• Bug#1105008: bookworm-pu: package redis/5:7.0.15-1~deb12u4

    From Adrian Bunk@21:1/5 to All on Fri May 9 23:10:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bookworm moreinfo
    User: release.debian.org@packages.debian.org
    Usertags: pu
    X-Debbugs-Cc: security@debian.org, Chris Lamb <lamby@debian.org>

    * CVE-2025-21605: Limit output buffer for unauthenticated clients
    (Closes: #1104010)

    Tagged moreinfo, as a question to the security team whether they want
    this in pu or as DSA.

    diffstat for redis-7.0.15 redis-7.0.15

    changelog | 8 +
    patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch | 60 ++++++++++
    patches/series | 1
    3 files changed, 69 insertions(+)

    diff -Nru redis-7.0.15/debian/changelog redis-7.0.15/debian/changelog
    --- redis-7.0.15/debian/changelog 2025-01-19 12:41:08.000000000 +0200
    +++ redis-7.0.15/debian/changelog 2025-05-09 19:15:20.000000000 +0300
    @@ -1,3 +1,11 @@
    +redis (5:7.0.15-1~deb12u4) bookworm; urgency=medium
    +
    + * Non-maintainer upload.
    + * CVE-2025-21605: Limit output buffer for unauthenticated clients
    + (Closes: #1104010)
    +
    + -- Adrian Bunk <bunk@debian.org> Fri, 09 May 2025 19:15:20 +0300
    +
    redis (5:7.0.15-1~deb12u3) bookworm-security; urgency=medium

    * Non-maintainer upload.
    diff -Nru redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
    --- redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch 1970-01-01 02:00:00.000000000 +0200
    +++ redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch 2025-05-09 19:14:31.000000000 +0300
    @@ -0,0 +1,60 @@
    +From 81f549f61799175bca3b126f749a8
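    Review bot: the hunk for the new patch file is cut off after its first line (`+From 81f549f61799175bca3b126f749a8`) even though the hunk header announces 60 added lines, so neither the DEP-3 metadata (Origin, Bug) nor the actual change that limits the output buffer for unauthenticated clients can be reviewed from this message; the full debdiff in the upload should be checked for that, along with the `patches/series` entry the diffstat shows as changed.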
  • From Salvatore Bonaccorso@21:1/5 to Adrian Bunk on Sat May 10 16:20:02 2025
    XPost: linux.debian.devel.release

    Control: tags -1 - moreinfo

    Hi Adrian,

    On Fri, May 09, 2025 at 11:57:29PM +0300, Adrian Bunk wrote:
    > Package: release.debian.org
    > Severity: normal
    > Tags: bookworm moreinfo
    > User: release.debian.org@packages.debian.org
    > Usertags: pu
    > X-Debbugs-Cc: security@debian.org, Chris Lamb <lamby@debian.org>
    >
    > * CVE-2025-21605: Limit output buffer for unauthenticated clients
    > (Closes: #1104010)
    >
    > Tagged moreinfo, as a question to the security team whether they want
    > this in pu or as DSA.

    I would argue that this *could* warrant a DSA, but with the following
    argument that the point release is just right around the corner: if
    you manage to upload this this weekend in time for the point release
    then let's do a point release update. While it might warrant a DSA,
    redis server installations are ideally with restricted access by
    additional boundaries.

    If we get to miss the window, then please come back to us and we can
    pick it up via DSA.

    The former has the advantage that we can batch the update together
    with other things pending in point release.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adam D Barratt@21:1/5 to All on Sat May 10 19:10:01 2025
    XPost: linux.debian.devel.release

    package release.debian.org
    tags 1105008 = bookworm pending
    thanks

    Hi,

    The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

    Thanks for your contribution!

    Upload details
    ==============

    Package: redis
    Version: 7.0.15-1~deb12u4

    Explanation: fix denial of service issue [CVE-2025-21605]
