Fedora has issued an advisory on October 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EMP3URK6CE4LGQZ7V2GD23UVMTFM7K46/

Debian has some patches for those issues:
https://sources.debian.org/data/main/r/redis/5%3A7.0.15-2/debian/patches/0005-CVE-2024-31227.patch
https://sources.debian.org/data/main/r/redis/5%3A7.0.15-2/debian/patches/0006-CVE-2024-31228.patch
https://sources.debian.org/data/main/r/redis/5%3A7.0.15-2/debian/patches/0007-CVE-2024-31449.patch
Source RPM: (none) => redis-7.0.14-1.mga9.src.rpm
Status comment: (none) => Patches available from Debian
CVE: (none) => CVE-2024-31227, CVE-2024-31228, CVE-2024-31449
@ Colin
Assigning to you, because you are the registered maintainer. Can you please give this package to nobody? Of course, if you want to come back instead, that would be much better :-þ

CC'ing daviddavid, who was the most recent one to touch redis in Cauldron, and kekepower, who was the most recent one to touch it in Mageia 9
Assignee: bugsquad => mageia
CC: (none) => geiger.david68210, marja11, smelror
Reassigning to pkg-bugs@ml, this package should be released soon
Assignee: mageia => pkg-bugs
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. (CVE-2024-31227)

Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. (CVE-2024-31228)

An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. (CVE-2024-31449)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EMP3URK6CE4LGQZ7V2GD23UVMTFM7K46/
========================

Updated package in core/updates_testing:
========================
redis-7.0.14-1.1.mga9

from SRPM:
redis-7.0.14-1.1.mga9.src.rpm
Status comment: Patches available from Debian => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on HP Pavilion
No installation issues
Ref bug 32406 Comment 5 for testing

# systemctl start redis
# systemctl -l status redis
● redis.service - Redis persistent key-value database
     Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/redis.service.d
             └─limit.conf
     Active: active (running) since Sat 2024-10-26 11:40:39 CEST; 16s ago
   Main PID: 125956 (redis-server)
      Tasks: 5 (limit: 4473)
     Memory: 2.4M
        CPU: 95ms
     CGroup: /system.slice/redis.service
             └─125956 "/usr/bin/redis-server 127.0.0.1:6379"

Oct 26 11:40:39 mach4.hviaene.thuis systemd[1]: Started redis.service.

Good enough, let's go.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0340.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED