-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 20 Aug 2022 08:22:24 -0700
Source: redis
Binary: redis redis-sentinel redis-server redis-tools redis-tools-dbgsym
Built-For-Profiles: nocheck
Architecture: source amd64 all
Version: 5:7.0.4-1~bpo11+1
Distribution: bullseye-backports
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 redis      - Persistent key-value database with network interface (metapackage)
 redis-sentinel - Persistent key-value database with network interface (monitoring)
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 977852 981000 982122 983446 988045 989351 1005787 1011187 1012658 1013172
Changes:
 redis (5:7.0.4-1~bpo11+1) bullseye-backports; urgency=medium
 .
   * Rebuild for bullseye-backports.
 .
 redis (5:7.0.4-1) unstable; urgency=high
 .
   * New upstream security release.
   * CVE-2022-31144: Prevent a potential heap overflow in Redis 7.0's
     XAUTOCLAIM command.
 .
 redis (5:7.0.3-1) unstable; urgency=medium
 .
   * New upstream release.
   * Refresh patches.
   * Bump Standards-Version to 4.6.1.
 .
 redis (5:7.0.2-2) unstable; urgency=medium
 .
   * Add /lib to allowed ExecPaths to support both usr-merged and
     non-usr-merged systems. Thanks to Christian Göttsche for the report.
     (Closes: #1013172)
 .
 redis (5:7.0.2-1) unstable; urgency=medium
 .
   * New upstream release.
   * Drop 0005-Fix-crash-when-systemd-ProcSubset-pid.patch; applied upstream.
 .
 redis (5:7.0.1-4) unstable; urgency=medium
 .
   * Upload 7.x branch to unstable.
   * Update gbp.conf.
 .
 redis (5:7.0.1-3) experimental; urgency=medium
 .
   * Fix crash when systemd's ProcSubset=pid. /proc/sys/vm/overcommit_memory
     was inaccessible and a log warning message was incorrectly constructed.
   * Add missing CPPFLAGS when building hdr_histogram.
   * Update Lintian overrides:
     - Ignore maintainer-manual-page warnings.
     - Ignore very-long-line-length-in-source-file warnings.
   * Update my entry in debian/copyright.
   * Update and renumber patches.
 .
 redis (5:7.0.1-2) experimental; urgency=medium
 .
   * Drop support (in patches, etc.) for using the systemwide hiredis and
     Lua, reverting to using the built-in cjson (etc.). (Closes: #1012658)
   * Add an internal timeout for the cluster tests to prevent FTBFS.
     (Closes: #1011187)
   * Drop a duplicate comment in debian/rules.
 .
 redis (5:7.0.1-1) experimental; urgency=medium
 .
   * New upstream release.
   * Refresh patches.
 .
 redis (5:7.0.0-1) experimental; urgency=medium
 .
   * New upstream release.
     - Disable, hopefully temporarily, the use of the systemwide Lua due to
       Redis' fork gaining security/hardening features
       (eg. lua_enablereadonlytable).
     - Refresh patches.
 .
 redis (5:7.0~rc3-1) experimental; urgency=medium
 .
   * New upstream release.
     - Refresh patches.
 .
 redis (5:7.0~rc2-2) experimental; urgency=high
 .
   * CVE-2022-0543: Prevent a Debian-specific Lua sandbox escape
     vulnerability.
 .
     This vulnerability existed because the Lua library in Debian is provided
     as a dynamic library. A "package" variable was automatically populated
     that in turn permitted access to arbitrary Lua functionality. As this
     extended to, for example, the "execute" function from the "os" module,
     an attacker with the ability to execute arbitrary Lua code could
     potentially execute arbitrary shell commands.
 .
     Thanks to Reginaldo Silva <https://www.ubercomp.com> for discovering
     and reporting this issue. (Closes: #1005787)
 .
 redis (5:7.0~rc2-1) experimental; urgency=medium
 .
   * New upstream RC release.
     - Refresh patches.
 .
 redis (5:7.0~rc1-1) experimental; urgency=medium
 .
   * New upstream 7.x release candidate.
   * Refresh patches.
   * Set some DEP-3 forwarded headers.
 .
 redis (5:6.2.6-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-32762: Integer to heap buffer overflow issue in redis-cli and
       redis-sentinel parsing large multi-bulk replies on some older and less
       common platforms.
 .
     - CVE-2021-32687: Integer to heap buffer overflow with intsets, when
       set-max-intset-entries is manually configured to a non-default, very
       large value.
 .
     - CVE-2021-32675: Denial Of Service when processing RESP request
       payloads with a large number of elements on many connections.
 .
     - CVE-2021-32672: Random heap reading issue with Lua Debugger.
 .
     - CVE-2021-32628: Integer to heap buffer overflow handling
       ziplist-encoded data types, when configuring a large, non-default
       value for hash-max-ziplist-entries, hash-max-ziplist-value,
       zset-max-ziplist-entries or zset-max-ziplist-value.
