• Bug#1108975: redis: CVE-2025-32023

    From Salvatore Bonaccorso@21:1/5 to All on Tue Jul 8 21:40:01 2025
    Source: redis
    Version: 5:8.0.0-2
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for redis.

    CVE-2025-32023[0]:
    | Redis is an open source, in-memory database that persists on disk.
    | From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an
    | authenticated user may use a specially crafted string to trigger a
    | stack/heap out of bounds write on hyperloglog operations,
    | potentially leading to remote code execution. The bug likely affects
    | all Redis versions with hyperloglog operations implemented. This
    | vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An
    | additional workaround to mitigate the problem without patching the
    | redis-server executable is to prevent users from executing
    | hyperloglog operations. This can be done using ACL to restrict HLL
    | commands.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-32023
    https://www.cve.org/CVERecord?id=CVE-2025-32023
    [1] https://github.com/redis/redis/security/advisories/GHSA-rp2m-q4j6-gr43
    [2] https://github.com/redis/redis/commit/50188747cbfe43528d2719399a2a3c9599169445

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
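The advisory's workaround above is to deny HyperLogLog commands through Redis ACLs. As an added example (not part of the bug report or of the Redis project's code), the Python below audits `ACL LIST` output by replaying each user's command rules in order and reporting which enabled users can still run an HLL command; the sample ACL lines, user names and password placeholders are constructed, and the command-to-category map is an assumption to be verified against the server's own `COMMAND INFO`.

```python
# HLL commands mapped to their ACL categories. Assumption: approximated from
# the Redis command docs; verify with `COMMAND INFO` on the audited server.
HLL_COMMANDS = {
    "pfadd":      {"write", "hyperloglog", "fast"},
    "pfcount":    {"read", "hyperloglog", "slow"},
    "pfmerge":    {"write", "hyperloglog", "slow"},
    "pfdebug":    {"write", "hyperloglog", "admin", "slow"},
    "pfselftest": {"hyperloglog", "admin", "slow", "dangerous"},
}

def hll_allowed(rules):
    """Replay ACL rules in order (later rules win) and return the HLL commands
    the user may run. Key (~), channel (&), password and on/off tokens are skipped."""
    allowed = set()
    for tok in rules:
        tok = {"allcommands": "+@all", "nocommands": "-@all"}.get(tok.lower(), tok.lower())
        if tok[0] not in "+-":
            continue
        grant, target = tok[0] == "+", tok[1:].split("|", 1)[0]
        if target.startswith("@"):
            cat = target[1:]
            hit = {c for c, cats in HLL_COMMANDS.items() if cat == "all" or cat in cats}
        elif target in HLL_COMMANDS:
            hit = {target}
        else:
            continue  # rule about a non-HLL command, irrelevant here
        allowed = (allowed | hit) if grant else (allowed - hit)
    return allowed

def audit_acl_list(acl_list_output):
    """Return {user: sorted exposed HLL commands} for enabled users only."""
    findings = {}
    for line in acl_list_output.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "user" or "on" not in parts[2:]:
            continue  # malformed line or disabled user
        exposed = hll_allowed(parts[2:])
        if exposed:
            findings[parts[1]] = sorted(exposed)
    return findings
# Constructed sample ACL LIST output (not from a real server); hashes are placeholders.
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #<sha256-placeholder> ~app:* &* +@all -@hyperloglog
user sloppy on #<sha256-placeholder> ~* &* -@hyperloglog +@all
user metrics on #<sha256-placeholder> ~stats:* &* -@all +@read +pfcount
user legacy off nopass ~* &* +@all
"""
for user, cmds in audit_acl_list(SAMPLE_ACL_LIST).items():
    print(f"{user}: can run {', '.join(cmds)} -> fix: ACL SETUSER {user} -@hyperloglog")
```

Rule order matters: `-@hyperloglog +@all` re-grants the commands, which is why `sloppy` is flagged while `app` is not. On a live Redis 7.x server, `ACL DRYRUN <user> PFADD k v` gives the authoritative answer.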
  • From Chris Lamb@21:1/5 to All on Thu Jul 10 21:40:01 2025
    Hello Security Team,

    Would you be interested in a bullseye update for redis in order to
    address the two latest CVEs?

    That would be:

    * CVE-2025-32023 (#1108975)
    * CVE-2025-48367 (#1108981)

    I'm preparing parallel updates for buster, stretch and buster, as well
    as an update for unstable (#1108985)


    Regards,

    --
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

  • From Debian Bug Tracking System@21:1/5 to All on Sat Jul 12 20:40:01 2025

    Your message dated Sat, 12 Jul 2025 18:34:10 +0000
    with message-id <E1uaf34-00Ag1Y-4u@fasolo.debian.org>
    and subject line Bug#1108975: fixed in redis 5:8.0.2-2
    has caused the Debian Bug report #1108975,
    regarding redis: CVE-2025-32023
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1108975: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108975
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Debian Bug Tracking System@21:1/5 to All on Sat Aug 2 19:20:02 2025

    Your message dated Sat, 02 Aug 2025 17:17:23 +0000
    with message-id <E1uiFrH-0093rj-0T@fasolo.debian.org>
    and subject line Bug#1108975: fixed in redis 5:7.0.15-1~deb12u5
    has caused the Debian Bug report #1108975,
    regarding redis: CVE-2025-32023
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1108975: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108975
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
