Redis Lua scripting: multiple security issues #5017

antirez · 2018-06-13T10:50:36Z

The Apple Security Team, together with Alibaba and myself, identified several security issues in the Lua script engine. The full report is here:

http://antirez.com/news/119

Fixed releases are already available for Redis 3.2, 4.0 and 5.0.

carlwgeorge · 2018-06-13T18:24:48Z

Did you mean http://antirez.com/news/119? Also, are there any relevant CVE identifiers assigned for this?

antirez · 2018-06-13T18:27:34Z

Thanks @carlwgeorge, link fixed. No CVE, AFAIK CERT is going to notify directly Redis providers, which I already did btw.

lamby · 2018-06-14T06:24:44Z

notify directly Redis providers, which I already did btw.

Could I, as the @Debian maintainer, be added to such a list? Read about this first in my RSS reader :)

antirez · 2018-06-14T07:43:01Z

@lamby sure, adding you. Of course you'll not be able to patch in advance like the cloud providers, but I guess it will be possible to have the package released immediately after the announcement of the vulnerabilities. Thanks.

antirez · 2018-06-14T09:55:46Z

The following are the CVE-IDs:

CVE-2018-11218
CVE-2018-11219

lamby · 2018-06-14T12:28:01Z

you'll not be able to patch in advance like the cloud providers

Nod. Would certainly not release early but am well-used to handling embargoed patches/vulnerabilities. :)

carlwgeorge · 2018-06-14T13:05:19Z

I package redis for the IUS repository. I would like to be added as well. Same as @lamby, any advance notice would be appreciated so that I can get the RPMs out as soon after the announcement as possible.

I would also suggest looping in @natoscott, who is the package maintainer for Fedora and EPEL. Hey @natoscott, by chance do you know if redis is part of any of the Red Hat layered products/repos?

natoscott · 2018-06-14T22:27:07Z

@antirez @carlwgeorge @lamby yes I would certainly appreciate some notice, and yes Redis is part of multiple Red Hat products (I work for Red Hat, and am also well used to embargo procedures - please do consider notifying me as well, I'd really appreciate it - yesterday was a bit of a mad scramble).

antirez · 2018-06-14T22:33:42Z

@lamby @carlwgeorge @natoscott sure, please could you send me your email address at antirez/gmail?

Update CONFLICTS. <ChangeLog> Redis 4.0.10 fixes a number of important issues: * Important security issues related to the Lua scripting engine. Please check redis/redis#5017 for more information. * A bug with SCAN, SSCAN, HSCAN and ZSCAN, that may not return all the elements. We also add a regression test that can trigger the issue often when present, and may in theory be able to find unrelated regressions. * A PSYNC2 bug is fixed: Redis should not expire keys when saving RDB files because otherwise it is no longer possible to use such RDB file as a base for partial resynchronization. It no longer represents the right state. * Compatibility of AOF with RDB preamble when the RDB checksum is disabled. * Sentinel bug that in some cases prevented Sentinel to detect that the master was down immediately. A delay was added to the detection. * Other minor issues. </ChangeLog> git-svn-id: svn+ssh://svn.freebsd.org/ports/head@472828 35697150-7ecd-e111-bb59-0022644237b5

Update CONFLICTS. <ChangeLog> Redis 4.0.10 fixes a number of important issues: * Important security issues related to the Lua scripting engine. Please check redis/redis#5017 for more information. * A bug with SCAN, SSCAN, HSCAN and ZSCAN, that may not return all the elements. We also add a regression test that can trigger the issue often when present, and may in theory be able to find unrelated regressions. * A PSYNC2 bug is fixed: Redis should not expire keys when saving RDB files because otherwise it is no longer possible to use such RDB file as a base for partial resynchronization. It no longer represents the right state. * Compatibility of AOF with RDB preamble when the RDB checksum is disabled. * Sentinel bug that in some cases prevented Sentinel to detect that the master was down immediately. A delay was added to the detection. * Other minor issues. </ChangeLog>

Update CONFLICTS. <ChangeLog> Redis 4.0.10 fixes a number of important issues: * Important security issues related to the Lua scripting engine. Please check redis/redis#5017 for more information. * A bug with SCAN, SSCAN, HSCAN and ZSCAN, that may not return all the elements. We also add a regression test that can trigger the issue often when present, and may in theory be able to find unrelated regressions. * A PSYNC2 bug is fixed: Redis should not expire keys when saving RDB files because otherwise it is no longer possible to use such RDB file as a base for partial resynchronization. It no longer represents the right state. * Compatibility of AOF with RDB preamble when the RDB checksum is disabled. * Sentinel bug that in some cases prevented Sentinel to detect that the master was down immediately. A delay was added to the detection. * Other minor issues. </ChangeLog> git-svn-id: svn+ssh://svn.freebsd.org/ports/head@472828 35697150-7ecd-e111-bb59-0022644237b5

Redis 4.0.10 fixes a number of important issues: * Important security issues related to the Lua scripting engine. Please check redis/redis#5017 for more information. * A bug with SCAN, SSCAN, HSCAN and ZSCAN, that may not return all the elements. We also add a regression test that can trigger the issue often when present, and may in theory be able to find unrelated regressions. * A PSYNC2 bug is fixed: Redis should not expire keys when saving RDB files because otherwise it is no longer possible to use such RDB file as a base for partial resynchronization. It no longer represents the right state. * Compatibility of AOF with RDB preamble when the RDB checksum is disabled. * Sentinel bug that in some cases prevented Sentinel to detect that the master was down immediately. A delay was added to the detection. * Other minor issues.