 .
     - CVE-2021-32627: Integer to heap buffer overflow issue with streams,
       when configuring a non-default, large value for proto-max-bulk-len
       and client-query-buffer-limit.
 .
     - CVE-2021-32626: Specially crafted Lua scripts may result with Heap
       buffer overflow.
 .
     - CVE-2021-41099: Integer to heap buffer overflow handling certain
       string commands and network payloads, when proto-max-bulk-len is
       manually configured to a non-default, very large value.
 .
   * Refresh patches.
   * Bump Standards-Version to 4.6.0.
 .
 redis (5:6.2.5-4) experimental; urgency=medium
 .
   * Use /run instead of /var/run for PID and UNIX socket files. Thanks to
     @MichaIng-guest for the patch. (Closes: lamby/pkg-redis!5)
 .
 redis (5:6.2.5-3) experimental; urgency=medium
 .
   * Skip OOM-related tests on incompatible platforms. (Closes: #982122)
 .
 redis (5:6.2.5-2) experimental; urgency=medium
 .
   * Explicitly specify USE_JEMALLOC to override upstream's detection of ARM
     systems. This was affecting reproducibility as the aarch64 kernel
     flavour was using Jemalloc whilst armv7l was not.
   * Increase the verbosity of logging when testing. (Re: #991476)
 .
 redis (5:6.2.5-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-32761: Integer overflow issues with BITFIELD command on
       32-bit systems.
   * Bump Standards-Version to 4.5.1.
 .
 redis (5:6.2.4-1) experimental; urgency=medium
 .
   * CVE-2021-32625: Fix a vulnerability in the STRALGO LCS command.
     (Closes: #989351)
   * Refresh patches.
 .
 redis (5:6.2.3-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-29477: Vulnerability in the STRALGO LCS command.
     - CVE-2021-29478: Vulnerability in the COPY command for large intsets.
     (Closes: #988045)
   * Refresh patches.
 .
 redis (5:6.2.2-1) experimental; urgency=medium
 .
   * New upstream release.
   * Apply wrap-and-sort -sa.
   * Refresh patches.
 .
 redis (5:6.2.1-1) experimental; urgency=medium
 .
   * New upstream release.
 .
 redis (5:6.2.0-1) experimental; urgency=medium
 .
   * New upstream release, incorporating some security fixes.
     (Closes: 983446)
   * Refresh patches.
 .
 redis (5:6.2~rc3-1) experimental; urgency=medium
 .
   * New upstream RC release.
     - Refresh patches.
 .
 redis (5:6.2~rc2-2) experimental; urgency=medium
 .
   * Also remove the /etc/redis directory in purge.
   * Allow /etc/redis to be rewritten. Thanks to Yossi Gottlieb for the
     patch. (Closes: #981000)
 .
 redis (5:6.2~rc2-1) experimental; urgency=medium
 .
   * New upstream release.
   * Refresh patches.
 .
 redis (5:6.2~rc1-3) experimental; urgency=medium
 .
   * Specify "--supervised systemd" now that we specify "Type=notify" to
     prevent failure under systemd. Thanks to Michael Prokop for the report.
 .
 redis (5:6.2~rc1-2) experimental; urgency=medium
 .
   [ Michael Prokop ]
   * Enable systemd support by compiling against libsystemd-dev.
     (Closes: #977852)
 .
   [ Chris Lamb ]
   * Use Type=notify to use systemd supervisor when generating our systemd
     service files.
   * Explicitly request systemd support when building the package.
 .
 redis (5:6.2~rc1-1) experimental; urgency=medium
 .
   * New upstream RC release.
     - Update patches.
   * Bump Standards-Version to 4.5.1.
