Bug#1105008: bookworm-pu: package redis/5:7.0.15-1~deb12u4
Control: tags -1 - moreinfo
Hi Adrian,
On Fri, May 09, 2025 at 11:57:29PM +0300, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm moreinfo
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: security@debian.org, Chris Lamb <lamby@debian.org>
>
> * CVE-2025-21605: Limit output buffer for unauthenticated clients
> (Closes: #1104010)
>
> Tagged moreinfo, as question to the security team whether they want
> this in pu or as DSA.
I would argue that *could* warrant a DSA, but with the following
argument that the point release is just right around the corner: if
you manage to upload this this weekend in time for the point release
then let's do a point release update. While it might warrant a DSA
redis server installations are ideally with restricted access by
additional boundaries.
If we get to miss the window, then please come back to us and we can
pick it up via DSA.
The former has the advantage that we can batch the update together
with other things pending in point release.
Regards,
Salvatore
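The "additional boundaries" mentioned above are, for a Redis deployment, mainly the listening address, protected mode and a client password. The following Python script is an added example (not code from Debian, the bug thread, or the Redis project) that parses a redis.conf and reports when any of those three boundaries is missing, run once over a constructed weak configuration and once over a constructed hardened one; the directive names bind, protected-mode and requirepass are standard Redis configuration directives, the sample configurations and the password placeholder are constructed for the example.

```python
"""Audit a redis.conf for the network-exposure boundaries a hardened
deployment is expected to have (added example; not Debian or Redis code).

The checks cover three standard Redis directives:
  bind            - which interfaces the server listens on
  protected-mode  - refuses non-loopback clients when no password is set
  requirepass     - password that clients must present to be authenticated
"""

from typing import Dict, List

# Constructed sample: an exposed configuration (weak settings)
WEAK_CONF = """
# constructed example, not a real deployment
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same service with access boundaries in place
HARDENED_CONF = """
# constructed example, not a real deployment
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass <placeholder-long-random-password>
"""

# Loopback forms accepted by the bind directive; the leading '-' form means
# "skip this address if it is not available", as used in the stock redis.conf.
LOOPBACK = {"127.0.0.1", "::1", "-::1", "-127.0.0.1"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'directive arg...' lines; comments and blank lines are skipped.
    A repeated directive keeps its last value, as redis-server does."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = parts[1:]
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means all three checks passed."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # Without a bind directive redis-server listens on all interfaces.
    bind_addrs = conf.get("bind") or ["0.0.0.0"]
    non_local = [a for a in bind_addrs if a not in LOOPBACK]
    if non_local:
        findings.append(f"bind: listens on non-loopback address(es) {non_local}")

    # protected-mode defaults to yes; 'no' removes the no-password safety net.
    if (conf.get("protected-mode") or ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")

    # Without requirepass every connecting client is an unauthenticated client.
    if not conf.get("requirepass"):
        findings.append("requirepass: not set; all clients are unauthenticated")

    return findings


if __name__ == "__main__":
    for name, conf_text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_redis_conf(conf_text)
        print(f"{name}: {result or 'OK'}")
```

Run against a real file with audit_redis_conf(open("/etc/redis/redis.conf").read()); an empty result only means the three directives are set, not that the host firewall or the network layout adds nothing further.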