Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear Release Team,
Please consider pre-approval for redis 5:8.0.2-2:
redis (5:8.0.2-2) unstable; urgency=high
* CVE-2025-32023: An authenticated user may have used a specially-crafted
string to trigger a stack/heap out-of-bounds write during hyperloglog
operations, potentially leading to remote code execution. Installations
that used Redis' ACL system to restrict hyperloglog "HLL" commands are
unaffected by this issue. (Closes: #1108975)
* CVE-2025-48367: An unauthenticated connection could have caused repeated IP
protocol errors, leading to client starvation and ultimately becoming a
Denial of Service (DoS) attack. (Closes: #1108981)
redis (5:8.0.2-1) unstable; urgency=medium
* New upstream security release:
- CVE-2025-27151: Fix a stack-based buffer overflow in redis-check-aof
caused by the use of memcpy with strlen(filepath) when copying a
user-supplied file path into a fixed-size stack buffer. This allowed an
attacker to overflow the stack and potentially achieve arbitrary code
execution. (Closes: #1106822)
* Update debian/watch to consider 8.x versions again after the recent
licensing change.
-- Chris Lamb <lamby@debian.org> Fri, 30 May 2025 12:05:58 -0700
The full debdiff is attached.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
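The CVE-2025-27151 entry above describes the classic "memcpy with strlen() into a fixed-size stack buffer" pattern. The following is an added illustration of that pattern and of the length check that closes it; it is not Redis or Debian code and is not taken from the debdiff. The buffer size PATH_BUF_SIZE (64), the function names and the sample paths are hypothetical choices made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed stack buffer size, chosen for the example only. */
#define PATH_BUF_SIZE 64

/* Vulnerable pattern as the changelog describes it: the copy length is
 * taken from the untrusted string, not from the destination size, so a
 * path longer than PATH_BUF_SIZE - 1 bytes writes past the end of dst.
 * Kept only for comparison; it is never called on untrusted input here. */
void copy_path_unchecked(char *dst, const char *path)
{
    size_t len = strlen(path);
    memcpy(dst, path, len);   /* no bounds check against dst size */
    dst[len] = '\0';          /* the terminator can also land out of bounds */
}

/* Hardened version: the destination size is the limit. The path must fit
 * together with its terminating NUL, otherwise it is rejected (-1). */
int copy_path_checked(char *dst, size_t dst_size, const char *path)
{
    size_t len = strlen(path);
    if (len >= dst_size)
        return -1;            /* would overflow, including the NUL byte */
    memcpy(dst, path, len + 1);   /* len + 1 copies the terminator too */
    return 0;
}

/* Simulates the checking tool: copies the user-supplied path into a
 * fixed-size stack buffer. Returns 0 if accepted, -1 if rejected. */
int check_aof_path(const char *path)
{
    char filepath[PATH_BUF_SIZE];
    if (copy_path_checked(filepath, sizeof filepath, path) != 0)
        return -1;
    return 0;
}

/* Builds a constructed path of n 'A' characters (n < 255) and runs the
 * check, so the boundary around PATH_BUF_SIZE can be exercised. */
int check_path_of_length(size_t n)
{
    char constructed[256];
    if (n >= sizeof constructed)
        n = sizeof constructed - 1;
    memset(constructed, 'A', n);
    constructed[n] = '\0';
    return check_aof_path(constructed);
}

int main(void)
{
    /* Constructed inputs: a normal path and a path that is one byte too long. */
    printf("normal path: %d\n", check_aof_path("/var/lib/redis/appendonly.aof"));
    printf("%d-byte path: %d\n", PATH_BUF_SIZE - 1, check_path_of_length(PATH_BUF_SIZE - 1));
    printf("%d-byte path: %d\n", PATH_BUF_SIZE, check_path_of_length(PATH_BUF_SIZE));
    return 0;
}
```

The boundary to check in this kind of fix is the off-by-one: a path of exactly PATH_BUF_SIZE - 1 characters still needs one more byte for the NUL and is the longest accepted input, while a path of PATH_BUF_SIZE characters must be refused. Using the destination size rather than strlen() of the input as the limit is what makes the checked variant safe.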