Patch | Description | Author | Forwarded | Bugs | Origin | Last update
---|---|---|---|---|---|---
0013-CVE-2023-28856.patch | [PATCH] fix hincrbyfloat not to create a key if the new value is invalid (#11149). Check the validity of the value before performing the create operation; this prevents new data from being generated even if the request fails to execute. (cherry picked from commit bc7fe41e5857a0854d524e2a63a028e9394d2a5c) (cherry picked from commit 606a385935363ea46c0df4f40f8a949d85f7a20a) | chendianqiang <c.d_q@163.com> | no | | | 2022-08-28
0014-CVE-2023-25155.patch | [PATCH] Integer Overflow in RAND commands can lead to assertion (CVE-2023-25155). The issue happens when passing a negative long value that is greater than the max positive value that the long can store. | Oran Agra <oran@redislabs.com> | no | | | 2023-02-21
0015-CVE-2022-36021.patch | [PATCH] String pattern matching had exponential time complexity on pathological patterns (CVE-2022-36021). Authenticated users can use string matching commands with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. | Tom Levy <tomlevy93@gmail.com> | no | | | 2023-02-21
0016-CVE-2022-24834.patch | [PATCH] Lua cjson and cmsgpack integer overflow issues (CVE-2022-24834). * Fix integer overflows due to using wrong integer size. * Add assertions / panic when overflow still happens. * Deletion of dead code to avoid the need to maintain it. * Some changes are not because of bugs, but rather paranoia. * Improve cmsgpack and cjson test coverage. | Oran Agra <oran@redislabs.com> | no | | | 2023-07-02
0001-Avoid-integer-overflows-in-SETRANGE-and-SORT-CVE-202.patch | Avoid integer overflows in SETRANGE and SORT (CVE-2022-35977) (#11720). Authenticated users issuing specially crafted SETRANGE and SORT(_RO) commands can trigger an integer overflow, resulting in Redis attempting to allocate impossible amounts of memory and aborting with an OOM panic. | Oran Agra <oran@redislabs.com> | no | | | 2023-01-16
0002-Apply-security-fixes-for-CVEs-1114.patch | Apply security fixes for CVEs (#1114). Apply the security fixes for the release. (CVE-2024-31228) Potential denial-of-service due to unbounded pattern matching. | Madelyn Olson <madelyneolson@gmail.com> | no | | | 2024-10-02
0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch | Fix LUA garbage collector (CVE-2024-46981) (#1513). Reset GC state before closing the Lua VM to prevent user data from being wrongly freed while it might still be used in destructor callbacks. Created and published by Redis in their OSS branch. | Madelyn Olson <madelyneolson@gmail.com> | no | | | 2025-01-06
0012-CVE-2023-45145.patch | [PATCH] Fix issue of listen before chmod on Unix sockets (CVE-2023-45145). Before this commit, Unix socket setup performed chmod(2) on the socket file after calling listen(2). Depending on what umask is used, this could leave the file with the wrong permissions for a short period of time. As a result, another process could exploit this race condition and establish a connection that would otherwise not be possible. We now make sure the socket permissions are set up prior to calling listen(2). (cherry picked from commit a11b3bc34a054818f2ac70e50adfc542ca1cba42) | Yossi Gottlieb <yossigo@gmail.com> | no | | | 2023-10-11
0001-fix-ftbfs-on-kfreebsd.patch | fix-ftbfs-on-kfreebsd | Chris Lamb <lamby@debian.org> | no | | | 2015-10-30
debian-packaging/0003-dpkg-buildflags.patch | Add CPPFLAGS in upstream makefiles | Chris Lamb <lamby@debian.org> | no | | | 2015-10-30
debian-packaging/0007-Set-Debian-configuration-defaults.patch | Set Debian configuration defaults. | Chris Lamb <lamby@debian.org> | not-needed | | | 2017-10-10
0010-Use-get_current_dir_name-over-PATHMAX-etc.patch | Use get_current_dir_name over PATHMAX, etc. | Chris Lamb <lamby@debian.org> | no | | | 2018-01-24
0010-Add-support-for-USE_SYSTEM_JEMALLOC-flag.patch | Add support for USE_SYSTEM_JEMALLOC flag. https://github.com/antirez/redis/pull/5279 | Chris Lamb <lamby@debian.org> | no | | | 2018-08-25
0011-Add-support-for-a-USE_SYSTEM_LUA-flag.patch | Add support for a USE_SYSTEM_LUA flag. https://github.com/antirez/redis/pull/5280 | Chris Lamb <lamby@debian.org> | invalid | | | 2018-08-26
0007-Add-support-for-a-USE_SYSTEM_HIREDIS-flag.patch | Add support for a USE_SYSTEM_HIREDIS flag. | Chris Lamb <lamby@debian.org> | no | | | 2018-10-03
debian-packaging/0008-Ensure-we-use-the-modules-for-third-party-libraries.patch | Ensure we use the modules for third-party libraries. | Chris Lamb <lamby@debian.org> | not-needed | | | 2018-11-08
0009-Send-the-readiness-notification-when-we-are-ready-to.patch | Send the readiness notification when we are ready to accept connections. On a replica we do accept connections, even though commands accessing the database will operate in read-only mode. But the server is still already operational and processing commands. Not sending the readiness notification means that on a HA setup where the nodes all start as replicas (with replicaof in the config), with a replica that cannot connect to the master server and which might not come back in a predictable amount of time or at all, the service supervisor will end up timing out the service and terminating it, with no option to promote it to be the main instance. This seems counter to what the readiness notification is supposed to be signaling. Instead, send the readiness notification when we start accepting commands, and then send the various server status changes as that. | Guillem Jover <gjover@sipwise.com> | no | | | 2021-01-19