-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3885-1                      [email protected]
https://www.debian.org/lts/security/                          Chris Lamb
September 10, 2024                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package        : redis
Version        : 5:6.0.16-1+deb11u3
CVE IDs        : CVE-2023-45145 CVE-2023-28856 CVE-2023-25155
                 CVE-2022-36021 CVE-2022-24834
Debian Bugs    : 1032279 1034613 1054225

It was discovered that there were a number of issues in Redis, a popular
key-value database:

* CVE-2023-45145: On startup, Redis began listening on a Unix socket
  before adjusting its permissions to the user-provided configuration.
  If a permissive umask(2) was used, this created a race condition that
  enabled, during a short period of time, another process to establish
  an otherwise unauthorized connection.

* CVE-2023-28856: Authenticated users could have used the HINCRBYFLOAT
  command to create an invalid hash field that would have crashed the
  Redis server on access.

* CVE-2023-25155: Authenticated users issuing specially crafted
  SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands could trigger an
  integer overflow, resulting in a runtime assertion and termination of
  the Redis server process.

* CVE-2022-36021: Authenticated users could use string matching commands
  (like SCAN or KEYS) with a specially crafted pattern to trigger a
  denial-of-service attack on Redis, causing it to hang and consume 100%
  CPU time.

* CVE-2022-24834: A specially-crafted Lua script executing in Redis could
  have triggered a heap overflow in the cjson and cmsgpack libraries and
  result in heap corruption and potentially remote code execution.

For Debian 11 bullseye, these problems have been fixed in version
5:6.0.16-1+deb11u3.

We recommend that you upgrade your redis packages.
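The CVE-2023-45145 race described above comes from the order of operations: bind(2) creates the socket file with mode 0777 masked by the process umask, and only afterwards does the daemon chmod(2) it down to the configured permission. The following is an added illustration of that window and of the usual fix (tighten the umask before bind so no permissive window exists); it is example code written for this page, not Redis's or Debian's code, and the two pattern functions and the temporary socket path it uses are assumptions for demonstration. It returns the permission bits observed immediately after bind() and after the later chmod(), so the difference between the two approaches is visible without needing a racing second process.

```python
import os
import socket
import stat
import tempfile


def socket_mode_at_bind(umask_value, chmod_after=None):
    """Create a Unix socket under umask_value and return a pair
    (mode right after bind, final mode).

    The first value is what a racing process sees in the window between
    bind() and any later chmod(); the second is what the daemon intended.
    The process umask is restored afterwards. The socket lives in a
    temporary directory (a constructed path, not Redis's unixsocket)."""
    old_umask = os.umask(umask_value)
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "redis.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        # bind() creates the socket file with 0777 & ~umask.
        srv.bind(path)
        mode_in_window = stat.S_IMODE(os.stat(path).st_mode)
        if chmod_after is not None:
            # The late permission adjustment the advisory refers to.
            os.chmod(path, chmod_after)
        final_mode = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)
        os.umask(old_umask)
    return mode_in_window, final_mode


def vulnerable_pattern():
    """bind() first, chmod() later, under a permissive umask of 000:
    the socket is world-accessible (0777) until the chmod lands."""
    return socket_mode_at_bind(0o000, chmod_after=0o700)


def hardened_pattern():
    """Restrict the umask before bind(): the file is 0700 from the
    moment it exists, so there is no window to race."""
    return socket_mode_at_bind(0o077)


if __name__ == "__main__":
    print("bind-then-chmod: in window %o, final %o" % vulnerable_pattern())
    print("umask-then-bind: in window %o, final %o" % hardened_pattern())
```

On a system where the daemon's permissions are still set after bind(), the practical mitigation is the same as the hardened function shows: start the service with a restrictive umask (for a systemd unit, `UMask=` in the service file) so that even the pre-chmod file is not world-connectable.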
For the detailed security status of redis please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/redis

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmbgL/0ACgkQHpU+J9Qx
HlhwUA/6A5KgIlV/X2PfoGWo7MnbLFK3+EIi2L679GnXS49VMnbSWlmdCIRuDK98
JO3zgPeprY6V1fAMINz+nqGZMm14lVhB2vLRJhpZ/WXy+hyOe7Bo/EZQYmKUxSvA
/2TVgRavx/HocOxV1RjEawZ6uMK8+lCkMDnzZRJ4KThQsS485lHR6Z6Rt+rzLDQR
tO8Qr25xkBp+hs/t1OXt6SSdf3ulYcvy0DfzGlLLIO3NeGB61xipOniRXr8Yg0so
8Hlr6mxZrp0NuPXdHMEvDUKy0vMJnIOH0GlUe6i2OYlqoPfCa/jFaqqPGFOXV/9k
mK3Mx1XX6FdejpY36tqctrjo9Wdje0ZugxYCI/QXigjwp4hwEvCTYHgN5bLeNobK
DmCNHZL9iiC64mY1VfmQL6Czz9UfPlLTD6Pz2YYd6Wg+e7dsEBp/8DlkJIzaFtmN
qzbX75xPEBHb1h19BYNDry2jeDmnDym/WXZ2EO16kNNlfqWr8SVzbocHnff/0Oos
xD427HNbjzx36ZT53l9AujBraGsBaNyE5xWmrgUBuYwVP0XEnijdw8+3vKfAEiGZ
Qesf9nBJfwF5PqGqQt/ZkEor3bf5PEq1vAUL0Mc2W3914uZfbNtn3NcIJzAV63Ct
IK8Ozc0nra2rdS/9hFr6PxWOPHeVbg4rvvEZ5Nr412Z3oqdnwk8=
=d2Jk
-----END PGP SIGNATURE-----