xiaoaoqiankun · 2022-05-12T07:40:35Z

以下是 CVE-ID：

CVE-2018-11218 CVE-2018-11219

能不能帮忙把这个漏洞的补丁发给我，谢谢

@alexber220

redis (5:5.0.7-2) unstable; urgency=medium [ Christian Göttsche ] * Update systemd service to reflect new names, etc. * Create directories in postinst with correct SELinux context. [ Chris Lamb ] * Bump Standards-Version to 4.5.0. [ David Prévot ] * Update long description to remove duplicate information. redis (5:5.0.7-1) unstable; urgency=medium * New upstream bugfix release. <https://groups.google.com/forum/#!topic/redis-db/LYBeXlUKU6c> * Bump Standards-Version to 4.4.1. * Run wrap-and-sort -sa. redis (5:5.0.6-1) unstable; urgency=medium * New upstream release. <https://groups.google.com/forum/#!topic/redis-db/qTRdgyEbyYU> * Specify "Rules-Requires-Root: no">. redis (5:5.0.5-2) unstable; urgency=medium * Sourceful upload to unstable to ensure testing migration. * Bump Standards-Version to 4.4.0. * Don't build release tags in gitlab-ci.yml. redis (5:5.0.5-1) unstable; urgency=medium * New upstream release. <https://groups.google.com/forum/#!topic/redis-db/jSAtf64lIW4> redis (5:5.0.4-1) unstable; urgency=medium * New upstream release. <https://groups.google.com/forum/#!topic/redis-db/aXusvS8da8g> redis (5:5.0.3-4) unstable; urgency=medium [ Helmut Grohne ] * Fix cross build failure by building the non-bundled Lua libraries via dh_auto_build. (Closes: #919862) redis (5:5.0.3-3) unstable; urgency=medium * Fix FTBFS on hurd-i386 by updating patch to aof.c to avoid MAXPATHLEN reference. * debian/control: - Add missing Pre-Depends on ${misc:Pre-Depends}. - Bump Standards-Version to 4.3.0. * Bump debhelper compat level to 12. redis (5:5.0.3-2) unstable; urgency=medium * Pass --no-as-needed to ensure linking to the Lua libraries on systems with --as-needed as the default. (Closes: #916831) redis (5:5.0.3-1) unstable; urgency=medium * New upstream release. - Drop 0009-Don-t-treat-unsupported-protocols-as-fatal-errors.patch as it was merged upstream. - Refresh all patches. redis (5:5.0.2-1) unstable; urgency=medium * New upstream release. redis (5:5.0.1-2) unstable; urgency=medium * Refresh patches. * Ensure that lack of IPv6 support does not prevent Redis from starting on Debian where we bind to the ::1 interface by default. (Closes: #900284, #914354) redis (5:5.0.1-1) unstable; urgency=medium * New upstream release. * Ensure that Debian-supplied Lua libraries are available using "require" during Lua scripting to prevent an issue where we could not use the (eg.) cjson library anymore library anymore. This was a regression introduced in 5:5.0~rc4-3. Thanks to Nicolas Le Manchet <nicolas@lemanchet.fr> for the report and testcase. (Closes: #913185) * Refer to /run directly in .service files; /var/run is now merely a symlink pointing to /run and thus it is now considered best practice to use /run directly. * debian/rules: - Document why we run make in the deps/lua/src directory. - Add documentation for LUA_LIBS_{DEBIAN,BUNDLED}. - Call $(MAKE) instead of "make". - Re-order targets to match usual order. redis (5:5.0.0-2) unstable; urgency=medium * Update our patch to sentinel.conf to ensure the correct runtime PID file location. (Closes: #911407) * Listen on ::1 interfaces too for redis-sentinel to match redis-server. * Also run the new "LOLWUT" command in the redis-cli autopkgtest. redis (5:5.0.0-1) unstable; urgency=medium * New upstream stable release to unstable. <https://groups.google.com/forum/#!topic/redis-db/l0OXDAlwosU> * Refresh patches. * Update Vcs-Git. redis (5:5.0~rc5-2) experimental; urgency=medium * Use the system hiredis now that #907259 has landed. (Closes: #907258) redis (5:5.0~rc5-1) experimental; urgency=medium * New upstream release. - Drop 0004-SOURCE_DATE_EPOCH.patch; merged upstream. * debian/watch: Use releases from <https://github.com/antirez/redis/releases> (not Git) to find RC/beta releases, etc. redis (5:5.0~rc4-4) experimental; urgency=medium * Stop playing whack-a-mole with nondeterminstic testsuite and run with "|| true" on all architectures. (Closes: #908540) * Drop ${shlibs:Depends} substvars on "Architecture: any" binary packages. * Add upstream URIs for patches to support non-embedded jemalloc and Lua. * Bump Standards-Version to 4.2.1. redis (5:5.0~rc4-3) experimental; urgency=medium * Add support for (and use) a USE_SYSTEM_LUA flag. (Closes: #901669) * Add support for (and use) a USE_SYSTEM_JEMALLOC flag. * Refresh 0003-dpkg-buildflags patch. * Append "-b debian/experimental" to Vcs-Git line to fix "unpushed changes" vcswatch.cgi false-positives. redis (5:5.0~rc4-2) experimental; urgency=medium * Drop a non-determinstic "dump" test. redis (5:5.0~rc4-1) experimental; urgency=medium * New upstream RC release. <https://groups.google.com/forum/#!topic/redis-db/aXusvS8da8g> - Refresh 0002-use-system-jemalloc.patch - Refresh 0003-dpkg-buildflags.patch - Refresh 0006-Drop-tests-with-timing-issues.patch - Refresh 0009-Drop-memory-efficiency-tests-on-advice-from-upstream.patch redis (5:4.0.11-3) unstable; urgency=medium * Stop playing whack-a-mole with nondeterminstic testsuite and run with "|| true" on all architectures. (Closes: #908540) * Drop ${shlibs:Depends} substvars on "Architecture: any" binary packages. * Bump Standards-Version to 4.2.1. redis (5:4.0.11-2) unstable; urgency=medium * Revert "Move to debhelper-compat (= 11) in Build-Depends." as dak will REJECT with "missing-build-dependency debhelper". redis (5:4.0.11-1) unstable; urgency=medium * New upstream release. <https://groups.google.com/forum/#!topic/redis-db/aXusvS8da8g> * Bump Standards-Version to 4.2.0. * Move to debhelper-compat (= 11) in Build-Depends. redis (5:4.0.10-2) unstable; urgency=medium [ Daniel Shahaf ] * redis-benchmark(1): Fix default of -n argument. (Closes: #903044) [ Chris Lamb ] * Add CVE entries to (released) changelog entry. * Bump Standards-Version to 4.1.5. redis (5:4.0.10-1) unstable; urgency=medium * CVE-2018-11218, CVE-2018-11219: New upstream security release. <redis/redis#5017> for more information. (Closes: #901495) redis (5:4.0.9-4) unstable; urgency=medium * Update Vcs-* headers to point to salsa.debian.org. * Move to HTTPS Homepage URI. * wrap-and-sort -sa. redis (5:4.0.9-3) unstable; urgency=medium * Make /var/log/redis, etc. owned by root:adm, not root:root. Thanks to Thomas Goirand. (Closes: #900496) redis (5:4.0.9-2) unstable; urgency=medium * Ignore test failures on problematic archs. * Bump Standards-Version to 4.1.4. redis (5:4.0.9-1) unstable; urgency=medium * New upstream release. * Refresh all patches. redis (5:4.0.8-2) unstable; urgency=medium * Also listen on ::1 for IPv6 by default. (Closes: #891432) redis (5:4.0.8-1) unstable; urgency=medium * New upstream release. <https://groups.google.com/forum/#!topic/redis-db/FGplxMEGEMo> * Update lintian overrides after rename of debian-watch-may-check-gpg-signature → debian-watch-does-not-check-gpg-signature. * Drop "recursive" argument to chown in postinst script to prevent hardlink vulnerability. redis (5:4.0.7-1) unstable; urgency=medium * New upstream release. <https://groups.google.com/forum/#!topic/redis-db/gngqHoh-kRM> * Refresh patches. redis (5:4.0.6-5) unstable; urgency=medium * Update redis-sentinel's symlink to usr/bin/redis-check-rdb to match redis-server. This avoids a dangling symlink (and thus a broken package) if redis-server is not installed. (Closes: #884321) * Move to debhelper compat level 11. - Drop reference to --with=systemd - systemd-sequence is no longer provided in compat >= 11. * Use https URI for copyright format specification in debian/copyright. redis (5:4.0.6-4) unstable; urgency=medium * Re-add procps to Build-Depends. (Closes: #887075) redis (5:4.0.6-3) unstable; urgency=medium * Use --clients argument to runtest to force single-threaded operation over using taskset. * Bump Standards-Version to 4.1.3. redis (5:4.0.6-2) unstable; urgency=medium * Replace redis-sentinel's main dependency with redis-tools from redis-server, necessarily moving the creating/deletion of the "redis" user and associated data and log directories to redis-tools. (Closes: #884321) * Add stub manpages for redis-sentinel, redis-check-aof and redis-check-rdb. * Bump Standards-Version to 4.1.2. redis (5:4.0.6-1) unstable; urgency=medium * New upstream bugfix release. redis (5:4.0.5-1) unstable; urgency=medium * New upstream release. * debian/control: Use "metapackage" over "meta-package". * debian/patches: - Drop 0008-CVE-2017-15047-Fix-buffer-overflows-occurring-readin. - Refresh. redis (4:4.0.2-9) unstable; urgency=medium * Also update aof.c for MAXPATHLEN issues. (Closes: #881684) redis (4:4.0.2-8) unstable; urgency=medium * Use get_current_dir_name over PATHMAX, etc. (Closes: #881684) * Don't rely on taskset existing for kFreeBSD-*. (Closes: #881683) * Drop "memory efficiency" tests on advice from upstream. (Closes: #881682) * Correct BSD-3-clause -> BSD-2-clause for Marc Alexander Lehmann's attribution in debian/copyright. * Let package be bin-NMUable. redis (4:4.0.2-7) unstable; urgency=medium * Add a "redis" metapackage. (Closes: #876475) * Drop conditionally exporting FORCE_LIBC_MALLOC; upstreamed since 2.6.0-1. redis (4:4.0.2-6) unstable; urgency=medium * Correct locations of redis-sentinel pidfiles. Thanks to Nicolas Payart for the patch. (Closes: #880980) redis (4:4.0.2-5) unstable; urgency=medium * CVE-2017-15047: Replace existing patch with upstream-blessed version that covers another case. (Closes: #878076) redis (4:4.0.2-4) unstable; urgency=medium * CVE-2017-15047: Add input validity checking to redis cluster config slot numbers. (Closes: #878076) * Drop debian/bin/generate-parts script now we aren't calling it. * Correct Bash-esque in NEWS. * Upstream are not providing signed tarballs, so ignore the "debian-watch-may-check-gpg-signature" Lintian tag, * Drop trailing whitespace in debian/changelog. * Use HTTPS URI in debian/watch. redis (4:4.0.2-3) unstable; urgency=medium * Drop Debian-specific support for /etc/redis/redis-{server,sentinel}.{pre,post}-{up,down}.d and remove them if unchanged. * Include systemd redis-server@.service and redis-sentinel@.service template files to easily run multiple instances. (Closes: #877702) * Patch redis.conf and sentinel.conf with quilt instead of maintaining our own versions under debian/. * Refresh all patches. * Bump Standards-Version to 4.1.1. redis (4:4.0.2-2) unstable; urgency=medium * Update 0004-redis-check-rdb test to ensure that redis.rdb exists before testing it. redis (4:4.0.2-1) unstable; urgency=medium * New upstream release ("Upgrade urgency HIGH: Several potentially critical bugs fixed.") * Bump Standards-Version to 4.1.0. * Drop Build-Depends on dh-systemd (>= 1.5). redis (4:4.0.1-7) unstable; urgency=medium * Don't let sentinel tests fail the build; they use too many timers to be useful and/or meaningful. (Closes: #872075) redis (4:4.0.1-6) unstable; urgency=medium * Don't install completions to /usr/share/bash-completion/completions/debian/bash_completion/. redis (4:4.0.1-5) unstable; urgency=medium * Tidy debian/tests/control. * Drop even more tests with timing issues. redis (4:4.0.1-4) unstable; urgency=medium * Split tests into separate files. * Tighten systemd/seccomp hardening. redis (4:4.0.1-3) unstable; urgency=medium * Drop yet more non-deterministic tests. redis (4:4.0.1-2) unstable; urgency=medium * Skip yet more non-deterministic replication tests that rely on timing. (Closes: #857855) redis (4:4.0.1-1) unstable; urgency=medium * New upstream version. * Install 00-RELEASENOTES as the upstream changelog. * Use "dh_auto_clean" over "clean" target. redis (4:4.0.0-3) unstable; urgency=medium * Add -latomic to LDFLAGS to attempt to avoid FTBFS on mips{,el}. * Allow ulimit calls to fail in sysvinit scripts to avoid issues when running in a containerised environment. See <travis-ci/travis-ci#7941>. redis (4:4.0.0-2) unstable; urgency=medium * Make /usr/bin/redis-server in the main redis-server package a symlink to /usr/bin/redis-check-rdb in the redis-tools package. Whilst this prevents a wasteful duplication of a binary, it moreover ensures there are no duplicate debug symbols which was preventing the simultaneous installation of the redis-server-dbgsym and redis-tools-dbgsym packages. Note that this results in the peculiar (and possibily confusing) situation where the main package does not have the main binary anymore, or indeed any binaries whatsoever. See also the previous parallel attempt at a symlink changes in 3.2.6-3 which was reverted in 3.2.8-3. Thanks to Adrian Bunk for the report. (Closes: #868551) redis (4:4.0.0-1) unstable; urgency=medium * New upstream major release. * Bump Standards-Version to 4.0.0. * Refresh, renumber and reorganise patches. redis (3:3.2.9-1) unstable; urgency=medium * New upstream minor bugfix release. * Specify <!nocheck> for test-related Build-Depends. * Bump debhelper compatibility level to 10. redis (3:3.2.8-3) unstable; urgency=medium * Revert the creation of the redis-tools:/usr/bin/redis-check-rdb -> redis-server:/usr/bin/redis-server symlink to avoid a dangling symlink if only the redis-tools binary package is installed. This was a regression since 3:3.2.6-3 where we attempted to avoid shipping duplicate file; the redis-server binary changes behaviour based on the contents of argv. One alternative