Debian alert DLA-4240-1 (redis)
From: Chris Lamb <lamby@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4240-1] redis security update
Date: Sat, 12 Jul 2025 15:57:05 -0700
Message-ID: <175235639644.478558.16742376672429250005@copycat>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4240-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Chris Lamb
July 12, 2025                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : redis
Version        : 5:6.0.16-1+deb11u7
CVE IDs        : CVE-2025-32023 CVE-2025-48367
Debian Bugs    : 1108975 1108981

Two issues were discovered in Redis, the key-value database:

* CVE-2025-32023: An authenticated user may have used a specially-crafted
  string to trigger a stack/heap out-of-bounds write during hyperloglog
  operations, potentially leading to a remote code execution vulnerability.
  Installations that used Redis' ACL system to restrict hyperloglog (HLL)
  commands are unaffected by this issue.

* CVE-2025-48367: An unauthenticated connection could have caused repeated
  IP protocol errors, leading to client starvation and ultimately becoming
  a Denial of Service (DoS) attack.

For Debian 11 bullseye, these problems have been fixed in version
5:6.0.16-1+deb11u7.

We recommend that you upgrade your redis packages.
For the detailed security status of redis please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/redis

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmhy1ioACgkQHpU+J9Qx
HlgK0Q/9FfGRaMS75d2vuTUN7vHVW9TKD2c3Pg9Rti0cH6uAZwfFv0K8YKx0mXMm
BzTsU1+dui99M3aG0djbNNXM8szsEtbgEZgj7SNLe+82u6tOMDPiAScjDh1ebSkw
UVMng820KWS2sctQP5utW6vq9FVfX85DIp/HHnz3MO6gQU1tb/MZuSArKwXzyUUa
AgDb5CzPG3H+dxbH696hJYp0JKKWJUM+E8GbfFK/7ICT/n/vuAR42as/pw96h+4r
KMOHXzD1ESdQcsQbj5DOV7DZSITT5Ttk+zlVHVgaQiK0j7LRxCuidcHwH94m/Gfw
z4/bmR7YcljSvKSAvoHWHsAr100u7DK2D76xabzjyamEyQEhfuJ5ssZX8tB7kH83
B5ij2DPRVN2nah00BIHlHor4m/66q0cD6DApEhfTQ6dc/PE2XAd3yJzJxTRXfrOu
K8TTdMTnmK47KuisCbZCdWUDwjpEXGWUcb1jpDAHAqapBY1bmkTxFK2nBEkaWw1x
9sdsVhdY7dHOYnLeq8gdLCQJUmTM43QDJxz6oNVjOuRYTs/qBNhsrFZns05VG+pa
K1iD+z2wnPc7gvOI/vL7LtvQIJADeIBzNlDCI3Y9/nfDLNTAXWcuk/XzB8jw2TCd
+avrrl2H8oXSrCTxo5qH83IhbqTvm56uht/+5XDz1zNdB2ImPfU=
=4CYM
-----END PGP SIGNATURE-----
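The advisory gives two actionable facts for a defender: the fixed package version (5:6.0.16-1+deb11u7 on bullseye) and the interim mitigation for CVE-2025-32023 (restricting the HyperLogLog commands through Redis' ACL system). The script below is an added example, not part of the Debian advisory or of the redis package. It reimplements dpkg's version ordering (epoch, upstream version, Debian revision; `~` sorts before everything including end of string, letters before non-letters, digit runs compared numerically) so a fleet inventory can decide whether an installed `redis-server` version already carries the fix, and it emits the ACL rule that denies the HLL command category to a user. The ACL category name `@hyperloglog` is a real Redis 6+ category; the user name `app`, the fallback sample version and the `dpkg-query` lookup in the `__main__` block are assumptions for illustration.

```python
"""Added example (not from the advisory): check an installed redis version
against the DLA-4240-1 fix and print the interim ACL mitigation."""
import re

FIXED_VERSION = "5:6.0.16-1+deb11u7"   # from the advisory (Debian 11 bullseye)


def _char_order(c: str) -> int:
    # dpkg ordering for non-digit characters: '~' < end-of-string < letters < others
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0   # 0 == end of string
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    # Alternate a non-digit run (lexical, dpkg order) with a digit run (numeric).
    while a or b:
        ma, mb = re.match(r"[^0-9]*", a), re.match(r"[^0-9]*", b)
        r = _cmp_nondigit(ma.group(), mb.group())
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"[0-9]*", a), re.match(r"[0-9]*", b)
        na, nb = int(ma.group() or "0"), int(mb.group() or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0


def _split(version: str):
    # [epoch:]upstream[-debian_revision]; the revision is after the LAST '-'
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same ordering as dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    return compare_versions(installed, fixed) >= 0


def hll_mitigation(user: str) -> str:
    # Interim mitigation named in the advisory: deny the HyperLogLog commands
    # (PFADD/PFCOUNT/PFMERGE/...) to an application user via the ACL system.
    return f"ACL SETUSER {user} -@hyperloglog"


if __name__ == "__main__":
    import subprocess
    # Ask dpkg for the installed version when available; else use a constructed sample.
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "redis-server"],
                             capture_output=True, text=True, check=True)
        installed = out.stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        installed = "5:6.0.16-1+deb11u6"   # constructed sample, one revision behind
    if is_fixed(installed):
        print(f"redis-server {installed}: DLA-4240-1 fix present")
    else:
        print(f"redis-server {installed}: not fixed, upgrade to {FIXED_VERSION}")
        print("interim mitigation for CVE-2025-32023:", hll_mitigation("app"))
```

The comparison deliberately follows dpkg rather than a naive string or float compare: `5:6.0.16-1+deb11u10` must sort above `+deb11u7`, and a backport revision such as `1~bpo11+1` must sort below `1`, which is where ad-hoc checks usually go wrong. The ACL rule only covers CVE-2025-32023; the advisory's fixed package is the remedy for both issues.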