Checksums-Sha1:
 291cfeeaf92a64971c85a7f461599669e4baedda 2298 redis_7.0.4-1~bpo11+1.dsc
 8999fa9ce69ef130164446e46bea2ff244ec1d2c 2994242 redis_7.0.4.orig.tar.gz
 c933f27c112cc8058973e410b9cfec20960a8491 27900 redis_7.0.4-1~bpo11+1.debian.tar.xz
 3f13e126d3aa8e6bd518b7428a372918294edcf7 43016 redis-sentinel_7.0.4-1~bpo11+1_amd64.deb
 29c25ef65c7b3b40bae9ebfcefbf8466a56d93a6 81844 redis-server_7.0.4-1~bpo11+1_amd64.deb
 7fd5a847ccb2d31fd3453396a1ac3cc5424ffe58 2620460 redis-tools-dbgsym_7.0.4-1~bpo11+1_amd64.deb
 c3e881e17086daa49b59dccafc6f486097b1c3cd 991300 redis-tools_7.0.4-1~bpo11+1_amd64.deb
 099839d760c98dd4516686e4b5e80bb9b4113855 34008 redis_7.0.4-1~bpo11+1_all.deb
 0dc968db642dbd0b2491c5d9a58686486e6af85f 7819 redis_7.0.4-1~bpo11+1_amd64.buildinfo
Checksums-Sha256:
 b6d430e91ba93b9f164f586270a778bf778c25cb525de493fecf9e5671a8d988 2298 redis_7.0.4-1~bpo11+1.dsc
 1eeacd656e6b6e45aee3c4037dd098932979d3853220bbeb84cb35ca7ef6d2ca 2994242 redis_7.0.4.orig.tar.gz
 af1785e0b996de1f56e1745b3014acb04e8796e1d3c4a42a894ed6b7a8fec8f0 27900 redis_7.0.4-1~bpo11+1.debian.tar.xz
 fd885c02e20e47e7be4bb03ff42be03df552ea9d907b6c155cd24b3edfc8f336 43016 redis-sentinel_7.0.4-1~bpo11+1_amd64.deb
 6867f37e8d0c5bf64f9f31be5fee0b7d3cf425dfcb3369b1dd464697aebdf035 81844 redis-server_7.0.4-1~bpo11+1_amd64.deb
 1865df0c38f7242499bdfb83031cd5e7c7a13ffa4c1dc00da25fbd865672c9e6 2620460 redis-tools-dbgsym_7.0.4-1~bpo11+1_amd64.deb
 f34891733f04339ad6eea7d896e04f771f19d8e076964aa892ef14a09780e949 991300 redis-tools_7.0.4-1~bpo11+1_amd64.deb
 8c8bdab5235e174c4ecabdad62231605eb7c401df0e93cbc00422a596839eb8d 34008 redis_7.0.4-1~bpo11+1_all.deb
 547c75baf5e1c6a20513f59e6c98bc15fd830e51a236c50541227393a5f6efc8 7819 redis_7.0.4-1~bpo11+1_amd64.buildinfo
Files:
 7a22363ddd746f026cc7ce9a55fead99 2298 database optional redis_7.0.4-1~bpo11+1.dsc
 3a2ce76ef8f5ca3cc6463c487f2d532c 2994242 database optional redis_7.0.4.orig.tar.gz
 657894833cc9d87a6290c9ea9b91595e 27900 database optional redis_7.0.4-1~bpo11+1.debian.tar.xz
 d5e2d2ba41956b96c86f6cf1c6605ee8 43016 database optional redis-sentinel_7.0.4-1~bpo11+1_amd64.deb
 294e157a820ecdd1bf4fd40101f0a840 81844 database optional redis-server_7.0.4-1~bpo11+1_amd64.deb
 076040297be23773d692b781853a03fe 2620460 debug optional redis-tools-dbgsym_7.0.4-1~bpo11+1_amd64.deb
 25566e1f0023344e61a66719b7ea57b8 991300 database optional redis-tools_7.0.4-1~bpo11+1_amd64.deb
 831b8bd14f8c739f7f734ec89e46f320 34008 database optional redis_7.0.4-1~bpo11+1_all.deb
 2685c72429726bb806d2546ddfb8c2fa 7819 database optional redis_7.0.4-1~bpo11+1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmMA/ecACgkQHpU+J9Qx
HlgqVg/9FcRtavrSU2+G9HlSlmKqatwPYbFdZENDFs9S/QQM/E/NplDgXhs3QlWY
JKCC0KxvU/98onLMBAqwfPjtuSXELsrvgLafx2oRL5vTmyRiCKxZZ/x8mt680LXA
WQ7FihFycPvKPrPVIneZ60vpmCH4U0YlFTSB4aBTRwJdR0XOmChzdC0Nkfovm9cp
b4YerVxeG7hlLBFxu83p1Clp2qDSNmeAf6IQNyXLXIta1Csn95rl2zxzCqn9aRUc
EqsRgVuPx25yGmQgg7PcVYu31FERPKF/7Cey0hWRa2EDODMvAopEGvOQu+UU+Tsn
efqnkjY+s1Bqn3XtBUVFgYpIKRu/JtxsPsEp6bRC+YD1rjBfOqGqqBH0vbUh4yoC
oS6kB5q0AqvaN52abzlj1KVfeW/rL0rzpHj+nu5VrJFVo27teUJcENat9yIJSDGH
3XrNE25+ppIzH5EqnTyM4QD2nvvkdj9W5tgegRaxcXPKn5aa8cGb3ao635kVbVFr
+YGSER0L6VefAKDT4QHmft/JCRas6Uw8K/vQ1+pU4LvmWlQ7yPWAsx0bI5oHAMq0
Qry5pS5iT+6zXvUTqmVmTb6QNX50BU9Opmeth3sPoxahuA7Rpr6k3Oho18vKw9kX
/izR9id7uigCTTtHzJKgL2C9XWuw89/+JlQVe8GaQQtFcCOnuu8=
=Yhrj
-----END PGP SIGNATURE-----