Redis for Debian and Ubuntu is vulnerable to CVE-2022-24834

Chris Lamb lamby at debian.org
Mon Jul 17 16:40:14 UTC 2023


Hi Reginaldo,

> I'm sending this as a heads up for you folks to pick up last week's
> Redis bugfix if you haven't already, especially
> https://github.com/redis/redis/commit/936cfa464f371666c46bff59f7c4247d48973ec6

Thanks for the heads-up. As I understand it, this is CVE-2022-24834
which has been fixed in sid (in version 5:7.0.12-1) and experimental
(in 5:7.2-rc3-1).

However, given that it requires a) authenticated access to the Redis
instance; and then b) the ability to execute arbitrary EVAL commands,
we will not be issuing a DSA for this particular CVE:

  https://security-tracker.debian.org/tracker/CVE-2022-24834


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org 🍥 chris-lamb.co.uk
       `-