would be to ship a symlink in redis-server but that would mean users wishing to check RDB databases would have to install the server package, so reverting to shipping a duplicate file seems justified. (Closes: #858519) redis (3:3.2.8-2) unstable; urgency=medium * Avoid conflict between RuntimeDirectory and tmpfiles.d(5) both attempting to create /run/redis with differing permissions. This prevents an installation error on Jessie where /run/redis was first being created by the tmpfiles.d(5) mechanism and then subsequently via the RuntimeDirectory directive. Due to a bug in Jessie's systemd, this caused a package installation error as systemd was too strict about permissions if the target already exists: <systemd/systemd#896> The redis-{server,sentinel} daemon would actually start successfully a few milliseconds later due to the Restart=always directive. We work around this this by dropping the tmpfiles.d(5) handling and moving entirely to RuntimeDirectory{,Mode}; we are not using any special handling requiring tmpfiles.d(5) and we appear to need RuntimeDirectory anyway for #846350. (Closes: #856116) redis (3:3.2.8-1) unstable; urgency=medium * New upstream release. redis (3:3.2.7-1) unstable; urgency=medium * New upstream release. redis (3:3.2.6-6) unstable; urgency=medium * Use --cpu-list 0 (not --cpu-list 1) to ensure compilation on single-CPU machines. (Closes: #852347) redis (3:3.2.6-5) unstable; urgency=medium * Re-add taskset calls to try and avoid FTBFS due to parallelism in upstream test suite. redis (3:3.2.6-4) unstable; urgency=medium * Expand the documentation in redis-server.service and redis-sentinel regarding the default hardening options. redis (3:3.2.6-3) unstable; urgency=medium * Don't ship a "duplicate" redis-server binary in redis-tools as /usr/bin/redis-check-rdb (it checks argv to change its behaviour) by replacing it with a symlink. Found by <https://dedup.debian.net/>. redis (3:3.2.6-2) unstable; urgency=medium * Rename RunTimeDirectory -> RuntimeDirectory in .service files. (Closes: #850534) * Refresh all patches with pq import -> pq export. * Tidy all patches, updating descriptions and use Pq-Topic to organise. redis (3:3.2.6-1) unstable; urgency=medium * New upstream release. * Add debian/gbp.conf to reflect new repository layout. redis (3:3.2.5-6) unstable; urgency=medium * Add missing Depends on lsb-base for /lib/lsb/init-functions usage in redis-sentinel's initscript too. See #838966 for the parallel change to redis-server's initscript. redis (3:3.2.5-5) unstable; urgency=medium * Add RunTimeDirectory=redis to systemd .service files. (Closes: #846350) redis (3:3.2.5-4) unstable; urgency=medium * Install upstream's MANIFESTO and README.md. redis (3:3.2.5-3) unstable; urgency=medium * Also run redis-benchmark in autopkgtests to stress-test the installation better. redis (3:3.2.5-2) unstable; urgency=medium * Tighten permissions of /var/{lib,log}/redis. (Closes: #842987) - chmod(1) directories to 0750. - Allow local administrator to override permissions with dpkg-statoverride. - Set UMask= in .service files, at least to match SystemV initscripts. redis (3:3.2.5-1) unstable; urgency=medium * New upstream release. - Refresh debian/patches/0003-use-system-jemalloc.patch to accomodate missing -ldl flag. * Refresh all patches with "pq import / pq export". redis (3:3.2.4-2) unstable; urgency=medium * Ensure that sentinel's configuration actually writes to a pidfile location so that systemd can detect that the daemon has started. redis (3:3.2.4-1) unstable; urgency=medium * New upstream release. * Sync debian/sentinel.conf. * Add missing -ldl for dladdr(3). * Add missing Depends on lsb-base for /lib/lsb/init-functions usage in initscript. Thanks to Santiago Vila. (Closes: #838966) redis (3:3.2.3-2) unstable; urgency=medium * Call `ulimit -n 65536` by default from sysvinit scripts so behaviour is consistent with systemd. * Bump epoch as the "2" prefix makes it look like we are shipping version 2.x of Redis itself. redis (2:3.2.3-1) unstable; urgency=medium * New upstream release. - Drop 0007-Avoid-world-readable-.rediscli_history-Closes-832460.patch as was applied upstream. * Add copyright-format 1.0 headers. - Use "BSD-3-clause" over "BSD". - Use separate ``License`` paragraphs. - Ensure all wildcards in ``Files:`` sections match. * Check we are running as root in LSB initscripts. * Add debian/README.source regarding debian/{redis,sentinel}.conf. redis (2:3.2.2-1) unstable; urgency=medium * New upstream release. - Sync debian/redis.conf with upstream. - Sync debian/sentinel.conf with upstream. redis (2:3.2.1-4) unstable; urgency=high * Avoid race condition by setting and resetting umask(2) when writing to ~/.rediscli_history. (Closes: #832460) * Skip replication tests with timing issues. redis (2:3.2.1-3) unstable; urgency=medium * Avoid world_readable ~/.rediscli_history files. Thanks to kpcyrd <kpcyrd@rxv.cc>. (Closes: #832460) redis (2:3.2.1-2) unstable; urgency=medium * Avoid race conditions in upstream test suite. Thanks to Daniel Schepler <dschepler@gmail.com>. (Closes: #830500) redis (2:3.2.1-1) unstable; urgency=medium * New upstream release. * Sync debian/redis.conf redis (2:3.2.0-3) unstable; urgency=medium * Skip logging tests as not all architectures support it yet. * Tidy patches. redis (2:3.2.0-2) unstable; urgency=medium * Update redis.conf. redis (2:3.2.0-1) unstable; urgency=medium * New upstream release. * Update 03-use-system-jemalloc.diff. * Install redis-check-rdb (was: redis-check-dump). * Bump Standards-Version to 3.9.8. redis (2:3.0.7-4) unstable; urgency=medium * Actually specify a value for LimitNOFILE. redis (2:3.0.7-3) unstable; urgency=medium * Update .travis.yml. * Update redis-benchmark manpage. Thanks to Joe Doherty (docapotamus). * Add LimitNOFILE to allow a higher number of open file descriptors <https://github.com/lamby/pkg-redis/issues/8>. Thanks to @alexber220. redis (2:3.0.7-2) unstable; urgency=medium * Correct SOURCE_DATE_EPOCH patch to invert conditional. Thanks to Reiner Herrmann <reiner@reiner-h.de>. redis (2:3.0.7-1) unstable; urgency=medium * New upstream release. * Actually drop unused 05-reproducible-build.diff file. * Move to https Vcs-Git URI. redis (2:3.0.6-2) unstable; urgency=medium * Ensure that we always properly cleanup test processes (Closes: #808862) * Add explicit Build-Depends on procps. - Drop explicit pkill. * Use SOURCE_DATE_EPOCH instead of dpkg-parsechangelog so patch can go upstream. redis (2:3.0.6-1) unstable; urgency=medium * New upstream release. * Drop 06-CVE-2015-8080-Integer-wraparound-in-lua_struct.c-cau.patch as an equivalent change merged upstream. * Don't