Redis for debian and Ubuntu is vulnerable to CVE-2022-24834
Chris Lamb
lamby at debian.org
Mon Jul 17 16:40:14 UTC 2023
Hi Reginaldo,
> I'm sending this as a heads up for you folks to pick up last-week's
> Redis bugfix if you haven't already, especially
> https://github.com/redis/redis/commit/936cfa464f371666c46bff59f7c4247d48973ec6
Thanks for the heads-up. As I understand it, this is CVE-2022-24834
which has been fixed in sid (in version 5:7.0.12-1) and experimental
(in 5:7.2-rc3-1).
However, given that it requires a) authenticated access to the Redis
instance; and then b) the ability to execute arbitrary EVAL commands,
we will not be issuing a DSA for this particular CVE:
https://security-tracker.debian.org/tracker/CVE-2022-24834
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby at debian.org 🍥 chris-lamb.co.uk
`-
More information about the Ubuntu-devel-discuss
mailing list