
Bug#1108985: unblock/preapproval: redis/5:8.0.2-2



Control: tags -1 moreinfo confirmed

On 2025-07-08 14:43:54 -0700, Chris Lamb wrote:
> Package: release.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Dear Release Team,
> 
> Please consider pre-approval for redis 5:8.0.2-2

Please go ahead and remove the moreinfo tag once the package is
available in unstable.

Cheers

> 
>   redis (5:8.0.2-2) unstable; urgency=high
> 
>     * CVE-2025-32023: An authenticated user may have used a specially-crafted
>       string to trigger a stack/heap out-of-bounds write during hyperloglog
>       operations, potentially leading to remote code execution. Installations
>       that used Redis' ACL system to restrict hyperloglog "HLL" commands are
>       unaffected by this issue. (Closes: #1108975)
>     * CVE-2025-48367: An unauthenticated connection could have caused repeated IP
>       protocol errors, leading to client starvation and ultimately becoming a
>       Denial of Service (DoS) attack. (Closes: #1108981)
> 
> redis (5:8.0.2-1) unstable; urgency=medium
> 
>   * New upstream security release:
> 
>     - CVE-2025-27151: Fix a stack-based buffer overflow in redis-check-aof
>       caused by the use of memcpy with strlen(filepath) when copying a
>       user-supplied file path into a fixed-size stack buffer. This allowed an
>       attacker to overflow the stack and potentially achieve arbitrary code
>       execution. (Closes: #1106822)
> 
>   * Update debian/watch to consider 8.x versions again after the recent
>     licensing change.
> 
>  -- Chris Lamb <lamby@debian.org>  Fri, 30 May 2025 12:05:58 -0700
> 
> 
> The full debdiff is attached.
> 
> 
> Regards,
> 
> -- 
>       ,''`.
>      : :'  :     Chris Lamb
>      `. `'`      lamby@debian.org / chris-lamb.co.uk
>        `-
> 
> 



-- 
Sebastian Ramacher
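The CVE-2025-27151 entry in the quoted changelog describes a classic defect: a path is copied into a fixed-size stack buffer with `memcpy` using `strlen(filepath)` as the length, so the bound comes from attacker-controlled input rather than from the destination. The following is an added illustration, not code from redis, redis-check-aof or this mail; `copy_path_bounded`, `load_path`, `PATH_BUF_SIZE` and the sample paths are constructed for the example. It shows the bounded form of the copy, where the destination size governs the copy and an over-long input is rejected instead of written past the end of the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed buffer size, kept small so the length check is easy to exercise. */
#define PATH_BUF_SIZE 64

/* The unsafe pattern named in the changelog (deliberately NOT implemented here):
 *
 *   char buf[PATH_BUF_SIZE];
 *   memcpy(buf, filepath, strlen(filepath));
 *
 * The copy length is derived from the source string, so any filepath of
 * PATH_BUF_SIZE bytes or more writes past the end of buf on the stack.
 */

/* Length of src, but never scanning further than 'limit' bytes. Written out
 * rather than using strnlen() so the example builds under strict ISO C. */
static size_t bounded_len(const char *src, size_t limit)
{
    size_t n = 0;
    while (n < limit && src[n] != '\0')
        n++;
    return n;
}

/* Hardened copy: the destination size, not the source length, bounds the write.
 * Returns 0 on success, -1 when the source (plus its NUL) does not fit or the
 * arguments are invalid. On failure dst is left untouched. */
int copy_path_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;

    /* Stop scanning at dstsz: if we reach it, the string cannot fit anyway. */
    size_t n = bounded_len(src, dstsz);
    if (n >= dstsz)              /* no room left for the terminating NUL */
        return -1;

    memcpy(dst, src, n + 1);     /* n + 1 <= dstsz by the check above; includes NUL */
    return 0;
}

/* Models a command-line tool that takes a path from argv and copies it into a
 * fixed stack buffer. Returns 0 if the path was accepted, -1 if it was rejected. */
int load_path(const char *filepath)
{
    char buf[PATH_BUF_SIZE];

    if (copy_path_bounded(buf, sizeof buf, filepath) != 0) {
        fprintf(stderr, "path too long or invalid (max %zu bytes)\n",
                sizeof buf - 1);
        return -1;
    }
    printf("using path: %s\n", buf);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one far longer than the buffer. */
    char longpath[512];
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';

    load_path("/var/lib/redis/appendonly.aof");  /* accepted */
    load_path(longpath);                         /* rejected, no overflow */
    return 0;
}
```

The point of the check is that the comparison is against `dstsz`, the size the caller actually owns, and that scanning the source is capped at that same size so a very long input costs no more than the buffer length to reject.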

