Format: 1.8
Date: Fri, 17 Jun 2022 10:09:07 +0100
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.1-4
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 977852 981000 982122 983446 988045 989351 1005787 1011187 1012658
Changes:
 redis (5:7.0.1-4) unstable; urgency=medium
 .
   * Upload 7.x branch to unstable.
   * Update gbp.conf.
 .
 redis (5:7.0.1-3) experimental; urgency=medium
 .
   * Fix crash when systemd's ProcSubset=pid. /proc/sys/vm/overcommit_memory
     was inaccessible and a log warning message was incorrectly constructed.
   * Add missing CPPFLAGS when building hdr_histogram.
   * Update Lintian overrides:
     - Ignore maintainer-manual-page warnings.
     - Ignore very-long-line-length-in-source-file warnings.
   * Update my entry in debian/copyright.
   * Update and renumber patches.
 .
 redis (5:7.0.1-2) experimental; urgency=medium
 .
   * Drop support (in patches, etc.) for using the systemwide hiredis and Lua,
     reverting to using the built-in cjson (etc.). (Closes: #1012658)
   * Add an internal timeout for the cluster tests to prevent FTBFS.
     (Closes: #1011187)
   * Drop a duplicate comment in debian/rules.
 .
 redis (5:7.0.1-1) experimental; urgency=medium
 .
   * New upstream release.
   * Refresh patches.
 .
 redis (5:7.0.0-1) experimental; urgency=medium
 .
   * New upstream release.
     - Disable, hopefully temporarily, the use of the systemwide Lua due to
       Redis' fork gaining security/hardening features (e.g.
       lua_enablereadonlytable).
     - Refresh patches.
 .
 redis (5:7.0~rc3-1) experimental; urgency=medium
 .
   * New upstream release.
     - Refresh patches.
 .
 redis (5:7.0~rc2-2) experimental; urgency=high
 .
   * CVE-2022-0543: Prevent a Debian-specific Lua sandbox escape vulnerability.
 .
     This vulnerability existed because the Lua library in Debian is provided
     as a dynamic library. A "package" variable was automatically populated
     that in turn permitted access to arbitrary Lua functionality. As this
     extended to, for example, the "execute" function from the "os" module, an
     attacker with the ability to execute arbitrary Lua code could potentially
     execute arbitrary shell commands.
 .
     Thanks to Reginaldo Silva <https://www.ubercomp.com> for discovering and
     reporting this issue. (Closes: #1005787)
 .
 redis (5:7.0~rc2-1) experimental; urgency=medium
 .
   * New upstream RC release.
     - Refresh patches.
 .
 redis (5:7.0~rc1-1) experimental; urgency=medium
 .
   * New upstream 7.x release candidate.
   * Refresh patches.
   * Set some DEP-3 forwarded headers.
 .
 redis (5:6.2.6-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-32762: Integer to heap buffer overflow issue in redis-cli and
       redis-sentinel parsing large multi-bulk replies on some older and less
       common platforms.
 .
     - CVE-2021-32687: Integer to heap buffer overflow with intsets, when
       set-max-intset-entries is manually configured to a non-default, very
       large value.
 .
     - CVE-2021-32675: Denial of service when processing RESP request payloads
       with a large number of elements on many connections.
 .
     - CVE-2021-32672: Random heap reading issue with Lua Debugger.
 .
     - CVE-2021-32628: Integer to heap buffer overflow handling ziplist-encoded
       data types, when configuring a large, non-default value for
       hash-max-ziplist-entries, hash-max-ziplist-value,
       zset-max-ziplist-entries or zset-max-ziplist-value.
 .
     - CVE-2021-32627: Integer to heap buffer overflow issue with streams, when
       configuring a non-default, large value for proto-max-bulk-len and
       client-query-buffer-limit.
 .
     - CVE-2021-32626: Specially crafted Lua scripts may result in a heap
       buffer overflow.
 .
     - CVE-2021-41099: Integer to heap buffer overflow handling certain string
       commands and network payloads, when proto-max-bulk-len is manually
       configured to a non-default, very large value.
 .
   * Refresh patches.
   * Bump Standards-Version to 4.6.0.
 .
 redis (5:6.2.5-4) experimental; urgency=medium
 .
