Your message dated Sat, 17 May 2025 09:37:58 +0000
with message-id <[email protected]>
and subject line Close 1105008
has caused the Debian Bug report #1105008,
regarding bookworm-pu: package redis/5:7.0.15-1~deb12u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1105008: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105008
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], Chris Lamb <[email protected]>

  * CVE-2025-21605: Limit output buffer for unauthenticated clients
    (Closes: #1104010)

Tagged moreinfo, as question to the security team whether they want
this in pu or as DSA.
diffstat for redis-7.0.15 redis-7.0.15

 changelog                                                               |    8 +
 patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch |   60 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 69 insertions(+)

diff -Nru redis-7.0.15/debian/changelog redis-7.0.15/debian/changelog
--- redis-7.0.15/debian/changelog       2025-01-19 12:41:08.000000000 +0200
+++ redis-7.0.15/debian/changelog       2025-05-09 19:15:20.000000000 +0300
@@ -1,3 +1,11 @@
+redis (5:7.0.15-1~deb12u4) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-21605: Limit output buffer for unauthenticated clients
+    (Closes: #1104010)
+
+ -- Adrian Bunk <[email protected]>  Fri, 09 May 2025 19:15:20 +0300
+
 redis (5:7.0.15-1~deb12u3) bookworm-security; urgency=medium
 
   * Non-maintainer upload.
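Review bot: the new entry targets `bookworm` while the entry directly below it went to `bookworm-security`; since the cover note leaves it to the security team whether this ships via pu or as a DSA, the distribution line must be switched to `bookworm-security` if they take the DSA route, otherwise the upload will be rejected from that queue. The entry itself is otherwise complete: CVE id, one-line summary and `Closes: #1104010` are all present.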
diff -Nru 
redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
 
redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
--- 
redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
 1970-01-01 02:00:00.000000000 +0200
+++ 
redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
 2025-05-09 19:14:31.000000000 +0300
@@ -0,0 +1,60 @@
+From 81f549f61799175bca3b126f749a8891832dd187 Mon Sep 17 00:00:00 2001
+From: YaacovHazan <[email protected]>
+Date: Wed, 23 Apr 2025 08:09:40 +0000
+Subject: Limiting output buffer for unauthenticated client (CVE-2025-21605)
+
+For unauthenticated clients the output buffer is limited to prevent
+them from abusing it by not reading the replies
+---
+ src/networking.c    |  5 +++++
+ tests/unit/auth.tcl | 18 ++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/src/networking.c b/src/networking.c
+index 90cc64d70..386773eee 100644
+--- a/src/networking.c
++++ b/src/networking.c
+@@ -3757,6 +3757,11 @@ int checkClientOutputBufferLimits(client *c) {
+     int soft = 0, hard = 0, class;
+     unsigned long used_mem = getClientOutputBufferMemoryUsage(c);
+ 
++    /* For unauthenticated clients the output buffer is limited to prevent
++     * them from abusing it by not reading the replies */
++    if (used_mem > 1024 && authRequired(c))
++        return 1;
++
+     class = getClientType(c);
+     /* For the purpose of output buffer limiting, masters are handled
+      * like normal clients. */
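Review bot: the added `if (used_mem > 1024 && authRequired(c)) return 1;` uses a bare magic number with no named constant and no relation to the per-class `client-output-buffer-limit` values computed just below via `getClientType(c)`; the hunk's comment says why unauthenticated clients are limited but not why 1024. Suggest a named constant in the same file and a comment stating that the value is deliberately far below any configured class limit. Note also that returning 1 before the class lookup bypasses the soft-limit timer entirely, so for unauthenticated clients this is always a hard disconnect, which is the intended behaviour and worth saying in the comment.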
+diff --git a/tests/unit/auth.tcl b/tests/unit/auth.tcl
+index 26d125579..24b386228 100644
+--- a/tests/unit/auth.tcl
++++ b/tests/unit/auth.tcl
+@@ -45,6 +45,24 @@ start_server {tags {"auth external:skip"} overrides 
{requirepass foobar}} {
+         assert_match {*unauthenticated bulk length*} $e
+         $rr close
+     }
++
++    test {For unauthenticated clients output buffer is limited} {
++        set rr [redis [srv "host"] [srv "port"] 1 $::tls]
++        $rr SET x 5
++        catch {[$rr read]} e
++        assert_match {*NOAUTH Authentication required*} $e
++
++        # Fill the output buffer in a loop without reading it and make
++        # sure the client disconnected.
++        # Considering the socket eat some of the replies, we are testing
++        # that such client can't consume more than few MB's.
++        catch {
++            for {set j 0} {$j < 1000000} {incr j} {
++                    $rr SET x 5
++            }
++        } e
++        assert_match {I/O error reading reply} $e
++    }
+ }
+ 
+ start_server {tags {"auth_binary_password external:skip"}} {
+-- 
+2.30.2
+
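Review bot: in the new test, `catch {[$rr read]} e` wraps the read in command substitution, so if the read ever succeeded its reply would be executed as a Tcl command instead of captured; `catch {$rr read} e` is what is meant (the existing test above uses the same idiom, so this is consistent, but it only passes because the error fires first). Separately, the patch carries only git's From/Date/Subject headers; adding `Origin: upstream` with commit 81f549f61799175bca3b126f749a8891832dd187 and `Bug-Debian: https://bugs.debian.org/1104010` would make the provenance checkable from the patch alone.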
diff -Nru redis-7.0.15/debian/patches/series redis-7.0.15/debian/patches/series
--- redis-7.0.15/debian/patches/series  2025-01-19 00:28:16.000000000 +0200
+++ redis-7.0.15/debian/patches/series  2025-05-09 19:15:07.000000000 +0300
@@ -6,3 +6,4 @@
 0001-Apply-security-fixes-for-CVEs-1113.patch
 0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch
 0002-Fix-Read-Write-key-pattern-selector-CVE-2024-51741-1.patch
+0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
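Review bot: the filename added to `series` is truncated by git-format-patch to `...-client-CV.patch`, losing the CVE id that the patch subject carries; renaming it to include `CVE-2025-21605` (as the two preceding entries do for their CVEs) would make the series file greppable by advisory id. Ordering after the existing CVE patches is correct.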

--- End Message ---
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
