On Thu, Jun 14, 2018 at 02:10:27PM +0100, Chris Lamb wrote:
> Chris Lamb wrote:
>
> > redis: multiple security issues in Lua scripting
> >
> > This has now been assigned CVE-2018-11219 & CVE-2018-11218.
>
> Security team, permission to upload the attached to
> stretch-security?
>
> redis (3:3.2.6-3+deb9u1) stretch-security; urgency=high
>
>   * CVE-2018-11218, CVE-2018-11219: Backport patches to fix multiple heap
>     corruption and integer overflow vulnerabilities. (Closes: #901495)
That looks fine. Please upload (with -sa as redis is new in stretch-security).

For future updates please include the git commit IDs in debian/patches and add some context where changes were omitted compared to upstream; it makes it much easier to review changes. E.g. compared to the fix from the upstream 3.2 branch, 0012-Security-update-Lua-struct-package-for-security.patch misses a few changes, but they seem like unrelated refactoring.

Did you have a chance to test this? I should be able to test this on a few live Redis servers, but that would take a few days, so it would be helpful to know which tests you've done so far.

Also, the Lua code copies are missing in the data/embedded-code-copies file in the Security Tracker.

deps/README.md states

  **lua** is Lua 5.1 with minor changes for security and additional libraries.

so I'm wondering whether we can fix Redis for buster to use the system copy of Lua? Ideally we could upstream the changes made by antirez (or ideally he'd do that himself?).

Cheers,
Moritz