   * Use /run instead of /var/run for PID and UNIX socket files. Thanks to
     @MichaIng-guest for the patch. (Closes: lamby/pkg-redis!5)
 .
 redis (5:6.2.5-3) experimental; urgency=medium
 .
   * Skip OOM-related tests on incompatible platforms. (Closes: #982122)
 .
 redis (5:6.2.5-2) experimental; urgency=medium
 .
   * Explicitly specify USE_JEMALLOC to override upstream's detection of ARM
     systems. This was affecting reproducibility as the aarch64 kernel flavour
     was using Jemalloc whilst armv7l was not.
   * Increase the verbosity of logging when testing. (Re: #991476)
 .
 redis (5:6.2.5-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-32761: Integer overflow issues with BITFIELD command on 32-bit
       systems.
   * Bump Standards-Version to 4.5.1.
 .
 redis (5:6.2.4-1) experimental; urgency=medium
 .
   * CVE-2021-32625: Fix a vulnerability in the STRALGO LCS command.
     (Closes: #989351)
   * Refresh patches.
 .
 redis (5:6.2.3-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-29477: Vulnerability in the STRALGO LCS command.
     - CVE-2021-29478: Vulnerability in the COPY command for large intsets.
     (Closes: #988045)
   * Refresh patches.
 .
 redis (5:6.2.2-1) experimental; urgency=medium
 .
   * New upstream release.
   * Apply wrap-and-sort -sa.
   * Refresh patches.
 .
 redis (5:6.2.1-1) experimental; urgency=medium
 .
   * New upstream release.
 .
 redis (5:6.2.0-1) experimental; urgency=medium
 .
   * New upstream release, incorporating some security fixes. (Closes: #983446)
   * Refresh patches.
 .
 redis (5:6.2~rc3-1) experimental; urgency=medium
 .
   * New upstream RC release.
     - Refresh patches.
 .
 redis (5:6.2~rc2-2) experimental; urgency=medium
 .
   * Also remove the /etc/redis directory in purge.
   * Allow /etc/redis to be rewritten. Thanks to Yossi Gottlieb for the patch.
     (Closes: #981000)
 .
 redis (5:6.2~rc2-1) experimental; urgency=medium
 .
   * New upstream release.
   * Refresh patches.
 .
 redis (5:6.2~rc1-3) experimental; urgency=medium
 .
   * Specify "--supervised systemd" now that we specify "Type=notify" to
     prevent failure under systemd. Thanks to Michael Prokop for the report.
 .
 redis (5:6.2~rc1-2) experimental; urgency=medium
 .
   [ Michael Prokop ]
   * Enable systemd support by compiling against libsystemd-dev.
     (Closes: #977852)
 .
   [ Chris Lamb ]
   * Use Type=notify to use systemd supervisor when generating our systemd
     service files.
   * Explicitly request systemd support when building the package.
 .
 redis (5:6.2~rc1-1) experimental; urgency=medium
 .
   * New upstream RC release.
     - Update patches.
   * Bump Standards-Version to 4.5.1.
Checksums-Sha1:
 7f7409c42deadaa07d227b2049abaed94a7073de 2266 redis_7.0.1-4.dsc
 c60ad61ab13ab1ed9d2488c416835625deb1c836 27936 redis_7.0.1-4.debian.tar.xz
 7b230149d690c614e46866fd7ac58e980d231cbd 7391 redis_7.0.1-4_amd64.buildinfo
Checksums-Sha256:
 b0376e296ee104a3d5c68ca77c0c800eb271d3a55be80eb2b7dca7e064b0adf3 2266 redis_7.0.1-4.dsc
 99cc0886fd636d462b10d02e84006bcd439528da20493503377a188ce5f23547 27936 redis_7.0.1-4.debian.tar.xz
 9d51799bfcd3d9e9fe7ecba648e4cc91fb65ad08469ff6b7c3fb88138e80344a 7391 redis_7.0.1-4_amd64.buildinfo
Files:
 3641c22a323ea16796841f83fa27046f 2266 database optional redis_7.0.1-4.dsc
 569b43e4b99669b6911c5b4c09bd779b 27936 database optional redis_7.0.1-4.debian.tar.xz
 a592befb1c55f6861764f64bc181a6b5 7391 database optional redis_7.0.1-4_amd64.buildinfo