Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear Release Team,
Please consider unblocking redis 5:7.0.10-1 for bookworm:
* This would replace version 5:7.0.8-1. That is to say, it would
unblock the results of six (eek) uploads from unstable into bookworm.
* Although some of these versions are labelled in the Debian changelog
as new upstream releases, these changes are actually a combination
of upstream security releases, Debian packaging bug fixes and
upstream's changes to fix regression issues that were affecting
other Debian packages (eg. #1030600).
* This unblock was encouraged by the security team. Indeed, my gut
feeling is that this 7.0.x branch will receive upstream-blessed
patches for security fixes for a little while. This would hopefully
make future DSAs relatively straightforward. (I doubt it will
receive specific updates for the entirety of the bookworm release,
alas). Either way, it makes sense to release bookworm with the
latest version of this 7.0.x branch.
* I've included the relevant portions of upstream's own changelog
further down this email. (The full debdiff, however, is attached.)
Thank you for considering this package and let me know if you need
any clarification.
§
redis (5:7.0.10-1) unstable; urgency=medium
* New upstream release.
- CVE-2023-28425: Unauthenticated users could have used the MSETNX command
to trigger a runtime assertion and termination of the Redis server
process. (Closes: #1033340)
* Refresh patches.
* Bump Standards-Version.
* Extend our USE_SYSTEM_JEMALLOC patch to support latest version.
-- Chris Lamb <lamby@debian.org> Sat, 25 Mar 2023 13:04:38 +0000
redis (5:7.0.9-1) unstable; urgency=high
* New upstream security release:
- CVE-2023-25155: Authenticated users issuing specially crafted
`SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an
integer overflow, resulting in a runtime assertion and termination of the
Redis server process. (Closes: #1032279)
- CVE-2022-36021: Authenticated users can use string matching commands
(like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a
denial-of-service attack on Redis, causing it to hang and consume 100%
CPU time.
* Refresh patches.
* Extend our USE_SYSTEM_JEMALLOC patch to support latest version.
-- Chris Lamb <lamby@debian.org> Sat, 04 Mar 2023 11:01:59 +0000
redis (5:7.0.8-4) unstable; urgency=medium
* Correct "delaycompress" typo in redis-server.logrotate, not just
redis-sentinel.logrotate. (Closes: #1031750)
-- Chris Lamb <lamby@debian.org> Tue, 21 Feb 2023 16:48:01 -0800
redis (5:7.0.8-3) unstable; urgency=medium
* Correct "delaycompress" typo. (Closes: #1031206)
-- Chris Lamb <lamby@debian.org> Mon, 13 Feb 2023 08:39:23 -0800
redis (5:7.0.8-2) unstable; urgency=medium
* Add delaycompess to logrotate configuration. Thanks, Marc Haber.
(Closes: #1029844)
-- Chris Lamb <lamby@debian.org> Mon, 30 Jan 2023 08:11:34 -0800
redis (5:7.0.8-1) unstable; urgency=high
* New upstream release.
<https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES>
* CVE-2023-22458: Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER
commands may have led to denial-of-service. (Closes: #1029363)
* CVE-2022-35977: Integer overflow in the Redis SETRANGE and SORT/SORT_RO
commands could have driven Redis to an OOM panic.
-- Chris Lamb <lamby@debian.org> Sun, 22 Jan 2023 08:46:14 -0800
§
Here is the upstream changelog:
================================================================================
Redis 7.0.10 Released Mon Mar 20 16:00:00 IST 2023
================================================================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service
Bug Fixes
=========
* Large blocks of replica client output buffer may lead to psync loops and unnecessary memory usage (#11666)
* Fix CLIENT REPLY OFF|SKIP to not silence push notifications (#11875)
* Trim excessive memory usage in stream nodes when exceeding `stream-node-max-bytes` (#11885)
* Fix module RM_Call commands failing with OOM when maxmemory is changed to zero (#11319)
================================================================================
Redis 7.0.9 Released Tue Feb 28 12:00:00 IST 2023
================================================================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD
commands can trigger an integer overflow, resulting in a runtime assertion
and termination of the Redis server process.
* (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially
crafted pattern can trigger a denial-of-service attack on Redis, causing it to
hang and consume 100% CPU time.
Bug Fixes
=========
* Fix a crash when reaching the maximum invalidations limit of client-side tracking (#11814)
* Fix a crash when SPUBLISH is used after passing the cluster-link-sendbuf-limit (#11752)
* Fix possible memory corruption in FLUSHALL when a client watches more than one key (#11854)
* Fix cluster inbound link keepalive time (#11785)
* Flush propagation list in active-expire of writable replicas to fix an assertion (#11615)
* Avoid propagating DEL of lazy expire from SCAN and RANDOMKEY as MULTI-EXEC (#11788)
Performance and resource utilization improvements
=================================================
* Avoid realloc to reduce size of strings when it is unneeded (#11766)
* Improve CLUSTER SLOTS reply efficiency for non-continuous slots (#11745)
================================================================================
Redis 7.0.8 Released Mon Jan 16 12:00:00 IDT 2023
================================================================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO
commands can drive Redis to OOM panic
* (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER
commands can lead to denial-of-service
Bug Fixes
=========
* Avoid possible hang when client issues long KEYS, SRANDMEMBER, HRANDFIELD,
and ZRANDMEMBER commands and gets disconnected by client output buffer limit (#11676)
* Make sure that fork child doesn't do incremental rehashing (#11692)
* Fix a bug where blocking commands with a sub-second timeout would block forever (#11688)
* Fix sentinel issue if replica changes IP (#11590)
§
The full debdiff is attached.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
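Added example, not part of this unblock request or of the Debian redis packaging: a Python script that parses the debian/changelog format quoted above to map CVE ids to the package version whose entry mentions them, and compares Debian version strings with a port of dpkg's own algorithm (epoch first, then upstream version, then Debian revision; `~` sorts before anything including end of string, digit runs compare numerically), so one can ask whether an installed version such as 5:7.0.8-4 already carries a given fix. The embedded changelog is a constructed, abridged copy of the entries above, and the assumption that a CVE id appears only in the entry that fixes it is the script's own.

```python
import re
from functools import cmp_to_key
# Constructed sample: an abridged copy of the changelog entries quoted in the
# unblock request above (indentation does not matter to the parser).
SAMPLE_CHANGELOG = """\
redis (5:7.0.10-1) unstable; urgency=medium
    - CVE-2023-28425: MSETNX could trigger a runtime assertion. (Closes: #1033340)
 -- Chris Lamb <lamby@debian.org>  Sat, 25 Mar 2023 13:04:38 +0000

redis (5:7.0.9-1) unstable; urgency=high
    - CVE-2023-25155: integer overflow in SRANDMEMBER, ZRANDMEMBER, HRANDFIELD.
    - CVE-2022-36021: crafted SCAN/KEYS pattern hangs the server at 100% CPU.
 -- Chris Lamb <lamby@debian.org>  Sat, 04 Mar 2023 11:01:59 +0000

redis (5:7.0.8-1) unstable; urgency=high
  * CVE-2023-22458: Integer overflow in HRANDFIELD and ZRANDMEMBER.
  * CVE-2022-35977: Integer overflow in SETRANGE and SORT/SORT_RO.
 -- Chris Lamb <lamby@debian.org>  Sun, 22 Jan 2023 08:46:14 -0800
"""
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\S+)")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def parse_changelog(text):
    """Return [(version, urgency, sorted CVE ids)] in file order (newest first)."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            entries.append([m.group(2), m.group(4), set()])
        elif entries:  # body and trailer lines belong to the most recent header
            entries[-1][2].update(CVE_RE.findall(line))
    return [(v, u, sorted(c)) for v, u, c in entries]

def _order(ch):
    """dpkg's weight for a character in a non-digit run: '~' < end < letters < others."""
    if ch == "~":
        return -1
    if ch.isdigit():
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings (port of dpkg's verrevcmp)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare weights; end-of-string weighs 0, so "1.0~rc1" < "1.0".
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def split_version(v):
    """'5:7.0.10-1' -> (5, '7.0.10', '1'); epoch defaults to 0, revision to ''."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """dpkg --compare-versions semantics: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0

def fixed_in(cve, changelog=SAMPLE_CHANGELOG):
    """Lowest version whose entry mentions the CVE (assumed to be the fixing entry), or None."""
    hits = [v for v, _, cves in parse_changelog(changelog) if cve in cves]
    return min(hits, key=cmp_to_key(compare_versions)) if hits else None

def is_fixed(installed, cve, changelog=SAMPLE_CHANGELOG):
    """True if `installed` is at or above the version that first mentions `cve`."""
    fix = fixed_in(cve, changelog)
    return fix is not None and compare_versions(installed, fix) >= 0
```

With the sample above, `is_fixed("5:7.0.8-4", "CVE-2023-25155")` returns False while `is_fixed("5:7.0.10-1", "CVE-2023-25155")` returns True, and the epoch is honoured, so an epoch-less `7.0.10-1` never satisfies a `5:` requirement. On a Debian host the same comparison is available as `dpkg --compare-versions`, which this port mirrors; the parser is only as trustworthy as the changelog, so a CVE that an entry merely references would be reported as fixed there.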