Debian Patches
Status for redis/5:7.0.15-1~deb12u7
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| debian-packaging/0001-Set-Debian-configuration-defaults.patch | Set Debian configuration defaults | Chris Lamb <lamby@debian.org> | not-needed | | | 2017-10-10 |
| 0001-Fix-FTBFS-on-kFreeBSD.patch | Fix FTBFS on kFreeBSD | Chris Lamb <lamby@debian.org> | no | | | 2015-10-30 |
| 0002-Add-CPPFLAGS-to-upstream-makefiles.patch | Add CPPFLAGS to upstream makefiles | Chris Lamb <lamby@debian.org> | no | | | 2015-10-30 |
| 0003-Use-get_current_dir_name-over-PATHMAX.patch | Use get_current_dir_name over PATHMAX, etc. | Chris Lamb <lamby@debian.org> | no | | | 2018-01-24 |
| 0004-Add-support-for-USE_SYSTEM_JEMALLOC-flag.patch | Add support for USE_SYSTEM_JEMALLOC flag. | Chris Lamb <lamby@debian.org> | yes | | | 2018-08-25 |
| 0001-Apply-security-fixes-for-CVEs-1113.patch | Apply security fixes for CVEs (#1113) Apply the security fixes for the release. (CVE-2024-31449) Lua library commands may lead to stack overflow and potential RCE. (CVE-2024-31227) Potential Denial-of-service due to malformed ACL selectors. (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern matching. | Madelyn Olson <madelyneolson@gmail.com> | no | | | 2024-10-02 |
| 0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch | Fix LUA garbage collector (CVE-2024-46981) (#1513) Reset GC state before closing the lua VM to prevent user data to be wrongly freed while still might be used on destructor callbacks. Created and published by Redis in their OSS branch. | Madelyn Olson <madelyneolson@gmail.com> | no | | | 2025-01-06 |
| 0002-Fix-Read-Write-key-pattern-selector-CVE-2024-51741-1.patch | Fix Read/Write key pattern selector (CVE-2024-51741) (#1514) The explanation on the original commit was wrong. Key based access must have a `~` in order to correctly configure which key prefixes to apply the selector to. If this is missing, a server assert will be triggered later. | Madelyn Olson <madelyneolson@gmail.com> | no | | | 2025-01-06 |
| 0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch | Limiting output buffer for unauthenticated client (CVE-2025-21605) For unauthenticated clients the output buffer is limited to prevent them from abusing it by not reading the replies | YaacovHazan <yaacov.hazan@redis.com> | no | | | 2025-04-23 |
| 0005-CVE-2025-27151.patch | Check length of AOF file name in redis-check-aof (CVE-2025-27151) Ensure that the length of the input file name does not exceed PATH_MAX | YaacovHazan <yaacov.hazan@redis.com> | no | | | 2025-05-27 |
| 0006-CVE-2025-32023.patch | Fix out of bounds write in hyperloglog commands (CVE-2025-32023) | "debing.sun" <debing.sun@redis.com> | no | | | 2025-05-07 |
| 0007-CVE-2025-48367.patch | Retry accept() even if accepted connection reports an error (CVE-2025-48367) In case of accept4() returns an error, we should check errno value and decide if we should retry accept4() without waiting next event loop iteration. | Ozan Tezcan <ozantezcan@gmail.com> | no | | | 2025-05-14 |
| CVE-2025-46817.patch | Lua script may lead to integer overflow and potential RCE (CVE-2025-46817) | Ozan Tezcan <ozantezcan@gmail.com> | no | | | 2025-06-23 |
| CVE-2025-46818.patch | Lua script can be executed in the context of another user (CVE-2025-46818) | Ozan Tezcan <ozantezcan@gmail.com> | no | | | 2025-06-23 |
| CVE-2025-49844.patch | Lua script may lead to remote code execution (CVE-2025-49844) | Mincho Paskalev <minchopaskal@gmail.com> | no | | | 2025-06-23 |
| CVE-2025-46819.patch | LUA out-of-bound read (CVE-2025-46819) | Ozan Tezcan <ozantezcan@gmail.com> | no | | | 2025-06-23 |
| CVE-2025-67733.patch | Strip CRLF from error and simple string replies (#826) Because in some cases, the client put \r\n in the command parameters. When Redis returns these parameters to the client via an error reply, the presence of \r\n in the middle can cause the client to only parse the portion before the \r\n when handling the error reply. This disrupts the protocol parsing and ultimately causes the connection to become stuck. [Backport from https://github.com/redis/redis/commit/6910256443c74057e0d83e08c61ea0021774fa6f] [Adapted for redis-7.0.15: - redis-7.0.15 already has addReplyErrorSdsSafe(); only the new addReplyErrorSdsExSafe() and addReplyStatusSafe() helpers are added. - functions.c hunk uses the pre-existing addReplyErrorSdsSafe(). - tests/unit/functions.tcl test added inside the same start_server block, before its closing brace. - tests/unit/moduleapi/reply.tcl test added inside the proto loop, before its closing brace (7.0.15 lacks the upstream "WRONGTYPE A type error" anchor). - tests/unit/scripting.tcl test added before "LUA redis.status_reply API" anchor.] | "debing.sun" <debing.sun@redis.com> | no | | | 2025-12-28 |
| CVE-2026-21863.patch | Fix for [CVE-2026-21863] Remote DoS with malformed Valkey Cluster bus message [Backport from Valkey commit https://github.com/valkey-io/valkey/commit/416939303d2550aefff73ac180f41b84c12ba6c0] [Adapted for redis-7.0.15: - redis-7.0.15 has src/cluster.c (not src/cluster_legacy.c). - The enclosing function is clusterProcessPacket() (not clusterIsValidPacket()). - Drop/keep-link return value is 1 (not 0) on redis-7.0.15. - extlen is uint16_t (not uint32_t) on redis-7.0.15; only the two new bounds-check blocks from upstream are inserted; existing declarations are unchanged. - tests/unit/cluster/packet.tcl is included verbatim; the file is not auto-registered in tests/test_helper.tcl since the upstream Valkey patch does not register it either. start_cluster, CI, R helpers used by the test all exist in redis-7.0.15.] | Roshan Khatri <rvkhatri@amazon.com> | no | | | 2026-02-23 |

All known versions for source package 'redis'
- 5:8.6.3-1 (experimental)
- 5:8.0.6-2 (sid)
- 5:8.0.6-1 (forky)
- 5:8.0.2-3+deb13u2 (trixie-security)
- 5:8.0.2-3+deb13u1 (trixie)
- 5:7.0.15-1~deb12u7 (bookworm-security)
- 5:7.0.15-1~deb12u6 (bookworm)
