed in version redis/5:7.0.5-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Chris Lamb <lamby@debian.org>: Bug#1020512; Package src:redis. (Thu, 22 Sep 2022 14:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Chris Lamb <lamby@debian.org>. (Thu, 22 Sep 2022 14:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: redis: CVE-2022-35951
Date: Thu, 22 Sep 2022 16:00:16 +0200
Source: redis
Version: 5:7.0.4-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for redis.

CVE-2022-35951[0]:
| Fix heap overflow vulnerability in XAUTOCLAIM

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-35951
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35951
[1] https://github.com/redis/redis/commit/fa6815e14ea5adff93c5cd7be513c02a7c6e3f2a

Regards,
Salvatore



Reply sent to Chris Lamb <lamby@debian.org>: You have taken responsibility. (Fri, 23 Sep 2022 12:03:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 23 Sep 2022 12:03:03 GMT)


Message #10 received at 1020512-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1020512-close@bugs.debian.org
Subject: Bug#1020512: fixed in redis 5:7.0.5-1
Date: Fri, 23 Sep 2022 11:59:51 +0000
Source: redis
Source-Version: 5:7.0.5-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1020512@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 23 Sep 2022 11:12:24 +0100
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.5-1
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1020512
Changes:
 redis (5:7.0.5-1) unstable; urgency=medium
 .
   * New upstream security release:
     - CVE-2022-35951: Fix a heap overflow vulnerability in XAUTOCLAIM.
       Executing an XAUTOCLAIM command on a stream key in a specific state, with
       a specially crafted COUNT argument may have caused an integer overflow, a
       subsequent heap overflow and potentially lead to remote code execution.
       (Closes: #1020512)
   * Refresh patches.
   * Update debian/watch.




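The changelog entry above describes the bug class behind CVE-2022-35951: a user-supplied COUNT argument is multiplied to derive a heap allocation size, the multiplication wraps, and the undersized buffer is later overrun. The following is an added illustration of that class and of the bound check that prevents it; it is not Redis code, and the entry size (ID_SIZE), the multiplier (ATTEMPTS_FACTOR) and the function names are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for the illustration, not taken from Redis. */
#define ID_SIZE         UINT64_C(16)   /* bytes per entry written into the buffer */
#define ATTEMPTS_FACTOR INT64_C(10)    /* multiplier applied to COUNT */

/* Unchecked pattern: the byte count derived from COUNT can wrap to a small
 * value (even 0), so the allocation is far smaller than the number of
 * entries later stored in it. Returns the wrapped size so it can be checked. */
uint64_t unchecked_alloc_size(int64_t count) {
    return (uint64_t)count * ID_SIZE;
}

/* Hardened pattern: reject COUNT unless it is positive and every product
 * derived from it (count * ATTEMPTS_FACTOR, count * ID_SIZE) fits without
 * overflow. Only then is the allocation size computed. */
bool validate_count(int64_t count, uint64_t *out_bytes) {
    if (count < 1) return false;
    if (count > INT64_MAX / ATTEMPTS_FACTOR) return false;
    if ((uint64_t)count > UINT64_MAX / ID_SIZE) return false;
    *out_bytes = (uint64_t)count * ID_SIZE;
    return true;
}

int main(void) {
    /* Constructed input: 2^60 entries * 16 bytes wraps to exactly 0 bytes. */
    int64_t huge = INT64_C(1) << 60;
    uint64_t bytes = 0;
    printf("unchecked size for 2^60: %llu bytes\n",
           (unsigned long long)unchecked_alloc_size(huge));
    printf("validate_count(2^60): %s\n",
           validate_count(huge, &bytes) ? "accepted" : "rejected");
    printf("validate_count(100): %s, %llu bytes\n",
           validate_count(100, &bytes) ? "accepted" : "rejected",
           (unsigned long long)bytes);
    return 0;
}
```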



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Sep 23 13:21:10 2022; Machine Name: buxtehude
