Your message dated Fri, 31 Mar 2023 13:11:42 +0000 with message-id <E1piEXe-00Gsde-Ay@respighi.debian.org> and subject line "unblock redis" has caused the Debian Bug report #1033677, regarding unblock: redis/5:7.0.10-1, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1033677: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033677
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: unblock: redis/5:7.0.10-1
- From: "Chris Lamb" <lamby@debian.org>
- Date: Wed, 29 Mar 2023 23:03:42 +0100
- Message-id: <168012640130.1260773.2010523575929231079@copycat>
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please consider unblocking redis 5:7.0.10-1 for bookworm:

 * This would replace version 5:7.0.8-1. That is to say, it would unblock the results of six (eek) uploads from unstable into bookworm.

 * Although some of these versions are labelled in the Debian changelog as new upstream releases, these changes are actually a combination of upstream security releases, Debian packaging bug fixes and upstream's changes to fix regression issues that were affecting other Debian packages (e.g. #1030600).

 * This unblock was encouraged by the security team. Indeed, my gut feeling is that this 7.0.x branch will receive upstream-blessed patches for security fixes for a little while. This would hopefully make future DSAs relatively straightforward. (I doubt it will receive specific updates for the entirety of the bookworm release, alas.) Either way, it makes sense to release bookworm with the latest version of this 7.0.x branch.

 * I've included the relevant portions of upstream's own changelog further down this email. (The full debdiff, however, is attached.)

Thank you for considering this package and let me know if you need any clarification.

§

redis (5:7.0.10-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2023-28425: Unauthenticated users could have used the MSETNX command to trigger a runtime assertion and termination of the Redis server process. (Closes: #1033340)
  * Refresh patches.
  * Bump Standards-Version.
  * Extend our USE_SYSTEM_JEMALLOC patch to support latest version.

 -- Chris Lamb <lamby@debian.org>  Sat, 25 Mar 2023 13:04:38 +0000

redis (5:7.0.9-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2023-25155: Authenticated users issuing specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Closes: #1032279)
    - CVE-2022-36021: Authenticated users can use string matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time.
  * Refresh patches.
  * Extend our USE_SYSTEM_JEMALLOC patch to support latest version.

 -- Chris Lamb <lamby@debian.org>  Sat, 04 Mar 2023 11:01:59 +0000

redis (5:7.0.8-4) unstable; urgency=medium

  * Correct "delaycompress" typo in redis-server.logrotate, not just redis-sentinel.logrotate. (Closes: #1031750)

 -- Chris Lamb <lamby@debian.org>  Tue, 21 Feb 2023 16:48:01 -0800

redis (5:7.0.8-3) unstable; urgency=medium

  * Correct "delaycompress" typo. (Closes: #1031206)

 -- Chris Lamb <lamby@debian.org>  Mon, 13 Feb 2023 08:39:23 -0800

redis (5:7.0.8-2) unstable; urgency=medium

  * Add delaycompress to logrotate configuration. Thanks, Marc Haber. (Closes: #1029844)

 -- Chris Lamb <lamby@debian.org>  Mon, 30 Jan 2023 08:11:34 -0800

redis (5:7.0.8-1) unstable; urgency=high

  * New upstream release. <https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES>
  * CVE-2023-22458: Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands may have led to denial-of-service. (Closes: #1029363)
  * CVE-2022-35977: Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands could have driven Redis to an OOM panic.

 -- Chris Lamb <lamby@debian.org>  Sun, 22 Jan 2023 08:46:14 -0800

§

Here is the upstream changelog:

================================================================================
Redis 7.0.10     Released Mon Mar 20 16:00:00 IST 2023
================================================================================

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:
* (CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service

Bug Fixes
=========
* Large blocks of replica client output buffer may lead to psync loops and unnecessary memory usage (#11666)
* Fix CLIENT REPLY OFF|SKIP to not silence push notifications (#11875)
* Trim excessive memory usage in stream nodes when exceeding `stream-node-max-bytes` (#11885)
* Fix module RM_Call commands failing with OOM when maxmemory is changed to zero (#11319)

================================================================================
Redis 7.0.9     Released Tue Feb 28 12:00:00 IST 2023
================================================================================

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:
* (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process.
* (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time.

Bug Fixes
=========
* Fix a crash when reaching the maximum invalidations limit of client-side tracking (#11814)
* Fix a crash when SPUBLISH is used after passing the cluster-link-sendbuf-limit (#11752)
* Fix possible memory corruption in FLUSHALL when a client watches more than one key (#11854)
* Fix cluster inbound link keepalive time (#11785)
* Flush propagation list in active-expire of writable replicas to fix an assertion (#11615)
* Avoid propagating DEL of lazy expire from SCAN and RANDOMKEY as MULTI-EXEC (#11788)

Performance and resource utilization improvements
=================================================
* Avoid realloc to reduce size of strings when it is unneeded (#11766)
* Improve CLUSTER SLOTS reply efficiency for non-continuous slots (#11745)

================================================================================
Redis 7.0.8     Released Mon Jan 16 12:00:00 IDT 2023
================================================================================

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:
* (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic
* (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service

Bug Fixes
=========
* Avoid possible hang when client issues long KEYS, SRANDMEMBER, HRANDFIELD, and ZRANDMEMBER commands and gets disconnected by client output buffer limit (#11676)
* Make sure that fork child doesn't do incremental rehashing (#11692)
* Fix a bug where blocking commands with a sub-second timeout would block forever (#11688)
* Fix sentinel issue if replica changes IP (#11590)

§

The full debdiff is attached.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Attachment: debdiff (Binary data)
--- End Message ---
--- Begin Message ---
- To: 1033677-done@bugs.debian.org
- Subject: unblock redis
- From: Sebastian Ramacher <sramacher@respighi.debian.org>
- Date: Fri, 31 Mar 2023 13:11:42 +0000
- Message-id: <E1piEXe-00Gsde-Ay@respighi.debian.org>
Unblocked.
--- End Message ---