redis (5:7.0.15-1~deb12u5) bookworm-security; urgency=high

  * CVE-2025-27151: Fix a stack-based buffer overflow in redis-check-aof
    caused by the use of memcpy with strlen(filepath) when copying a
    user-supplied file path into a fixed-size stack buffer. This allowed an
    attacker to overflow the stack and potentially achieve arbitrary code
    execution. (Closes: #1106822)
  * CVE-2025-32023: An authenticated user may have used a specially-crafted
    string to trigger a stack/heap out-of-bounds write during hyperloglog
    operations, potentially leading to remote code execution. Installations
    that used Redis' ACL system to restrict hyperloglog "HLL" commands are
    unaffected by this issue. (Closes: #1108975)
  * CVE-2025-48367: An unauthenticated connection could have caused repeated
    IP protocol errors, leading to client starvation and ultimately becoming
    a Denial of Service (DoS) attack. (Closes: #1108981)

 -- Chris Lamb <lamby@debian.org>  Wed, 23 Jul 2025 13:01:37 -0700

redis (5:7.0.15-1~deb12u4) bookworm; urgency=medium

  * Non-maintainer upload.
  * CVE-2025-21605: Limit output buffer for unauthenticated clients
    (Closes: #1104010)

 -- Adrian Bunk <bunk@debian.org>  Fri, 09 May 2025 19:15:20 +0300

redis (5:7.0.15-1~deb12u3) bookworm-security; urgency=medium

  * Non-maintainer upload.
  * CVE-2024-46981: LUA garbage collector code execution
  * CVE-2024-51741: DoS due to malformed ACL selectors
  * Closes: #1092370

 -- Adrian Bunk <bunk@debian.org>  Sun, 19 Jan 2025 12:41:08 +0200

redis (5:7.0.15-1~deb12u2) bookworm; urgency=medium

  * Non-maintainer upload.
  * CVE-2024-31227: DoS with malformed ACL selectors
  * CVE-2024-31228: unbounded pattern matching DoS
  * CVE-2024-31449: Lua bit library stack overflow
  * Closes: 1084805

 -- Adrian Bunk <bunk@debian.org>  Thu, 28 Nov 2024 23:28:52 +0200

redis (5:7.0.15-1~deb12u1) bookworm-security; urgency=high

  * Rebuild of 5:7.0.15-1 from sid for bookworm-security.
  * Revert replacing a dependency on lsb-base with sysvinit-utils
    (from 5:7.0.12-2).

 -- Chris Lamb <lamby@debian.org>  Tue, 16 Jan 2024 10:13:26 +0000

redis (5:7.0.15-1) unstable; urgency=medium

  * New upstream security release:
    - CVE-2023-41056: In some cases, Redis may incorrectly handle resizing of
      memory buffers which can result in incorrect accounting of buffer sizes
      and lead to heap overflow and potential remote code execution.
      (Closes: #1060316)
    - For more information, please see:
      <https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES>
  * Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Tue, 09 Jan 2024 13:42:30 +0000

redis (5:7.0.14-2) unstable; urgency=medium

  * Drop ProcSubset=pid hardening flag from the systemd unit files; it appears
    to cause crashes with memory allocation errors. A huge thanks to Arnaud
    Rebillout <arnaudr@kali.org> for the extensive investigation.
    (Closes: #1055039)

 -- Chris Lamb <lamby@debian.org>  Tue, 31 Oct 2023 16:34:25 +0100

redis (5:7.0.14-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2023-45145: On startup, Redis began listening on a Unix socket
      before adjusting its permissions to the user-provided configuration. If
      a permissive umask(2) was used, this created a race condition that
      enabled, during a short period of time, another process to establish an
      otherwise unauthorized connection. (Closes: #1054225)
  * Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Thu, 19 Oct 2023 15:50:56 +0100

redis (5:7.0.13-2) unstable; urgency=medium

  * Only install systemd units once. Thanks, Helmut Grohne.
    (Closes: #1054091)

 -- Chris Lamb <lamby@debian.org>  Tue, 17 Oct 2023 11:15:21 +0100

redis (5:7.0.13-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2023-41053: Redis did not correctly identify keys accessed by
      `SORT_RO`, and as a result Redis may grant users executing this command
      access to keys that are not explicitly authorized by the ACL
      configuration. (Closes: #1051512)
      <https://raw.githubusercontent.com/redis/redis/7.2/00-RELEASENOTES>
  * Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Fri, 08 Sep 2023 14:04:13 -0700

redis (5:7.0.12-2) unstable; urgency=medium

  * Try and clean up better. (Closes: #1047506)
  * Allow arm64 crossbuild to run but not to fail the build if, for instance,
    build-dependencies cannot be satisfied.
  * Replace dependency on lsb-base with sysvinit-utils.
  * Drop very debian/NEWS entry.

 -- Chris Lamb <lamby@debian.org>  Thu, 24 Aug 2023 10:33:48 -0700

redis (5:7.0.12-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2022-24834: A specially-crafted Lua script executing in Redis could
      have triggered a heap overflow in the cjson and cmsgpack libraries and
      result in heap corruption and potentially remote code execution. The
      problem exists in all versions of Redis with Lua scripting support and
      affects only authenticated/authorised users.
    - CVE-2023-36824: Extracting key names from a command and a list of
      arguments may, in some cases, have triggered a heap overflow and result
      in reading random heap memory, heap corruption and potentially remote
      code execution. (Specifically using COMMAND GETKEYS* and validation of
      key names in ACL rules). (Closes: #1040879)
    For more information, please see:
    <https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES>

 -- Chris Lamb <lamby@debian.org>  Wed, 12 Jul 2023 10:07:09 +0100

redis (5:7.0.11-1+deb12u1) bookworm; urgency=medium

  * Drop ProcSubset=pid hardening flag from the systemd unit files; it causes
    difficult-to-reproduce crashes with memory allocation errors. A big thanks
    to Arnaud Rebillout <arnaudr@kali.org> for the extensive investigation.
    (Closes: #1055039)
  * Update debian/gbp.conf for the debian/bookworm branch.

 -- Chris Lamb <lamby@debian.org>  Thu, 02 Nov 2023 15:24:45 +0100

redis (5:7.0.11-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2023-28856: Authenticated users could have used the HINCRBYFLOAT
      command to create an invalid hash field that would have crashed the
      Redis server on access.
      (Closes: #1034613)
    For more information, please see:
    https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES
  * Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Thu, 20 Apr 2023 07:38:23 +0100

redis (5:7.0.10-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2023-28425: Unauthenticated users could have used the MSETNX command
      to trigger a runtime assertion and termination of the Redis server
      process. (Closes: #1033340)
  * Refresh patches.
  * Bump Standards-Version.
  * Extend our USE_SYSTEM_JEMALLOC patch to support latest version.

 -- Chris Lamb <lamby@debian.org>  Sat, 25 Mar 2023 13:04:38 +0000

redis (5:7.0.9-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2023-25155: Authenticated users issuing specially crafted
      `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an
      integer overflow, resulting in a runtime assertion and termination of
      the Redis server process. (Closes: #1032279)
    - CVE-2022-36021: Authenticated users can use string matching commands
      (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a
      denial-of-service attack on Redis, causing it to hang and consume 100%
      CPU time.
  * Refresh patches.
  * Extend our USE_SYSTEM_JEMALLOC patch to support latest version.

 -- Chris Lamb <lamby@debian.org>  Sat, 04 Mar 2023 11:01:59 +0000

redis (5:7.0.8-4) unstable; urgency=medium

  * Correct "delaycompress" typo in redis-server.logrotate, not just
    redis-sentinel.logrotate. (Closes: #1031750)

 -- Chris Lamb <lamby@debian.org>  Tue, 21 Feb 2023 16:48:01 -0800

redis (5:7.0.8-3) unstable; urgency=medium

  * Correct "delaycompress" typo. (Closes: #1031206)

 -- Chris Lamb <lamby@debian.org>  Mon, 13 Feb 2023 08:39:23 -0800

redis (5:7.0.8-2) unstable; urgency=medium

  * Add delaycompress to logrotate configuration. Thanks, Marc Haber.
    (Closes: #1029844)

 -- Chris Lamb <lamby@debian.org>  Mon, 30 Jan 2023 08:11:34 -0800

redis (5:7.0.8-1) unstable; urgency=high

  * New upstream release.
    <https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES>
  * CVE-2023-22458: Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER
    commands may have led to denial-of-service. (Closes: #1029363)
  * CVE-2022-35977: Integer overflow in the Redis SETRANGE and SORT/SORT_RO
    commands could have driven Redis to an OOM panic.

 -- Chris Lamb <lamby@debian.org>  Sun, 22 Jan 2023 08:46:14 -0800

redis (5:7.0.7-1) unstable; urgency=medium

  * New upstream release.
  * Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Sat, 17 Dec 2022 10:21:39 +0000

redis (5:7.0.5-1) unstable; urgency=medium

  * New upstream security release:
    - CVE-2022-35951: Fix a heap overflow vulnerability in XAUTOCLAIM.
      Executing an XAUTOCLAIM command on a stream key in a specific state,
      with a specially crafted COUNT argument may have caused an integer
      overflow, a subsequent heap overflow and potentially lead to remote code
      execution. (Closes: #1020512)
  * Refresh patches.
  * Update debian/watch.

 -- Chris Lamb <lamby@debian.org>  Fri, 23 Sep 2022 11:12:24 +0100

redis (5:7.0.4-1) unstable; urgency=high

  * New upstream security release.
  * CVE-2022-31144: Prevent a potential heap overflow in Redis 7.0's
    XAUTOCLAIM command.

 -- Chris Lamb <lamby@debian.org>  Mon, 18 Jul 2022 15:49:44 +0100

redis (5:7.0.3-1) unstable; urgency=medium

  * New upstream release.
  * Refresh patches.
  * Bump Standards-Version to 4.6.1.

 -- Chris Lamb <lamby@debian.org>  Sat, 16 Jul 2022 07:27:57 +0100

redis (5:7.0.2-2) unstable; urgency=medium

  * Add /lib to allowed ExecPaths to support both usr-merged and
    non-usr-merged systems. Thanks to Christian Göttsche for the report.
    (Closes: #1013172)

 -- Chris Lamb <lamby@debian.org>  Sun, 19 Jun 2022 11:12:13 +0100

redis (5:7.0.2-1) unstable; urgency=medium

  * New upstream release.
  * Drop 0005-Fix-crash-when-systemd-ProcSubset-pid.patch; applied upstream.

 -- Chris Lamb <lamby@debian.org>  Fri, 17 Jun 2022 14:34:25 +0100

redis (5:7.0.1-4) unstable; urgency=medium

  * Upload 7.x branch to unstable.
  * Update gbp.conf.

 -- Chris Lamb <lamby@debian.org>  Fri, 17 Jun 2022 10:09:07 +0100

redis (5:7.0.1-3) experimental; urgency=medium

  * Fix crash when systemd's ProcSubset=pid. /proc/sys/vm/overcommit_memory
    was inaccessible and a log warning message was incorrectly constructed.
  * Add missing CPPFLAGS when building hdr_histogram.
  * Update Lintian overrides:
    - Ignore maintainer-manual-page warnings.
    - Ignore very-long-line-length-in-source-file warnings.
  * Update my entry in debian/copyright.
  * Update and renumber patches.

 -- Chris Lamb <lamby@debian.org>  Fri, 17 Jun 2022 10:09:03 +0100

redis (5:7.0.1-2) experimental; urgency=medium

  * Drop support (in patches, etc.) for using the systemwide hiredis and Lua,
    reverting to using the built-in cjson (etc.). (Closes: #1012658)
  * Add an internal timeout for the cluster tests to prevent FTBFS.
    (Closes: #1011187)
  * Drop a duplicate comment in debian/rules.

 -- Chris Lamb <lamby@debian.org>  Tue, 14 Jun 2022 15:41:53 +0100

redis (5:7.0.1-1) experimental; urgency=medium

  * New upstream release.
  * Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Sat, 11 Jun 2022 07:34:58 +0100

redis (5:7.0.0-1) experimental; urgency=medium

  * New upstream release.
    - Disable, hopefully temporarily, the use of the systemwide Lua due to
      Redis' fork gaining security/hardening features (eg.
      lua_enablereadonlytable).
    - Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Sat, 30 Apr 2022 16:19:20 -0700

redis (5:7.0~rc3-1) experimental; urgency=medium

  * New upstream release.
    - Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Thu, 14 Apr 2022 09:20:33 +0100

redis (5:7.0~rc2-2) experimental; urgency=high

  * CVE-2022-0543: Prevent a Debian-specific Lua sandbox escape vulnerability.
    This vulnerability existed because the Lua library in Debian is provided
    as a dynamic library. A "package" variable was automatically populated
    that in turn permitted access to arbitrary Lua functionality.
    As this extended to, for example, the "execute" function from the "os"
    module, an attacker with the ability to execute arbitrary Lua code could
    potentially execute arbitrary shell commands. Thanks to Reginaldo Silva
    <https://www.ubercomp.com> for discovering and reporting this issue.
    (Closes: #1005787)

 -- Chris Lamb <lamby@debian.org>  Tue, 08 Mar 2022 11:05:56 +0000

redis (5:7.0~rc2-1) experimental; urgency=medium

  * New upstream RC release.
    - Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Sat, 05 Mar 2022 08:10:49 +0000

redis (5:7.0~rc1-1) experimental; urgency=medium

  * New upstream 7.x release candidate.
  * Refresh patches.
  * Set some DEP-3 forwarded headers.

 -- Chris Lamb <lamby@debian.org>  Sat, 05 Feb 2022 16:36:54 -0800

redis (5:6.2.6-1) experimental; urgency=medium

  * New upstream security release:
    - CVE-2021-32762: Integer to heap buffer overflow issue in redis-cli and
      redis-sentinel parsing large multi-bulk replies on some older and less
      common platforms.
    - CVE-2021-32687: Integer to heap buffer overflow with intsets, when
      set-max-intset-entries is manually configured to a non-default, very
      large value.
    - CVE-2021-32675: Denial Of Service when processing RESP request payloads
      with a large number of elements on many connections.
    - CVE-2021-32672: Random heap reading issue with Lua Debugger.
    - CVE-2021-32628: Integer to heap buffer overflow handling ziplist-encoded
      data types, when configuring a large, non-default value for
      hash-max-ziplist-entries, hash-max-ziplist-value,
      zset-max-ziplist-entries or zset-max-ziplist-value.
    - CVE-2021-32627: Integer to heap buffer overflow issue with streams, when
      configuring a non-default, large value for proto-max-bulk-len and
      client-query-buffer-limit.
    - CVE-2021-32626: Specially crafted Lua scripts may result with Heap
      buffer overflow.
    - CVE-2021-41099: Integer to heap buffer overflow handling certain string
      commands and network payloads, when proto-max-bulk-len is manually
      configured to a non-default, very large value.
  * Refresh patches.
  * Bump Standards-Version to 4.6.0.

 -- Chris Lamb <lamby@debian.org>  Mon, 04 Oct 2021 14:33:02 +0100

redis (5:6.2.5-4) experimental; urgency=medium

  * Use /run instead of /var/run for PID and UNIX socket files. Thanks to
    @MichaIng-guest for the patch. (Closes: lamby/pkg-redis!5)

 -- Chris Lamb <lamby@debian.org>  Thu, 26 Aug 2021 11:48:59 +0100

redis (5:6.2.5-3) experimental; urgency=medium

  * Skip OOM-related tests on incompatible platforms. (Closes: #982122)

 -- Chris Lamb <lamby@debian.org>  Wed, 18 Aug 2021 14:26:17 +0100

redis (5:6.2.5-2) experimental; urgency=medium

  * Explicitly specify USE_JEMALLOC to override upstream's detection of ARM
    systems. This was affecting reproducibility as the aarch64 kernel flavour
    was using Jemalloc whilst armv7l was not.
  * Increase the verbosity of logging when testing. (Re: #991476)

 -- Chris Lamb <lamby@debian.org>  Wed, 11 Aug 2021 16:45:54 +0100

redis (5:6.2.5-1) experimental; urgency=medium

  * New upstream security release:
    - CVE-2021-32761: Integer overflow issues with BITFIELD command on 32-bit
      systems.
  * Bump Standards-Version to 4.5.1.

 -- Chris Lamb <lamby@debian.org>  Wed, 21 Jul 2021 22:17:19 +0100

redis (5:6.2.4-1) experimental; urgency=medium

  * CVE-2021-32625: Fix a vulnerability in the STRALGO LCS command.
    (Closes: #989351)
  * Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Tue, 01 Jun 2021 17:33:02 +0100

redis (5:6.2.3-1) experimental; urgency=medium

  * New upstream security release:
    - CVE-2021-29477: Vulnerability in the STRALGO LCS command.
    - CVE-2021-29478: Vulnerability in the COPY command for large intsets.
    (Closes: #988045)
  * Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Tue, 04 May 2021 11:00:25 +0100

redis (5:6.2.2-1) experimental; urgency=medium

  * New upstream release.
  * Apply wrap-and-sort -sa.
  * Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Sat, 24 Apr 2021 12:37:27 +0100

redis (5:6.2.1-1) experimental; urgency=medium

  * New upstream release.

 -- Chris Lamb <lamby@debian.org>  Sat, 06 Mar 2021 11:09:08 +0000

redis (5:6.2.0-1) experimental; urgency=medium

  * New upstream release, incorporating some security fixes. (Closes: 983446)
  * Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Wed, 24 Feb 2021 10:52:50 +0000

redis (5:6.2~rc3-1) experimental; urgency=medium

  * New upstream RC release.
    - Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Wed, 03 Feb 2021 10:10:59 +0000

redis (5:6.2~rc2-2) experimental; urgency=medium

  * Also remove the /etc/redis directory in purge.
  * Allow /etc/redis to be rewritten. Thanks to Yossi Gottlieb for the patch.
    (Closes: #981000)

 -- Chris Lamb <lamby@debian.org>  Mon, 25 Jan 2021 12:46:25 +0000

redis (5:6.2~rc2-1) experimental; urgency=medium

  * New upstream release.
  * Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Mon, 25 Jan 2021 12:46:23 +0000

redis (5:6.2~rc1-3) experimental; urgency=medium

  * Specify "--supervised systemd" now that we specify "Type=notify" to
    prevent failure under systemd. Thanks to Michael Prokop for the report.

 -- Chris Lamb <lamby@debian.org>  Wed, 23 Dec 2020 10:36:55 +0000

redis (5:6.2~rc1-2) experimental; urgency=medium

  [ Michael Prokop ]
  * Enable systemd support by compiling against libsystemd-dev.
    (Closes: #977852)

  [ Chris Lamb ]
  * Use Type=notify to use systemd supervisor when generating our systemd
    service files.
  * Explicitly request systemd support when building the package.

 -- Chris Lamb <lamby@debian.org>  Tue, 22 Dec 2020 12:27:42 +0000

redis (5:6.2~rc1-1) experimental; urgency=medium

  * New upstream RC release.
    - Update patches.
  * Bump Standards-Version to 4.5.1.

 -- Chris Lamb <lamby@debian.org>  Sat, 19 Dec 2020 11:19:11 +0000

redis (5:6.0.1-1) experimental; urgency=medium

  * New upstream "General Availability" release.
    <https://raw.githubusercontent.com/antirez/redis/6.0/00-RELEASENOTES>

 -- Chris Lamb <lamby@debian.org>  Wed, 06 May 2020 16:27:19 +0100

redis (5:6.0~rc4-1) experimental; urgency=medium

  * New upstream beta release.
    <https://raw.githubusercontent.com/antirez/redis/6.0/00-RELEASENOTES>
  * Use the newly-packaged liblzf-dev package over the local version.
    (Closes: #958321)
  * Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Tue, 21 Apr 2020 11:51:41 +0100

redis (5:6.0~rc3-1) experimental; urgency=medium

  * New upstream beta release.
    <https://raw.githubusercontent.com/antirez/redis/6.0/00-RELEASENOTES>

 -- Chris Lamb <lamby@debian.org>  Wed, 15 Apr 2020 11:22:59 +0100

redis (5:6.0~rc2-1) experimental; urgency=medium

  * New upstream beta release.
    <https://raw.githubusercontent.com/antirez/redis/6.0/00-RELEASENOTES>
  * Refresh patches.

 -- Chris Lamb <lamby@debian.org>  Wed, 11 Mar 2020 13:32:21 +0000

redis (5:6.0~rc1-3) experimental; urgency=medium

  * Install openssl in the testsuite; required for generating test
    certificates.
  * Correct a typo in a previous changelog entry.

 -- Chris Lamb <lamby@debian.org>  Wed, 04 Mar 2020 08:22:14 -0800

redis (5:6.0~rc1-2) experimental; urgency=medium

  * Add support for TLS added in Redis 6.x. Thanks to Jason Perrin for the
    patch. (Closes: #951255)
  * Add a comment regarding why we export a MAKEFLAGS variable in
    debian/rules.
  * Bump Standards-Version to 4.5.0.

 -- Chris Lamb <lamby@debian.org>  Thu, 13 Feb 2020 14:20:15 +0000

redis (5:6.0~rc1-1) experimental; urgency=medium

  * New upstream RC1 release.
    <http://antirez.com/news/131>
  * Refresh patches.
  * Disable using the system hiredis for now, awaiting a new upstream
    release.

 -- Chris Lamb <lamby@debian.org>  Sat, 21 Dec 2019 15:28:01 +0000

redis (5:5.0.7-1) unstable; urgency=medium

  * New upstream bugfix release.
    <https://groups.google.com/forum/#!topic/redis-db/LYBeXlUKU6c>
  * Bump Standards-Version to 4.4.1.
  * Run wrap-and-sort -sa.

 -- Chris Lamb <lamby@debian.org>  Fri, 22 Nov 2019 20:46:19 -0500

redis (5:5.0.6-1) unstable; urgency=medium

  * New upstream release.
    <https://groups.google.com/forum/#!topic/redis-db/qTRdgyEbyYU>
  * Specify "Rules-Requires-Root: no".

 -- Chris Lamb <lamby@debian.org>  Fri, 27 Sep 2019 16:48:24 +0100

redis (5:5.0.5-2) unstable; urgency=medium

  * Sourceful upload to unstable to ensure testing migration.
  * Bump Standards-Version to 4.4.0.
  * Don't build release tags in gitlab-ci.yml.

 -- Chris Lamb <lamby@debian.org>  Sat, 20 Jul 2019 17:14:37 -0300

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog redis-tools`.
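As an added illustration of the defect class described in the 5:7.0.15-1~deb12u5 entry for CVE-2025-27151 (a memcpy sized by strlen() of a user-supplied path into a fixed-size stack buffer), the constructed C below shows that pattern next to a copy bounded by the destination size; it is not code from redis-check-aof or the Debian package, and PATH_BUF, the function names and the sample paths are assumptions.

```c
/* Constructed example, not redis-check-aof source. Shows the CVE-2025-27151
 * defect class (memcpy length taken from strlen() of untrusted input into a
 * fixed stack buffer) beside a destination-bounded copy. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256   /* hypothetical fixed buffer size */

/* Vulnerable pattern: the copy length is derived from the source, not the
 * destination, so any path of PATH_BUF bytes or more writes past 'buf' on
 * the stack. Kept only for contrast; never called with long input here. */
size_t copy_path_unsafe(const char *filepath)
{
    char buf[PATH_BUF];
    size_t len = strlen(filepath);      /* attacker-controlled length */
    memcpy(buf, filepath, len);         /* no comparison against sizeof buf */
    buf[len] = '\0';                    /* also out of bounds when len >= PATH_BUF */
    return strlen(buf);
}

/* Hardened form: bound the copy by the destination and refuse oversize
 * input rather than truncating it silently (a truncated path would name
 * the wrong file). Returns 0 on success, -1 when the path does not fit. */
int copy_path_safe(const char *filepath, char *dst, size_t dst_size)
{
    size_t len = strlen(filepath);
    if (dst_size == 0 || len >= dst_size) {
        return -1;
    }
    memcpy(dst, filepath, len);
    dst[len] = '\0';
    return 0;
}

/* Builds a constructed path of n 'A' bytes and reports whether the bounded
 * copy accepts it; exercises the oversize case without invoking UB. */
int bounded_copy_result(size_t n)
{
    char dst[PATH_BUF];
    char *path = malloc(n + 1);
    if (path == NULL) {
        return -2;
    }
    memset(path, 'A', n);
    path[n] = '\0';
    int rc = copy_path_safe(path, dst, sizeof dst);
    free(path);
    return rc;
}

int main(void)
{
    char dst[PATH_BUF];
    const char *ok = "/var/lib/redis/appendonly.aof";   /* constructed path */
    printf("short path: rc=%d (%s)\n", copy_path_safe(ok, dst, sizeof dst), dst);
    printf("4096-byte path: rc=%d\n", bounded_copy_result(4096));
    return 0;
}
```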