Format: 1.8
Date: Tue, 08 Mar 2022 11:05:56 +0000
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0~rc2-2
Distribution: experimental
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1005787
Changes:
 redis (5:7.0~rc2-2) experimental; urgency=high
 .
   * CVE-2022-0543: Prevent a Debian-specific Lua sandbox escape vulnerability.
 .
     This vulnerability existed because the Lua library in Debian is
     provided as a dynamic library. A "package" variable was automatically
     populated that in turn permitted access to arbitrary Lua functionality.
     As this extended to, for example, the "execute" function from the "os"
     module, an attacker with the ability to execute arbitrary Lua code
     could potentially execute arbitrary shell commands.
 .
     Thanks to Reginaldo Silva <https://www.ubercomp.com> for discovering
     and reporting this issue. (Closes: #1005787)