fail if redis user already exists. (Closes: #774736) redis (2:3.0.5-4) unstable; urgency=high * CVE-2015-8080: Integer wraparound in lua_struct.c causing stack-based buffer overflow (Closes: #804419) * Correct call to /bin/kill in redis-{server,sentinel}.service to avoid "kill: invalid argument T" messages when $MAINPID is not set. redis (2:3.0.5-3) unstable; urgency=medium * Add a redis-sentinel.tmpfile matching redis-server.tmpfile. * wrap-and-sort -sa * Rebase all patches with `gbp pq`. redis (2:3.0.5-2) unstable; urgency=medium * Also specify `ProtectSystem=true` over `ProtectSystem=full` in redis-server.service so that it can write its own configuration file when being run in cluster mode. (Closes: #803366) redis (2:3.0.5-1) unstable; urgency=medium * New upstream release. - Sync ./redis.conf and ./debian/redis.conf. redis (2:3.0.4-8) unstable; urgency=medium * Use `ProtectSystem=true` over `ProtectSystem=full` in redis-sentinel.service so that it can write its own configuration file under /etc. Thanks to Pete Hicks <jph@bebo.com> for the report and fix. (Closes: #799696) redis (2:3.0.4-7) unstable; urgency=medium * Change the default (and commented-out) value for "unixsocket" from /tmp/redis.sock -> /var/run/redis/redis.sock so that it will work even under systemd's PrivateTmp=True. Thanks to Chris <Fisch.666@gmx.de> (Closes: #801464) redis (2:3.0.4-6) unstable; urgency=medium * Allow redis-sentinel to actually write to its own directory; ReadWriteDirectories cannot take a filename as I previously thought. Thanks to Bernd Zeimetz <b.zeimetz@conova.com> for the prompt report. (Closes: #799696) redis (2:3.0.4-5) unstable; urgency=medium * Don't install /etc/redis/{redis,sentinel}.conf world-readable as they may contain passwords, additionally setting the ownership to ensure they can read their own configuration. (Closes: #800435) * Disable CAP_SYS_PTRACE in systemd service files * Add Documentation= header to systemd service files. * Add a "redis" systemd unit alias. redis (2:3.0.4-4) unstable; urgency=medium * Make the parallel change in 2:30.4-3 to redis-server's initscript, not just redis-sentinel's. redis (2:3.0.4-3) unstable; urgency=medium * Specific `-s /bin/sh` in su's call to start run-parts as the redis's user's shell of /bin/false was preventing it from starting under sysvinit. Thanks to Michal Humpula <michal.humpula@hudrydum.cz>. (Closes: #798951) redis (2:3.0.4-2) unstable; urgency=medium * Add PIDFile= to systemd service files. * Run /etc/redis/redis-server.post-up.d (etc.) under the 'redis' user, not root in initscript. - Document this in 00_example files. * Execute run-parts files under systemd, not just under sysvinit. (Closes: #798771) * Add rudimentary hardening under systemd. (Closes: #798770) redis (2:3.0.4-1) unstable; urgency=medium * New upstream release. - Sync debian/redis.conf. * Put --system further on to avoid issues with lintian false-positive (and to match the manpage). redis (2:3.0.3-3) unstable; urgency=medium * Replace ExecStop in systemd configuration with TimeoutStopSpec. Calls to `redis-cli shutdown` were not reliable if the port/UNIX socket had changed from the defaults (or is not accessible due to firewalling, permissions, etc.) Note that we cannot simply remove ExecStop (hence TimeoutStopSpec) as we must wait for the server to fully shutdown - it may not have finished writing the dump file to disk and thus we would be risking silent data loss if it is SIGKILL'd. Thanks to Chris Kuehl <ckuehl@ocf.berkeley.edu>. (Closes: #794437) redis (2:3.0.3-2) unstable; urgency=medium * Switch from RuntimeDirectory to systemd-tempfiles. Both redis-server and redis-sentinel use the the same RuntimeDirectory (/run/redis). This is wrong since systemd removes RuntimeDirectory on service stop. So, stopping redis-server removes redis-sentinel.pid as well. Using a systemd-tempfile is a more robust approach. We are also removing ExecStartPre lines since directory creation is handled in a different level. Thanks to Christos Trochalakis <yatiohi@ideopolis.gr>. (Closes: #793016) redis (2:3.0.3-1) unstable; urgency=medium * New upstream release. redis (2:3.0.2-3) unstable; urgency=medium * Add some missing tools: - ./utils/lru/ - ./src/redis-trib.rb - Don't compress redis-trib.rb - Add ruby-redis to Suggests. redis (2:3.0.2-2) unstable; urgency=medium * Create /var/run/redis with the correct permissions in systemd .service files. Thanks to Sebastian Lipponer <mail@sebastianlipponer.de>. (Closes: #787257) * Install Bash completions to /usr/share/bash-completion/completions instead of /etc/bash_completion.d (see #787257). redis (2:3.0.2-1) unstable; urgency=medium * New upstream release. redis (2:3.0.1-1) unstable; urgency=medium * New upstream release. redis (2:3.0.0-2) unstable; urgency=medium * redis-server was not able to start under systemd with default redis.conf due to the absence of /var/run/redis; when RuntimeDirectory is specified in *.service file, systemd creates the directory in /var/run and sets the correct permissions. Thanks to Mikhael A <spir@spir.ru>. redis (2:3.0.0-1) unstable; urgency=medium * New upstream stable release. redis (2:3.0.0~rc6-2) unstable; urgency=medium * Don't make test failures cause a build failure - known timing issues upstream. redis (2:3.0.0~rc6-1) unstable; urgency=medium * New upstream RC release. redis (2:3.0.0~rc5-2) unstable; urgency=medium * Upload to unstable. redis (2:3.0.0~rc5-1) experimental; urgency=medium * New upstream RC release. * wrap-and-sort entries. * Tidy debian/rules. * Move to debhelper compatibility level 9. * Don't run tests if nocheck specified. * Update debian/copyright. redis (2:3.0.0~rc4-1) experimental; urgency=medium * New upstream RC release. * wrap-and-sort. * Use the latest debian/changelog date in 05-reproducible-build.diff. redis (2:3.0.0~rc3-1) experimental; urgency=medium * New upstream RC release. redis (2:3.0.0~rc2-2) experimental; urgency=medium * Add Build-Depends on `tcl` for tests. * Add the following run-parts(8) directories that are be executed at the appropriate daemon start and stop actions: - /etc/redis/redis-server.pre-up.d - /etc/redis/redis-server.pre-down.d - /etc/redis/redis-server.post-up.d - /etc/redis/redis-server.post-down.d - /etc/redis/redis-sentinel.pre-up.d - /etc/redis/redis-sentinel.pre-down.d - /etc/redis/redis-sentinel.post-up.d - /etc/redis/redis-sentinel.post-down.d This is useful for loading Lua scripts which are not persisted across restarts. Scripts should be idempotent so that multiple calls to (eg.) "/etc/init.d/redis-server start" do not result in unintended consequences. * Also run Redis Sentinel tests. redis (2:3.0.0~rc2-1) experimental; urgency=low * New upstream RC release. - Sync debian/redis.conf. * Renable testsuite. * Add --oknodo to initscript "start" action to ensure correct return code if is already running. * Split redis-sentinel into its own package (Closes: #775414) - Move /usr/bin/redis-sentinel symlink to new package. - Fork ./sentinel.conf -> debian/sentinel.conf for own changes. - Add logrotate stanza. - Override permissions of /etc/redis/sentinel.conf with dpkg-statoverride - needs to be writable by Sentinel itself. redis (2:2.8.19-3) unstable; urgency=medium * Add DEP-8 smoke test. redis (2:2.8.19-2) unstable; urgency=low * Re-enable testsuite. - Add tcl to Build-Depends. * Add --oknodo to initscript "start" action to ensure correct return code if is already running. * Use the latest debian/changelog date in 05-reproducible-build.diff. redis (2:2.8.19-1) unstable; urgency=medium * New upstream release. redis (2:2.8.18-1) unstable; urgency=low * New upstream release. - Sync debian/redis.conf. * Attempt to make build reproducible by dropping timestamp/uname name from release.h. * Bump Standards-Version to 3.9.6. redis (2:2.8.17-1) unstable; urgency=medium * New upstream release. redis (2:2.8.14-1) unstable; urgency=low * New upstream release. * Guillaume Delacour: - Use dpkg-buildflags CFLAGS, CPPFLAGS (patch upstream Makefile) and LDFLAGS, also use pie and relro via DEB_BUILD_MAINT_OPTIONS - Call make V=1 to show gcc command lines (blhc) and enable parallel build * Sync debian/redis.conf and redis.conf. * Refresh 02-fix-ftbfs-on-kfreebsd patch. redis (2:2.8.13-3) unstable; urgency=low * Correct permissions of our /var directories by chowning them recursively. This is necessary, at least temporarily, as systemd users were previously running the daemon as root causing the files in those dirs to be owned by that user. We could be clever and only chown files owned by root to accomodate users who are not running as redis:redis but I think that's overkill. (Closes: #756709) redis (2:2.8.13-2) unstable; urgency=low * Under systemd, run under redis:redis. (Closes: #756621) redis (2:2.8.13-1) unstable; urgency=low * New upstream release. * Synchronise ./debian/redis.conf with ./redis.conf. * Update 03-use-system-jemalloc.diff. * Fix FTBFS under kfreebsd (Closes: #754634) redis (2:2.8.12-1) unstable; urgency=low * New upstream release. - Synchronise ./debian/redis.conf with ./redis.conf. redis (2:2.8.11-1) unstable; urgency=low * New upstream release. - Synchronise ./debian/redis.conf with ./redis.conf. * Drop copytruncate from logrotate stanza. * Prefer status_of_proc over `start-stop-daemon --stop --signal 0 ...` (Closes: #751839) redis (2:2.8.8-2) unstable; urgency=low * Add systemd support. Thanks to Wasif Malik <wmalik.ml@gmail.com>. (Closes: #743750) redis (2:2.8.8-1) unstable; urgency=low * New upstream release. - Sync debian/redis.conf and redis.conf. redis (2:2.8.7-2) unstable; urgency=low * Revamp maintainer scripts. (Closes: #741216) redis (2:2.8.7-1) unstable; urgency=low * New upstream release. redis (2:2.8.6-1) unstable; urgency=medium * New upstream release. redis (2:2.8.5-1) unstable; urgency=low * New upstream release. * Update debian/redis.conf to include new tcp-backlog option. redis (2:2.8.4-2) unstable; urgency=low * Symlink redis-sentinel to redis-server as it's the same binary. * Install sentinel.conf. redis (2:2.8.4-1) unstable; urgency=low * New upstream version. * Sync debian/redis.conf. * Also ship redis-sentinel (Closes: #735272) redis (2:2.8.2-1) unstable; urgency=low * New upstream version. redis (2:2.8.0-1) unstable; urgency=low * New upstream release. - Update debian/patches/02-fix-ftbfs-on-kfreebsd. - Update debian/patches/03-use-system-jemalloc.diff. - Update debian/redis.conf * Bump Standards-Version to 3.9.4. redis (2:2.6.16-3) unstable; urgency=low * Add missing Replaces and Breaks to redis-tools. Thanks to Andreas Beckmann (anbe). (Closes: #723703) redis (2:2.6.16-2) unstable; urgency=low * Completely rework and refresh debian/copyright. (Closes: #723162) * Update website in debian/copyright. * Drop client library references from debian/copyright (dropped in 2:1.1.90~beta-1). * Update main copyright year. redis (2:2.6.16-1) unstable; urgency=low * New upstream release. * Split non-server binaries into redis-tools package. (Closes: #723006) * Update debian/watch. redis (2:2.6.14-2) unstable; urgency=low * Source /lib/lsb/init-functions in initscript for systemd compatibility. redis (2:2.6.14-1) unstable; urgency=low * New upstream release. redis (2:2.6.13-1) unstable; urgency=low * New upstream release. - Sync debian/redis.conf. - Update 02-fix-ftbfs-on-kfreebsd.diff. redis (2:2.6.7-1) unstable; urgency=low * New upstream release. * Add missing "status" command from usage. Thanks to Dererk <dererk@debian.org>. (Closes: #696339) * Enable building on kfreebsd-amd64 (and possibly kfreebsd-i386 and hurd-i386) by not depending on 'jemalloc' which would not be used anyway. Thanks to Jeff Epler <jepler@unpythonic.net>. (Closes: #696618) redis (2:2.6.0-1) unstable; urgency=low * New upstream release. * Update 02-fix-ftbfs-on-kfreebsd.diff. * Update 03-use-system-jemalloc.diff. * Update configuration file. redis (2:2.4.17-1) unstable; urgency=low * New upstream release. * Bump Standards-Version to 3.9.3. redis (2:2.4.15-1) unstable; urgency=low * New upstream release. redis (2:2.4.14-1) unstable; urgency=low * New upstream release. redis (2:2.4.13-1) unstable; urgency=low * New upstream release. (Closes: #673202) * Sync upstream redis.conf changes with debian/redis.conf. redis (2:2.4.9-2) unstable; urgency=low * Add /etc/default/redis-server option to call ``ulimit -n'' before invoking Redis. (Closes: #672638) redis (2:2.4.9-1) unstable; urgency=low * New upstream release. redis (2:2.4.8-1) unstable; urgency=low * New upstream release. * Fix debian/watch (Closes: #661919) * Don't use jemalloc on archs not supporting it (Closes: #661354) redis (2:2.4.5-1) unstable; urgency=low * New upstream version (Closes: #655416) * Use system jemalloc. (Closes: #654900, #654902) redis (2:2.4.2-2) unstable; urgency=low * Fix test suite on sparc (Closes: #647627) redis (2:2.4.2-1) unstable; urgency=low * New upstream release. * /etc/init.d/redis-server fixes: - Send TERM, not QUIT signal. - Sleep 1 second after exiting as although the process has disappeared the server socket is somehow still in use which causes the start to fail. * Drop 01-fix-link-ordering patch; fixed upstream. <http://code.google.com/p/redis/issues/detail?id=562>. * Update 02-fix-ftbfs-on-kfreebsd. * Drop redis-doc package now that upstream no longer ship documentation. redis (2:2.4.0~rc5-1) experimental; urgency=low * New upstream RC release. * Update debian/redis.conf. * Drop documentation package - dropped upstream. redis (2:2.2.12-1) unstable; urgency=low * New upstream release. * Move runtime files to /var/run/redis/ and set that as default location for socket file. Thanks to Sandro Tosi <morph@debian.org>. (Closes: #632931) * Refresh fix-link-ordering patch. * Use "defined(__linux__) || defined(__GLIBC__)" for kfreebsd compatibility. Thanks to Robert Millan <rmh@debian.org>. (Closes: #632499) redis (2:2.2.11-3) unstable; urgency=low * Change default loglevel to "notice". * Wait forever for redis to stop - only waiting 10 seconds could cause data loss. * Set a proper default location for socket file. (Closes: #632931) redis (2:2.2.11-2) unstable; urgency=low * Fix FTBFS on kfreebsd. Thanks to Christoph Egger <christoph@debian.org> for the patch. (Closes: #632499) * Ship redis-check-aof and redis-check-dump. (Closes: #632858) redis (2:2.2.11-1) unstable; urgency=low * New upstream release. * Correct spelling of "Description" in patch system. redis (2:2.2.10-1) unstable; urgency=low * New upstream release. * Bump Standards-Version to 3.9.2. redis (2:2.2.8-1) unstable; urgency=low * New upstream release. * Add patch from Ubuntu to fix FTBFS due to --as-needed linking. Thanks to Nigel Babu <nigelbabu@ubuntu.com>. (Closes: #628056) redis (2:2.2.5-1) unstable; urgency=low * New upstream release. redis (2:2.2.4-1) unstable; urgency=low * New upstream release. redis (2:2.2.2-1) unstable; urgency=low * New upstream release. * Use userdel over deluser to prevent problems when purging package. (Closes: #618326) redis (2:2.2.1-1) unstable; urgency=low * New upstream release. (Closes: #604076) * Update install paths. redis (2:2.0.1-2) unstable; urgency=low * Upload to unstable. redis (2:2.0.1-1) experimental; urgency=low * New upstream release. * Update debian/watch to not match old tarballs. * Upstream now ships an install target; let's just ignore it for now. redis (2:2.0.0~rc4-1) experimental; urgency=low * New upstream RC release. * Bump Standards-Version to 3.9.1. * Remove mkreleasehdr.sh when building to avoid debian diff - it will regenerate release.h with different contents. redis (2:2.0.0~rc3-1) experimental; urgency=low * New upstream RC release. * Bump Standards-Version to 3.9.0. redis (2:2.0.0~rc2-1) experimental; urgency=low * New upstream RC release. redis (2:2.0.0~rc1-2) experimental; urgency=low * Add 'status' command to initscript. * Add redis-benchmark (and manpage) to package. (Closes: #587395) redis (2:2.0.0~rc1-1) experimental; urgency=low * New upstream release candidate. * Remove '01-dont-print-pid-on-startup.diff' patch. * Update local copy of redis.conf. redis (2:1.2.6-1) unstable; urgency=low * New upstream release. redis (2:1.2.5-1) unstable; urgency=low * New upstream release. * Drop 02-fix-segfault-indupClientReplyValue.diff; applied upstream via <http://code.google.com/p/redis/issues/detail?id=177>. redis (2:1.2.4-1) unstable; urgency=low * New upstream release. redis (2:1.2.3-1) unstable; urgency=low * New upstream release. redis (2:1.2.2-2) unstable; urgency=low * Really fix segfault in dupClientReplyValue. (Closes: #570371) redis (2:1.2.2-1) unstable; urgency=low * New upstream release. - Fixes segfault in dupClientReplyValue. Thanks to Hirling Endre <endre@dawn.royalcomp.hu> (Closes: #570371) redis (2:1.2.1-1) unstable; urgency=low * New upstream release. * Add Bash completion script for redis-cli by Steve Kemp <skx@debian.org>. (Closes: #565358) * Bump Standards-Version to 3.8.4. * Add $remote_fs to LSB "Required-{Start,Stop}" initscript headers. redis (2:1.2.0-1) unstable; urgency=low * New upstream stable release. * Switch to dpkg-source 3.0 (quilt) format. * Patch out printing of pid on startup. redis (2:1.1.95~beta-2) unstable; urgency=low * Set source section to "database" from "misc". * Add redis-cli binary to "redis-server" package. redis (2:1.1.95~beta-1) unstable; urgency=low * New upstream release. * Sync debian/redis.conf with upstream version (new "rdbcompression" and "masterauth" commands). redis (2:1.1.90~beta-1) unstable; urgency=low * New upstream release: - Bump the epoch as dpkg considers 1.1.90 to be less than 1.02. - Sync redis.conf * Don't build client libraries anymore; not part of the upstream tarball anymore. * Don't export CFLAGS from debian/rules to prevent FTBFS when dpkg-provided CFLAGS does not include --std=c99. * Modify debian/watch to consider "-beta" the same as "~beta" for correct dpkg ordering. redis (1:1.02-1) unstable; urgency=low * New upstream release. redis (1:1.01-1) unstable; urgency=low * New upstream release. - "maxmemory now works well on 64bit systems with > 4GB of RAM" redis (1:1.0-1) unstable; urgency=low * New upstream release. * Bump Standards-Version to 3.8.3. * Drop patch system: - 01-recommend-sysctl-conf.diff; applied upstream. - 02-warn-after-daemonising.diff; applied upstream. - 03-only-mangle-trace-on-ia64-and-x86.diff; applied upstream. - Drop quilt Build-Depends and remove patches/series. * Use "override_dh_auto_clean" instead of "clean" target. redis (1:0.900-3) unstable; urgency=low * Actually add architecture patch introducted in 1:0.900-2 to quilt 'series' (Closes: #533763) * Correct "/proc/sys/vm/overcommit_memory" message to print the correct string to add to sysctl.conf. redis (1:0.900-2) unstable; urgency=low * Add patch to avoid mangling the stacktrace on SIGSEGV using X86-specific ucontext struct, etc. (Closes: #533763) * Bump Standards-Version to 3.8.2. redis (1:0.900-1) unstable; urgency=low * New upstream release. - Update debian/redis.conf * Update versionmangle in debian/watch. * "/proc/sys/vm/overcommit_memory" message: - Recommend modifying /etc/sysctl.conf instead of using "boot scripts" - Warn after daemonising to avoid message being spammed on every boot. redis (1:0.100-1) unstable; urgency=low * New upstream release. - Update debian/redis.conf redis (1:0.096-1) unstable; urgency=low * New upstream version. redis (1:0.095-1) unstable; urgency=low * New upstream version. redis (1:0.094-3) unstable; urgency=low * Really upload to unstable - I give "debchange -r" less credit than it deserves. redis (1:0.094-2) experimental; urgency=low * Upload to unstable. * Add libredis-perl package. redis (1:0.094-1) experimental; urgency=low * New upstream release. * Place libphp-redis package into 'php' section. * Update debian/copyright with new libraries. * Correct Vcs-Browser location. redis (1.0~beta8-1) experimental; urgency=low * New upstream release. redis (1.0~beta7-1) experimental; urgency=low * Initial release. (Closes: #518700)

