redis: CVE-2023-45145

Debian Bug report logs - #1054225
redis: CVE-2023-45145

Package: src:redis; Maintainer for src:redis is Chris Lamb <lamby@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 19 Oct 2023 13:57:04 UTC

Severity: important

Tags: security, upstream

Found in version redis/5:7.0.13-2

Fixed in versions redis/5:7.0.14-1, redis/5:7.2.2-1

Done: Chris Lamb <lamby@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Chris Lamb <lamby@debian.org>:
Bug#1054225; Package src:redis. (Thu, 19 Oct 2023 13:57:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Chris Lamb <lamby@debian.org>. (Thu, 19 Oct 2023 13:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: redis: CVE-2023-45145
Date: Thu, 19 Oct 2023 15:55:41 +0200
Source: redis
Version: 5:7.0.13-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for redis.

CVE-2023-45145[0]:
| Redis is an in-memory database that persists on disk. On startup,
| Redis begins listening on a Unix socket before adjusting its
| permissions to the user-provided configuration. If a permissive
| umask(2) is used, this creates a race condition that enables, during
| a short period of time, another process to establish an otherwise
| unauthorized connection. This problem has existed since Redis
| 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2,
| 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to
| upgrade, it is possible to work around the problem by disabling Unix
| sockets, starting Redis with a restrictive umask, or storing the
| Unix socket file in a protected directory.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45145
    https://www.cve.org/CVERecord?id=CVE-2023-45145
[1] https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvx
[2] https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
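To make the race the advisory describes concrete, here is an added C example (not Redis code and not part of the bug report) that binds a Unix socket in the vulnerable order, bind() first and chmod() afterwards, and then in the hardened order the advisory's "restrictive umask" workaround implies, clamping the umask to the intended permissions before bind(). The socket path and the simulated umask of 0 are constructed values for the demonstration.

```c
/* Added example, not Redis code: reproduces the bind()-before-chmod() window
 * behind CVE-2023-45145 and the restrictive-umask hardening the advisory
 * lists as a workaround. DEMO_SOCK is a constructed path. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

#define DEMO_SOCK "/tmp/cve-2023-45145-demo.sock"

/* connect() on a Unix socket needs write permission on the socket file,
 * so group/other write bits are what let a foreign process slip in. */
int others_can_connect(mode_t mode) { return (mode & 0022) != 0; }

/* Bind a Unix socket whose intended mode is `perm` and return the mode the
 * socket file carries between bind() and the later chmod(). A fully
 * permissive umask (0) is simulated so the window is visible.
 * harden == 0: vulnerable order, bind() first, chmod() afterwards.
 * harden == 1: clamp umask to `perm` before bind(), so the file is never
 *              more permissive than intended, then restore the umask. */
int mode_during_window(mode_t perm, int harden) {
    mode_t saved = umask(0);                 /* simulate permissive umask */
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) { umask(saved); return -1; }
    struct sockaddr_un sa;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, DEMO_SOCK, sizeof(sa.sun_path) - 1);
    unlink(DEMO_SOCK);                       /* drop any stale socket file */
    if (harden) umask(0777 & ~perm);         /* only bits in perm survive */
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    umask(saved);                            /* restore caller's umask */
    struct stat st;
    if (rc < 0 || stat(DEMO_SOCK, &st) < 0) { close(fd); return -1; }
    int window = (int)(st.st_mode & 0777);   /* what a racing process sees */
    chmod(DEMO_SOCK, perm);                  /* the late fix-up */
    close(fd);
    unlink(DEMO_SOCK);
    return window;
}

int main(void) {
    int vuln = mode_during_window(0700, 0), safe = mode_during_window(0700, 1);
    printf("bind-then-chmod: %04o, others can connect: %d\n", (unsigned)vuln, others_can_connect(vuln));
    printf("umask-then-bind: %04o, others can connect: %d\n", (unsigned)safe, others_can_connect(safe));
    return 0;
}
```

Storing the socket in a directory that only the Redis user can traverse, the advisory's other workaround, closes the same window from the outside: the file mode stops mattering if no other account can reach the path.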



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Thu, 19 Oct 2023 15:09:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 19 Oct 2023 15:09:05 GMT)


Message #10 received at 1054225-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1054225-close@bugs.debian.org
Subject: Bug#1054225: fixed in redis 5:7.0.14-1
Date: Thu, 19 Oct 2023 15:06:30 +0000
Source: redis
Source-Version: 5:7.0.14-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054225@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 19 Oct 2023 15:50:56 +0100
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.14-1
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1054225
Changes:
 redis (5:7.0.14-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2023-45145: On startup, Redis began listening on a Unix socket before
       adjusting its permissions to the user-provided configuration. If a
       permissive umask(2) was used, this created a race condition that enabled,
       during a short period of time, another process to establish an otherwise
       unauthorized connection. (Closes: #1054225)
 .
   * Refresh patches.




Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Thu, 19 Oct 2023 15:24:02 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 19 Oct 2023 15:24:02 GMT)


Message #15 received at 1054225-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1054225-close@bugs.debian.org
Subject: Bug#1054225: fixed in redis 5:7.2.2-1
Date: Thu, 19 Oct 2023 15:21:16 +0000
Source: redis
Source-Version: 5:7.2.2-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054225@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 19 Oct 2023 15:59:56 +0100
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.2.2-1
Distribution: experimental
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1054225
Changes:
 redis (5:7.2.2-1) experimental; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2023-45145: On startup, Redis began listening on a Unix socket before
       adjusting its permissions to the user-provided configuration. If a
       permissive umask(2) was used, this created a race condition that enabled,
       during a short period of time, another process to establish an otherwise
       unauthorized connection. (Closes: #1054225)
 .
   * Refresh patches.




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Oct 19 17:54:18 2023; Machine Name: bembo
