Redis for Debian and Ubuntu is vulnerable to CVE-2022-24834

Reginaldo Silva reginaldo at ubercomp.com
Mon Jul 17 17:27:26 UTC 2023


Cool.

TIL that I should really be testing these against sid.

Cheers,

Reginaldo

On Mon, Jul 17, 2023 at 1:40 PM Chris Lamb <lamby at debian.org> wrote:
>
> Hi Reginaldo,
>
> > I'm sending this as a heads up for you folks to pick up last-week's
> > Redis bugfix if you haven't already, especially
> > https://github.com/redis/redis/commit/936cfa464f371666c46bff59f7c4247d48973ec6
>
> Thanks for the heads-up. As I understand it, this is CVE-2022-24834
> which has been fixed in sid (in version 5:7.0.12-1) and experimental
> (in 5:7.2-rc3-1).
>
> However, given that it requires a) authenticated access to the Redis
> instance; and then b) the ability to execute arbitrary EVAL commands,
> we will not be issuing a DSA for this particular CVE:
>
>   https://security-tracker.debian.org/tracker/CVE-2022-24834
>
>
> Regards,
>
> --
>       ,''`.
>      : :'  :     Chris Lamb
>      `. `'`      lamby at debian.org 🍥 chris-lamb.co.uk
>        `-
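A defender-side check for the two preconditions Chris names (an authenticated user, and that user being allowed to run EVAL), as an added example that is not part of this thread: it evaluates `ACL LIST` lines in rule order and compares a dpkg version string against the fixed sid version quoted above. The ACL lines are constructed, and the version comparison is a simplified assumption rather than a full dpkg comparison; none of this is Debian's or Redis's own code.

```python
import re

FIXED_DEBIAN_VERSION = "5:7.0.12-1"  # version named in the thread as fixed in sid


def debian_version_key(version: str):
    """Simplified Debian version key: (epoch, numeric upstream parts).
    Assumption: adequate for the 5:7.x versions discussed; not a full dpkg compare."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream = rest.split("-")[0]
    return (int(epoch), tuple(int(n) for n in re.findall(r"\d+", upstream)))


def is_package_fixed(installed: str) -> bool:
    """True when the installed package version is at or past the fixed sid version."""
    return debian_version_key(installed) >= debian_version_key(FIXED_DEBIAN_VERSION)


def user_can_eval(acl_line: str) -> bool:
    """Evaluate one `ACL LIST` line: True if the user is enabled and its command
    rules, applied left to right as Redis does, leave EVAL permitted.
    Only the selectors relevant here (@all, @scripting, eval) are modelled."""
    tokens = acl_line.split()
    if tokens[:1] != ["user"]:
        raise ValueError("expected an ACL LIST line starting with 'user'")
    enabled = allowed = False
    for tok in tokens[2:]:
        if tok == "on":
            enabled = True
        elif tok == "off":
            enabled = False
        elif tok in ("+@all", "allcommands", "+@scripting", "+eval"):
            allowed = True
        elif tok in ("-@all", "nocommands", "-@scripting", "-eval"):
            allowed = False
    return enabled and allowed


def users_exposed(acl_list):
    """(username, needs_no_password) for every enabled user that can run EVAL.
    A `nopass` user means any client that can connect is already 'authenticated'."""
    out = []
    for line in acl_list:
        if user_can_eval(line):
            toks = line.split()
            out.append((toks[1], "nopass" in toks))
    return out


# Constructed sample of ACL LIST output (password hashes replaced by placeholders).
SAMPLE_ACL = [
    "user default on nopass ~* &* +@all",
    "user app on #<sha256-placeholder> ~app:* &* +@all -@scripting",
    "user batch on #<sha256-placeholder> ~* &* -@all +@read +eval",
    "user old off nopass ~* &* +@all",
]

if __name__ == "__main__":
    print("package fixed:", is_package_fixed("5:7.0.11-1"))
    print("users able to EVAL:", users_exposed(SAMPLE_ACL))
```

Feed it the real `redis-cli ACL LIST` output and `dpkg-query -W -f '${Version}' redis-server` to get the same report for a live host.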
