Trusty version (2:2.8.4-2) has not been bumped to address security vulnerabilities

Bug #1664390 reported by aren55555
This bug affects 2 people
Affects: redis (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The Trusty Redis package version is still 2.8.4. There seem to have been a number of incremental 2.8.x redis versions that have been released since 2.8.4 in Jan 2014. The most recent 2.8.x release being 2.8.24 released in Dec 2015.

A number of the versions > 2.8.4 address "Critical" security issues; 2.8.21 introduced a fix to the "Redis EVAL Lua Sandbox Escape" detailed here: http://t.co/LpGTyZmfS7

I am wondering if the Trusty packages will be updated. If shown how, I could likely take a stab at this myself.

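As an added worked example (not part of this Launchpad page, of the redis package, or of dpkg itself): a Python reimplementation of the dpkg version ordering from Debian Policy, applied to the versions named in this report. It shows the check a practitioner would want before deciding whether 2:2.8.4-2 is older than the 2.8.21 fix release: the leading "2:" is a Debian epoch, so comparing the full package version against a bare upstream version such as "2.8.21" sorts the Trusty package as *newer*, and a naive lexical comparison of "2.8.4" against "2.8.21" gets the order wrong too. The `needs_security_update` helper and its rule of copying the installed epoch onto an epoch-less fix version are this example's own assumptions.

```python
"""dpkg-style version comparison (Debian Policy 5.6.12), written as an
added example for this bug thread. Not code from the page or from dpkg."""


def _char_order(c: str) -> int:
    """Sort weight of a character inside a non-digit run: '~' sorts before
    everything (even end of string), letters before non-letters, and a
    digit or end of string counts as 0."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does:
    alternate non-digit runs (character weights) and digit runs (numeric)
    until one side differs. Returns -1, 0 or 1."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit run; an exhausted side has weight 0, so "1.0" < "1.0a"
        # but "1.0~rc1" < "1.0".
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            wa = _char_order(a[ia]) if ia < len(a) else 0
            wb = _char_order(b[ib]) if ib < len(b) else 0
            if wa != wb:
                return -1 if wa < wb else 1
            ia += 1
            ib += 1
        # Digit run, compared numerically so that 4 < 21.
        da = ""
        while ia < len(a) and a[ia].isdigit():
            da += a[ia]
            ia += 1
        db = ""
        while ib < len(b) and b[ib].isdigit():
            db += b[ib]
            ib += 1
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def parse_version(v: str):
    """Split [epoch:]upstream[-revision]; the last hyphen starts the revision."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:  # no hyphen: rpartition left everything in `revision`
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1 if a < b, 0 if equal, 1 if a > b, with epoch compared first."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub)
    if r:
        return r
    return _cmp_fragment(ra, rb)


def needs_security_update(installed: str, fixed: str) -> bool:
    """True if `installed` sorts below `fixed`.

    Assumption of this example: when `fixed` is a bare upstream version
    with no epoch (as an upstream advisory would give it), it inherits the
    installed package's epoch before the comparison. Without that step,
    2:2.8.4-2 sorts above 2.8.21 purely because of the epoch and the
    package would wrongly be reported as already fixed."""
    epoch_installed, _, _ = parse_version(installed)
    if ":" not in fixed and epoch_installed:
        fixed = f"{epoch_installed}:{fixed}"
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    trusty = "2:2.8.4-2"   # package version from the bug title
    lua_fix = "2.8.21"     # upstream release the reporter names for the Lua sandbox fix
    print("raw compare:", compare_versions(trusty, lua_fix))          # 1 (epoch wins, misleading)
    print("needs update:", needs_security_update(trusty, lua_fix))    # True
```

On a Debian-based system the same epoch effect can be observed with `dpkg --compare-versions '2:2.8.4-2' lt '2.8.21'; echo $?`, which reports false for the same reason, so fix versions taken from an upstream advisory should be carried over with the distribution package's epoch before they are compared.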
Revision history for this message
Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in redis (Ubuntu):
status: New → Confirmed
information type: Public → Public Security
Seth Arnold (seth-arnold) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in redis (Ubuntu):
status: Confirmed → Incomplete
Seth Arnold (seth-arnold) wrote:

The quickest way to get Redis updated is to find the patches that fix vulnerabilities and add them to the package. Once the package has been tested, the security team would be happy to sponsor an update. Some information on this process can be found at https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

The list of issues that we know about for Redis can be found at http://people.canonical.com/~ubuntu-security/cve/pkg/redis.html

Thanks

Andrei Coada (raziel.kernel) wrote:

The most convenient fix is to update the package to upstream v2.8.24.

I've subscribed the MOTU Team. Please help us! :)

Launchpad Janitor (janitor) wrote:

[Expired for redis (Ubuntu) because there has been no activity for 60 days.]

Changed in redis (Ubuntu):
status: Incomplete → Expired