• Bug#1104010: redis: CVE-2025-21605

    From Salvatore Bonaccorso@21:1/5 to All on Thu Apr 24 09:00:01 2025
    Source: redis
    Version: 5:7.0.15-3
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
    Control: found -1 5:7.0.15-1~deb12u3
    Control: found -1 5:7.0.15-1

    Hi,

    The following vulnerability was published for redis.

    CVE-2025-21605[0]:
    | Redis is an open source, in-memory database that persists on disk.
    | In versions starting at 2.6 and prior to 7.4.3, an unauthenticated
    | client can cause unlimited growth of output buffers, until the
    | server runs out of memory or is killed. By default, the Redis
    | configuration does not limit the output buffer of normal clients
    | (see client-output-buffer-limit). Therefore, the output buffer can
    | grow unlimitedly over time. As a result, the service is exhausted
    | and the memory is unavailable. When password authentication is
    | enabled on the Redis server, but no password is provided, the client
    | can still cause the output buffer to grow from "NOAUTH" responses
    | until the system will run out of memory. This issue has been patched
    | in version 7.4.3. An additional workaround to mitigate this problem
    | without patching the redis-server executable is to block access to
    | prevent unauthenticated users from connecting to Redis. This can be
    | done in different ways. Either using network access control tools
    | like firewalls, iptables, security groups, etc., or enabling TLS and
    | requiring users to authenticate using client side certificates.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-21605
    https://www.cve.org/CVERecord?id=CVE-2025-21605
    [1] https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
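    The advisory's mitigation without patching is configuration: bound the normal-client output buffer (client-output-buffer-limit) so a client that never reads its replies, including the NOAUTH error replies an unauthenticated client collects, cannot grow the buffer until the server is out of memory. The following audit script is an added example, not part of this bug report or of Redis; the redis.conf text it checks is constructed, and the 64mb/16mb/60 values it writes are illustrative limits, not values the advisory prescribes.

```python
"""Audit a redis.conf for the CVE-2025-21605 exposure described in the advisory:
normal-client output buffers left at the unlimited Redis default, which is
worse when requirepass is set because unauthenticated clients then pile up
NOAUTH replies.  Added example; the sample config below is constructed."""
import re

# Size suffixes accepted in redis.conf: 1k = 1000 bytes, 1kb = 1024 bytes, ...
_UNITS = {"": 1, "b": 1, "k": 1000, "kb": 1024, "m": 1000 ** 2, "mb": 1024 ** 2,
          "g": 1000 ** 3, "gb": 1024 ** 3}

# Constructed sample: auth enabled, normal clients unlimited (hard=0 soft=0).
WEAK_CONF = """\
# constructed sample redis.conf, mirrors the defaults the advisory describes
bind 0.0.0.0
requirepass "example-password"
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
"""


def parse_size(tok):
    """Convert a redis.conf size token such as '64mb' to bytes."""
    m = re.fullmatch(r"(\d+)([a-zA-Z]*)", tok)
    if not m:
        raise ValueError(f"bad size token: {tok!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def _directives(conf_text):
    """Yield the whitespace-split fields of each non-comment config line."""
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield parts


def parse_limits(conf_text):
    """Return {client_class: (hard_bytes, soft_bytes, soft_seconds)}; the last
    client-output-buffer-limit directive for a class wins, as in Redis."""
    limits = {}
    for parts in _directives(conf_text):
        if len(parts) == 5 and parts[0].lower() == "client-output-buffer-limit":
            limits[parts[1].lower()] = (parse_size(parts[2]), parse_size(parts[3]),
                                        int(parts[4]))
    return limits


def audit(conf_text):
    """Return a list of findings (empty list means the checked condition is absent)."""
    limits = parse_limits(conf_text)
    # Only requirepass is checked here; ACL-file based auth is not parsed.
    auth_enabled = any(p[0].lower() == "requirepass" and len(p) > 1
                       and p[1].strip('"') != "" for p in _directives(conf_text))
    hard, soft, _ = limits.get("normal", (0, 0, 0))  # absent directive = Redis default
    findings = []
    if hard == 0 and soft == 0:
        findings.append("normal clients: output buffer unlimited (Redis default); "
                        "a client that never reads replies can grow it until OOM")
        if auth_enabled:
            findings.append("requirepass is set, but unauthenticated clients still "
                            "accumulate NOAUTH replies with no buffer limit")
    return findings


def harden(conf_text, hard="64mb", soft="16mb", soft_seconds=60):
    """Return the config with a bounded normal-client limit (illustrative values):
    the existing 'normal' directive is replaced, or one is appended if missing."""
    new_line = f"client-output-buffer-limit normal {hard} {soft} {soft_seconds}"
    out, replaced = [], False
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if (len(parts) >= 2 and parts[0].lower() == "client-output-buffer-limit"
                and parts[1].lower() == "normal"):
            out.append(new_line)
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(WEAK_CONF):
        print("FINDING:", finding)
    print("after hardening:", audit(harden(WEAK_CONF)) or "no findings")
```

The soft limit plus its time window is what makes the bound useful against a slow reader: a client that stays above the soft limit for longer than the window is disconnected rather than allowed to accumulate replies indefinitely. Upgrading to a fixed package (7.4.3 upstream, or the Debian versions named later in this report) remains the primary fix; the limit and the network restrictions the advisory lists are the defence in depth around it.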
  • From Debian Bug Tracking System@21:1/5 to All on Fri May 9 23:10:01 2025
    This is a multi-part message in MIME format...

    Your message dated Fri, 09 May 2025 21:06:02 +0000
    with message-id <E1uDUuw-009k7b-8G@fasolo.debian.org>
    and subject line Bug#1104010: fixed in redis 5:7.0.15-3.1
    has caused the Debian Bug report #1104010,
    regarding redis: CVE-2025-21605
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1104010: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104010
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

    Received: (at submit) by bugs.debian.org; 24 Apr 2025 06:49:21 +0000
    X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02
    (2021-04-09) on buxtehude.debian.org
    X-Spam-Level:
    X-Spam-Status: No, score=-109.3 required=4.0 tests=BAYES_00,DKIMWL_WL_HIGH,
    DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FOURLA,FROMDEVELOPER,
    SPF_HELO_NONE,SPF_NONE,UNPARSEABLE_RELAY,USER_IN_DKIM_WELCOMELIST,
    USER_IN_DKIM_WHITELIST,XMAILER_REPORTBUG autolearn=ham
    autolearn_force=no version=3.4.6-bugs.debian.org_2005_01_02
    X-Spam-Bayes: score:0.0000 Tokens: new, 26; hammy, 150; neutral, 111; spammy,
    0. spammytokens:
    hammytokens:0.000-+--Hx-spam-relays-external:sk:stravin,
    0.000-+--H*RT:sk:stravin, 0.000-+--Hx-spam-relays-external:311,
    0.000-+--H*RT:311, 0.000-+--H*RT:108
    Return-path: <carnil@debian.org>
    Received: from stravinsky.debian.org ([2001:41b8:202:deb::3
  • From Debian Bug Tracking System@21:1/5 to All on Sat May 10 19:30:02 2025
    This is a multi-part message in MIME format...

    Your message dated Sat, 10 May 2025 17:17:10 +0000
    with message-id <E1uDnp0-00Dcnl-Dv@fasolo.debian.org>
    and subject line Bug#1104010: fixed in redis 5:7.0.15-1~deb12u4
    has caused the Debian Bug report #1104010,
    regarding redis: CVE-2025-21605
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1104010: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104010
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
