[SECURITY] [DLA 3885-1] redis security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3885-1] redis security update
From: "Chris Lamb" <lamby@debian.org>
Date: Tue, 10 Sep 2024 14:25:36 +0100
Message-id: <[🔎] 172596838318.74958.17861538618292366268@copycat>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3885-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
September 10, 2024                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : redis
Version        : 5:6.0.16-1+deb11u3
CVE IDs        : CVE-2023-45145 CVE-2023-28856 CVE-2023-25155 CVE-2022-36021 CVE-2022-24834
Debian Bugs    : 1032279 1034613 1054225

It was discovered that there were a number of issues in Redis, a popular
key-value database:

 * CVE-2023-45145: On startup, Redis began listening on a Unix
   socket before adjusting its permissions to the user-provided
   configuration. If a permissive umask(2) was used, this created a
   race condition that enabled, during a short period of time,
   another process to establish an otherwise unauthorized connection.

 * CVE-2023-28856: Authenticated users could have used the
   HINCRBYFLOAT command to create an invalid hash field that would
   have crashed the Redis server on access.

 * CVE-2023-25155: Authenticated users issuing specially crafted
   SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an
   integer overflow, resulting in a runtime assertion and termination
   of the Redis server process.

 * CVE-2022-36021: Authenticated users can use string matching
   commands (like SCAN or KEYS) with a specially crafted pattern to
   trigger a denial-of-service attack on Redis, causing it to hang
   and consume 100% CPU time.

 * CVE-2022-24834: A specially-crafted Lua script executing in Redis
   could have triggered a heap overflow in the cjson and cmsgpack
   libraries and result in heap corruption and potentially remote
   code execution.


For Debian 11 bullseye, these problems have been fixed in version
5:6.0.16-1+deb11u3.

We recommend that you upgrade your redis packages.

For the detailed security status of redis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/redis

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmbgL/0ACgkQHpU+J9Qx
HlhwUA/6A5KgIlV/X2PfoGWo7MnbLFK3+EIi2L679GnXS49VMnbSWlmdCIRuDK98
JO3zgPeprY6V1fAMINz+nqGZMm14lVhB2vLRJhpZ/WXy+hyOe7Bo/EZQYmKUxSvA
/2TVgRavx/HocOxV1RjEawZ6uMK8+lCkMDnzZRJ4KThQsS485lHR6Z6Rt+rzLDQR
tO8Qr25xkBp+hs/t1OXt6SSdf3ulYcvy0DfzGlLLIO3NeGB61xipOniRXr8Yg0so
8Hlr6mxZrp0NuPXdHMEvDUKy0vMJnIOH0GlUe6i2OYlqoPfCa/jFaqqPGFOXV/9k
mK3Mx1XX6FdejpY36tqctrjo9Wdje0ZugxYCI/QXigjwp4hwEvCTYHgN5bLeNobK
DmCNHZL9iiC64mY1VfmQL6Czz9UfPlLTD6Pz2YYd6Wg+e7dsEBp/8DlkJIzaFtmN
qzbX75xPEBHb1h19BYNDry2jeDmnDym/WXZ2EO16kNNlfqWr8SVzbocHnff/0Oos
xD427HNbjzx36ZT53l9AujBraGsBaNyE5xWmrgUBuYwVP0XEnijdw8+3vKfAEiGZ
Qesf9nBJfwF5PqGqQt/ZkEor3bf5PEq1vAUL0Mc2W3914uZfbNtn3NcIJzAV63Ct
IK8Ozc0nra2rdS/9hFr6PxWOPHeVbg4rvvEZ5Nr412Z3oqdnwk8=
=d2Jk
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3884-1] cacti security update
Next by Date: [SECURITY] [DLA 3886-1] nodejs security update
Previous by thread: [SECURITY] [DLA 3884-1] cacti security update
Next by thread: [SECURITY] [DLA 3886-1] nodejs security update
Index(es):
- Date
- Thread