• Bug#1108985: unblock/preapproval: redis/5:8.0.2-2

    From Chris Lamb@1:229/2 to All on Tue Jul 8 23:50:01 2025
    XPost: linux.debian.devel.release
    From: [email protected]

    Package: release.debian.org
    User: [email protected]
    Usertags: unblock

    Dear Release Team,

    Please consider pre-approval for redis 5:8.0.2-2:

    redis (5:8.0.2-2) unstable; urgency=high

    * CVE-2025-32023: An authenticated user may have used a specially-crafted
    string to trigger a stack/heap out-of-bounds write during hyperloglog
    operations, potentially leading to remote code execution. Installations
    that used Redis' ACL system to restrict hyperloglog "HLL" commands are
    unaffected by this issue. (Closes: #1108975)
    * CVE-2025-48367: An unauthenticated connection could have caused repeated IP
    protocol errors, leading to client starvation and ultimately to a
    Denial of Service (DoS). (Closes: #1108981)

    redis (5:8.0.2-1) unstable; urgency=medium

    * New upstream security release:

    - CVE-2025-27151: Fix a stack-based buffer overflow in redis-check-aof
    caused by the use of memcpy with strlen(filepath) when copying a
    user-supplied file path into a fixed-size stack buffer. This allowed an
    attacker to overflow the stack and potentially achieve arbitrary code
    execution. (Closes: #1106822)

    * Update debian/watch to consider 8.x versions again after the recent
    licensing change.

    -- Chris Lamb <[email protected]> Fri, 30 May 2025 12:05:58 -0700


    The full debdiff is attached.


    Regards,

    --
    ,''`.
    : :' : Chris Lamb
    `. `'` [email protected] / chris-lamb.co.uk
    `-



    [SoupGate killed MIME-encoded file debdiff (201566 bytes)]



    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
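    The CVE-2025-27151 changelog entry above describes a memcpy with
    strlen(filepath) into a fixed-size stack buffer. The C program below is an
    added illustration of that bug class next to its bounded replacement; it is
    not redis-check-aof's code, and the 64-byte buffer size, the function names
    and the sample path are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed stack buffer; redis-check-aof's real size is not
 * stated in the thread above. */
#define PATH_BUF_SIZE 64

/*
 * The vulnerable shape: the copy length comes from the attacker-controlled
 * string rather than from the destination, so a path of PATH_BUF_SIZE bytes
 * or more writes past the end of 'buf'. Shown for contrast only; never call
 * it with untrusted input.
 */
void copy_path_unchecked(const char *filepath, char *buf)
{
    size_t len = strlen(filepath);
    memcpy(buf, filepath, len);   /* length bounded by the input, not the buffer */
    buf[len] = '\0';              /* the terminator lands out of bounds as well */
}

/*
 * Hardened shape: bound the copy by the destination and reject input that
 * does not fit, leaving room for the terminating NUL. Returns 0 on success,
 * -1 when the path is too long for the buffer.
 */
int copy_path_checked(const char *filepath, char *buf, size_t bufsize)
{
    size_t len = strlen(filepath);
    if (bufsize == 0 || len >= bufsize)
        return -1;
    memcpy(buf, filepath, len);
    buf[len] = '\0';
    return 0;
}

/* Would this path have overflowed a PATH_BUF_SIZE stack buffer? 1 = yes. */
int path_would_overflow(const char *filepath)
{
    return strlen(filepath) >= PATH_BUF_SIZE;
}

/* A caller in the style of a CLI tool: copies its argument into a stack
 * buffer through the checked routine. 0 = accepted, -1 = rejected. */
int check_aof_path(const char *filepath)
{
    char buf[PATH_BUF_SIZE];
    return copy_path_checked(filepath, buf, sizeof buf);
}

/* Builds a constructed path of n 'A' bytes and runs it through
 * check_aof_path(); probes the boundary without touching any real file. */
int check_constructed_path(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return -1;
    memset(p, 'A', n);
    p[n] = '\0';
    int rc = check_aof_path(p);
    free(p);
    return rc;
}

int main(void)
{
    /* Constructed sample input, not taken from a real AOF manifest. */
    const char *ok = "appendonly.aof.1.base.rdb";
    printf("%s: %s\n", ok, check_aof_path(ok) == 0 ? "accepted" : "rejected");
    printf("%d-byte path: %s\n", PATH_BUF_SIZE - 1,
           check_constructed_path(PATH_BUF_SIZE - 1) == 0 ? "accepted" : "rejected");
    printf("%d-byte path: %s\n", 4096,
           check_constructed_path(4096) == 0 ? "accepted" : "rejected");
    return 0;
}
```

    The `len >= bufsize` comparison is the whole fix: it reserves the byte for
    the NUL and turns an out-of-bounds stack write into a refused argument.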
  • From Sebastian Ramacher@21:1/5 to Chris Lamb on Sat Jul 12 13:00:01 2025

    Control: tags -1 moreinfo confirmed

    On 2025-07-08 14:43:54 -0700, Chris Lamb wrote:
    > Package: release.debian.org
    > User: [email protected]
    > Usertags: unblock
    >
    > Dear Release Team,
    >
    > Please consider pre-approval for redis 5:8.0.2-2

    Please go ahead and remove the moreinfo tag once the package is
    available in unstable.

    Cheers


    --
    Sebastian Ramacher

  • From Chris Lamb@21:1/5 to Sebastian Ramacher on Sat Jul 12 20:30:01 2025

    tags 1108985 - moreinfo
    thanks

    Sebastian Ramacher wrote:

    >> Please consider pre-approval for redis 5:8.0.2-2
    >
    > Please go ahead and remove the moreinfo tag once the package is
    > available in unstable.

    Thanks. Uploaded now via Debusine [0].

    [0] https://debusine.debian.net/debian/developers/work-request/120284/


    --
    ,''`.
    : :' : Chris Lamb
    `. `'` [email protected] 🍥 chris-lamb.co.uk
    `-

  • From Paul Gevers@21:1/5 to Chris Lamb on Sun Jul 13 09:30:01 2025
    To: [email protected]

    Hi Chris,

    On 12-07-2025 20:15, Chris Lamb wrote:
    > Thanks. Uploaded now via Debusine [0].
    >
    >    [0] https://debusine.debian.net/debian/developers/work-request/120284/

    Debusine shows that the autopkgtest of python-redis fails with the new
    version. This regression also happens after your upload to unstable and
    it is blocking the migration. Can you please assess the situation and
    report back? The test fails with LOLWUT in the error message and I also
    see LOLWUT improvements mentioned in the redis diff. Is this unintended
    behavior change?

    Paul

  • From Chris Lamb@21:1/5 to All on Mon Jul 14 21:50:01 2025

    Hi Paul,

    > The test fails with LOLWUT in the error message and I also
    > see LOLWUT improvements mentioned in the redis diff. Is this unintended
    > behavior change?

    Oh, sigh. It does appear to be kinda "intended" and that command's
    'Easter Egg' status meant that I paid little attention to the changes…
    especially as they were made in 8.0.2 and not in 8.0.0 where one might
    expect them.

    Still, I think it's a bug that said output does not contain the
    version number as all the previous versions of the LOLWUT output do.
    To that end, I've patched [0] Redis and forwarded the change to
    upstream [1].

    [0] https://salsa.debian.org/lamby/pkg-redis/-/commit/aaa4dfc7442ff78fcda766faf2a184342713de9b
    [1] https://github.com/redis/redis/pull/14195

    I've also prepared another upload (5:8.0.2-3) that simply includes this
    change (debdiff attached), and here is a Debusine run that shows the lack
    of python-redis regression:

    https://debusine.debian.net/debian/developers/work-request/120838/

    The errors here are for gitlab and php-horde-hashtable (bad
    dependencies), and proftpd-dfsg fails too, although outside of any
    Redis-related tests.



    Regards,

    --
    ,''`.
    : :' : Chris Lamb
    `. `'` [email protected] 🍥 chris-lamb.co.uk
    `-


    Attachment: debdiff.txt (cut off by the gateway after the lines below)

    diff --git debian/changelog debian/changelog
    index 96a4fe78..b1c8d019 100644
    --- debian/changelog
    +++ debian/changelog
    @@ -1,3 +1,11 @@
    +redis (5:8.0.2-3) unstable; urgency=medium
    +
    +  * Add a patch to re-add "Redis ver. $REDIS_VERSION" output to the LOLWUT
    +    ~Easter Egg command output as a some testsuites were relying on it
    +    existing. This upstream change was made in 8.0.2, not in 8.0.0.
    +
    + -- Chris Lamb <lamby@debian.org>  Mon, 14 Jul 2025 09:47:32 -0700
    +
     redis (5:8.0.2-2) unstable; urgency=high
     
       * CVE-2025-3202
    [attachment truncated here]
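    Review bot: the new 5:8.0.2-3 changelog entry in the attached debdiff carries a stray article and a stray tilde on the line `+    ~Easter Egg command output as a some testsuites were relying on it`; suggest `Easter Egg command output, as some test suites were relying on it` so the entry reads cleanly in the shipped changelog. Separately, the attachment as carried in this thread stops after the `  * CVE-2025-3202` context line, so the debian/patches file the entry refers to is not visible here; the Salsa commit and the upstream pull request linked in the message body are the only record of its contents on this page.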
  • From Paul Gevers@21:1/5 to Chris Lamb on Tue Jul 15 10:30:01 2025
    To: [email protected]

    Hi Chris,

    On 14-07-2025 21:47, Chris Lamb wrote:
    > Still, I think it's a bug that said output does not contain the
    > version number as all the previous versions of the LOLWUT output do.

    I do regularly wonder how smart tests like these are, to check for some
    magic string in an output. A change like this shouldn't cause issues.

    > I've also prepared another upload (5:8.0.2-3) that simply includes this
    > change (debdiff attached),

    But yes, let's do this now to resolve it. But I'd not push too hard on
    upstream to put this back, instead python-redis could improve their
    testing instead. But I'll leave that to you.

    >   https://debusine.debian.net/debian/developers/work-request/120838/
    >
    > The errors here are for gitlab and php-horde-hashtable (bad
    > dependencies), and proftpd-dfsg fails too, although outside of any
    > Redis-related tests.

    The failure in debusine's autopkgtest is a bit opaque to me, can it be
    retried on the debusine infrastructure to check if it's flaky?

    Paul

  • From Chris Lamb@21:1/5 to All on Tue Jul 15 19:30:01 2025

    Hi Paul,

    > I do regularly wonder how smart tests like these are, to check for some
    > magic string in an output. A change like this shouldn't cause issues.

    Indeed. (Curiously, I think we hit a similar issue with one of the Perl
    Redis libraries as well.)

    >> I've also prepared another upload (5:8.0.2-3) that simply includes this
    >> change (debdiff attached),
    >
    > But yes, let's do this now to resolve it. But I'd not push too hard on
    > upstream to put this back, instead python-redis could improve their
    > testing instead. But I'll leave that to you.

    Agreed — I won't push too hard as it could also be fixed there.

    >>   https://debusine.debian.net/debian/developers/work-request/120838/
    >>
    >> The errors here are for gitlab and php-horde-hashtable (bad
    >> dependencies), and proftpd-dfsg fails too, although outside of any
    >> Redis-related tests.
    >
    > The failure in debusine's autopkgtest is a bit opaque to me, can it be
    > retried on the debusine infrastructure to check if it's flaky?

    Retrying these tests now… okay, no change in the results. Wish we
    had 'reference' tests on Debusine like we do on the Freexian CI!


    Regards,

    --
    ,''`.
    : :' : Chris Lamb
    `. `'` [email protected] 🍥 chris-lamb.co.uk
    `-

  • From Colin Watson@21:1/5 to Paul Gevers on Thu Jul 17 15:10:02 2025

    On Thu, Jul 17, 2025 at 01:33:12PM +0200, Paul Gevers wrote:
    > On 15-07-2025 19:17, Chris Lamb wrote:
    >>> The failure in debusine's autopkgtest is a bit opaque to me, can it be
    >>> retried on the debusine infrastructure to check if it's flaky?
    >>
    >> Retrying these tests now… okay, no change in the results. Wish we
    >> had 'reference' tests on Debusine like we do on the Freexian CI!
    >
    > Seeing this is a permission issue, is debusine's autopkgtest always
    > failing on debusine infrastructure? I assume so. As the release date
    > is getting close, can we have the upload please?

    It's likely because of insufficient isolation of some kind, since those
    test cases require either a privileged container or a VM, and Debusine
    doesn't necessarily pick the right defaults for that sort of thing at
    the moment. It should work on ci.debian.net, so please just ignore this
    failure for now.

    --
    Colin Watson (he/him) [[email protected]]

  • From Colin Watson@21:1/5 to Colin Watson on Thu Jul 17 18:20:02 2025

    On Thu, Jul 17, 2025 at 02:03:37PM +0100, Colin Watson wrote:
    > On Thu, Jul 17, 2025 at 01:33:12PM +0200, Paul Gevers wrote:
    >> Seeing this is a permission issue, is debusine's autopkgtest always
    >> failing on debusine infrastructure? I assume so. As the release date
    >> is getting close, can we have the upload please?
    >
    > It's likely because of insufficient isolation of some kind, since
    > those test cases require either a privileged container or a VM, and
    > Debusine doesn't necessarily pick the right defaults for that sort of
    > thing at the moment. It should work on ci.debian.net, so please just
    > ignore this failure for now.

    https://salsa.debian.org/freexian-team/debusine/-/merge_requests/2066
    should at least make this clearer. But there's no need to block on that
    from the redis point of view.

    --
    Colin Watson (he/him) [[email protected]]

  • From Chris Lamb@21:1/5 to Colin Watson on Thu Jul 17 18:20:02 2025

    Colin Watson wrote:

    >>> Retrying these tests now… okay, no change in the results. Wish we
    >>> had 'reference' tests on Debusine like we do on the Freexian CI!
    >>
    >> Seeing this is a permission issue, is debusine's autopkgtest always
    >> failing on debusine infrastructure? I assume so. As the release date
    >> is getting close, can we have the upload please?
    >
    > It's likely because of insufficient isolation of some kind, since those
    > test cases require either a privileged container or a VM, and Debusine
    > doesn't necessarily pick the right defaults for that sort of thing at
    > the moment. It should work on ci.debian.net, so please just ignore this
    > failure for now.

    Okay, uploading with the patch now.

    Incidentally, the patch (or a very minor variant thereof) will be accepted
    by upstream:

    https://github.com/redis/redis/pull/14195


    Regards,

    --
    ,''`.
    : :' : Chris Lamb
    `. `'` [email protected] 🍥 chris-lamb.co.uk
    `-