@alexber220

redis (5:6.0.16-1ubuntu1) jammy; urgency=medium * SECURITY UPDATE: Lua sandbox escape - debian/rules: Ensure arbitrary Lua functionality is not permitted by specifying a nil package - CVE-2022-0543 redis (5:6.0.16-1build1) jammy; urgency=medium * No-change rebuild against libssl3 redis (5:6.0.16-1) unstable; urgency=medium * New upstream security release: - CVE-2021-32762: Integer to heap buffer overflow issue in redis-cli and redis-sentinel parsing large multi-bulk replies on some older and less common platforms. - CVE-2021-32687: Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value. - CVE-2021-32675: Denial Of Service when processing RESP request payloads with a large number of elements on many connections. - CVE-2021-32672: Random heap reading issue with Lua Debugger. - CVE-2021-32628: Integer to heap buffer overflow handling ziplist-encoded data types, when configuring a large, non-default value for hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value. - CVE-2021-32627: Integer to heap buffer overflow issue with streams, when configuring a non-default, large value for proto-max-bulk-len and client-query-buffer-limit. - CVE-2021-32626: Specially crafted Lua scripts may result with Heap buffer overflow. - CVE-2021-41099: Integer to heap buffer overflow handling certain string commands and network payloads, when proto-max-bulk-len is manually configured to a non-default, very large value. * Refresh patches. * Bump Standards-Version to 4.6.0. redis (5:6.0.15-1) unstable; urgency=medium * New upstream security release. - CVE-2021-32761: Integer overflow issues with BITFIELD command on 32-bit systems. * Bump Standards-Version to 4.5.1. redis (5:6.0.14-1) unstable; urgency=medium * CVE-2021-32625: Fix a vulnerability in the STRALGO LCS command. (Closes: #989351) redis (5:6.0.13-1) unstable; urgency=medium * New upstream security release: - CVE-2021-29477: Vulnerability in the STRALGO LCS command. - CVE-2021-29478: Vulnerability in the COPY command for large intsets. (Closes: #988045) * Refresh patches. redis (5:6.0.12-1) unstable; urgency=medium * New upstream release. redis (5:6.0.11-1) unstable; urgency=medium * New upstream release, incorporating security issues. (Closes: #983446) - Refresh patches. redis (5:6.0.10-4) unstable; urgency=medium * New upstream release - Fix cluster access to unaligned memory on ARM architectures with hard alignment requirements such as armhf and arm64. (Closes: #982504) * wrap-and-sort -sa. redis (5:6.0.9-4) unstable; urgency=medium * Send systemd readiness notification when we are ready to accept connections in order to fix systemd integration when Redis is used with replicaof. Thanks to Guillem Jover for the report and patch. (Closes: #981226) redis (5:6.0.9-3) unstable; urgency=medium * Also remove the /etc/redis directory in purge. * Allow /etc/redis to be rewritten. Thanks to Yossi Gottlieb for the patch. (Closes: #981000) redis (5:6.0.9-2) unstable; urgency=medium * Enable systemd Type=notify support. Thanks to Michael Prokop for all his help in integration. (Closes: #977852) * Bump Standards-Version to 4.5.1. redis (5:6.0.9-1) unstable; urgency=medium * New upstream release. - Update patches. redis (5:6.0.8-2) unstable; urgency=medium * Apply a patch from Yossi Gottlieb to fix a crash when reporting RDB/AOF file errors. (Closes: #972683) * Refresh patches. redis (5:6.0.8-1) unstable; urgency=medium * New upstream release. redis (5:6.0.7-1) unstable; urgency=medium * New upstream release. * Refresh patches. * Set some Forwarded headers. redis (5:6.0.6-1) unstable; urgency=medium * New upstream release. <https://raw.githubusercontent.com/antirez/redis/6.0/00-RELEASENOTES> * Refresh patches. redis (5:6.0.5-1) unstable; urgency=medium * New upstream release. <https://raw.githubusercontent.com/antirez/redis/6.0/00-RELEASENOTES> redis (5:6.0.4-1) unstable; urgency=medium * New upstream release. <https://raw.githubusercontent.com/antirez/redis/6.0/00-RELEASENOTES> redis (5:6.0.3-1) unstable; urgency=medium * New upstream release. <https://raw.githubusercontent.com/antirez/redis/6.0/00-RELEASENOTES> redis (5:6.0.1-2) unstable; urgency=medium * Upload to unstable. redis (5:6.0.1-1) experimental; urgency=medium * New upstream "General Availability" release. <https://raw.githubusercontent.com/antirez/redis/6.0/00-RELEASENOTES> redis (5:6.0.0-2) unstable; urgency=medium * Mark 0004-redis-check-rdb as being flaky for now. * Wrap long changelog line. * Correct spelling mistake in autopkgtest comment. redis (5:6.0.0-1) unstable; urgency=medium * New upstream "GA" release. <https://raw.githubusercontent.com/antirez/redis/6.0/00-RELEASENOTES> - Drop 0002-Mark-extern-definition-of-SDS_NOINIT-in-sds.h.patch; merged upstream. * Upload to unstable. - Update debian/gbp.conf. redis (5:6.0~rc4-1) experimental; urgency=medium * New upstream beta release. <https://raw.githubusercontent.com/antirez/redis/6.0/00-RELEASENOTES> * Use the newly-package liblzf-dev package over the local version. (Closes: #958321) * Refresh patches. redis (5:6.0~rc3-1) experimental; urgency=medium * New upstream beta release. <https://raw.githubusercontent.com/antirez/redis/6.0/00-RELEASENOTES> redis (5:6.0~rc2-1) experimental; urgency=medium * New upstream beta release. <https://raw.githubusercontent.com/antirez/redis/6.0/00-RELEASENOTES> * Refresh patches. redis (5:6.0~rc1-3) experimental; urgency=medium * Install openssl in the testsuite; required for generating test certificates. * Correct a typo in a previous changelog entry. redis (5:6.0~rc1-2) experimental; urgency=medium * Add support for TLS added in Redis 6.x. Thanks to Jason Perrin for the patch. (Closes: #951255) * Add a comment regarding why we export a MAKEFLAGS variable in debian/rules. * Bump Standards-Version to 4.5.0. redis (5:6.0~rc1-1) experimental; urgency=medium * New upstream RC1 release. <http://antirez.com/news/131> * Refresh patches. * Disable using the system hiredis for now, awaiting a a new upstream release. redis (5:5.0.7-7) unstable; urgency=medium * Add a sleep to ensure that the redis server has started before running the autopkgtests. redis (5:5.0.7-6) unstable; urgency=medium * No change sourceful upload to permit migration to testing. redis (5:5.0.7-5) unstable; urgency=medium * Ensure that the redis daemon is running prior to running the autopkgtests. redis (5:5.0.7-4) unstable; urgency=medium * Use the newly-package liblzf-dev package over the local version. (Closes: #958321) * Don't duplicate long description of the redis-server package in the metapackage. redis (5:5.0.7-3) unstable; urgency=medium * Fix FTBFS with GCC 10. (Closes: #957751) * Refresh all patches. redis (5:5.0.7-2) unstable; urgency=medium [ Christian Göttsche ] * Update systemd service to reflect new names, etc. * Create directories in postinst with correct SELinux context. [ Chris Lamb ] * Bump Standards-Version to 4.5.0. [ David Prévot ] * Update long description to remove duplicate information. redis (5:5.0.7-1) unstable; urgency=medium * New upstream bugfix release. <https://groups.google.com/forum/#!topic/redis-db/LYBeXlUKU6c> * Bump Standards-Version to 4.4.1. * Run wrap-and-sort -sa. redis (5:5.0.6-1) unstable; urgency=medium * New upstream release. <https://groups.google.com/forum/#!topic/redis-db/qTRdgyEbyYU> * Specify "Rules-Requires-Root: no">. redis (5:5.0.5-2) unstable; urgency=medium * Sourceful upload to unstable to ensure testing migration. * Bump Standards-Version to 4.4.0. * Don't build release tags in gitlab-ci.yml. redis (5:5.0.5-1) unstable; urgency=medium * New upstream release. <https://groups.google.com/forum/#!topic/redis-db/jSAtf64lIW4> redis (5:5.0.4-1) unstable; urgency=medium * New upstream release. <https://groups.google.com/forum/#!topic/redis-db/aXusvS8da8g> redis (5:5.0.3-4) unstable; urgency=medium [ Helmut Grohne ] * Fix cross build failure by building the non-bundled Lua libraries via dh_auto_build. (Closes: #919862) redis (5:5.0.3-3) unstable; urgency=medium * Fix FTBFS on hurd-i386 by updating patch to aof.c to avoid MAXPATHLEN reference. * debian/control: - Add missing Pre-Depends on ${misc:Pre-Depends}. - Bump Standards-Version to 4.3.0. * Bump debhelper compat level to 12. redis (5:5.0.3-2) unstable; urgency=medium * Pass --no-as-needed to ensure linking to the Lua libraries on systems with --as-needed as the default. (Closes: #916831) redis (5:5.0.3-1) unstable; urgency=medium * New upstream release. - Drop 0009-Don-t-treat-unsupported-protocols-as-fatal-errors.patch as it was merged upstream. - Refresh all patches. redis (5:5.0.2-1) unstable; urgency=medium * New upstream release. redis (5:5.0.1-2) unstable; urgency=medium * Refresh patches. * Ensure that lack of IPv6 support does not prevent Redis from starting on Debian where we bind to the ::1 interface by default. (Closes: #900284, #914354) redis (5:5.0.1-1) unstable; urgency=medium * New upstream release. * Ensure that Debian-supplied Lua libraries are available using "require" during Lua scripting to prevent an issue where we could not use the (eg.) cjson library anymore library anymore. This was a regression introduced in 5:5.0~rc4-3. Thanks to Nicolas Le Manchet <nicolas@lemanchet.fr> for the report and testcase. (Closes: #913185) * Refer to /run directly in .service files; /var/run is now merely a symlink pointing to /run and thus it is now considered best practice to use /run directly. * debian/rules: - Document why we run make in the deps/lua/src directory. - Add documentation for LUA_LIBS_{DEBIAN,BUNDLED}. - Call $(MAKE) instead of "make". - Re-order targets to match usual order. redis (5:5.0.0-2) unstable; urgency=medium * Update our patch to sentinel.conf to ensure the correct runtime PID file location. (Closes: #911407) * Listen on ::1 interfaces too for redis-sentinel to match redis-server. * Also run the new "LOLWUT" command in the redis-cli autopkgtest. redis (5:5.0.0-1) unstable; urgency=medium * New upstream stable release to unstable. <https://groups.google.com/forum/#!topic/redis-db/l0OXDAlwosU> * Refresh patches. * Update Vcs-Git. redis (5:5.0~rc5-2) experimental; urgency=medium * Use the system hiredis now that #907259 has landed. (Closes: #907258) redis (5:5.0~rc5-1) experimental; urgency=medium * New upstream release. - Drop 0004-SOURCE_DATE_EPOCH.patch; merged upstream. * debian/watch: Use releases from <https://github.com/antirez/redis/releases> (not Git) to find RC/beta releases, etc. redis (5:5.0~rc4-4) experimental; urgency=medium * Stop playing whack-a-mole with nondeterminstic testsuite and run with "|| true" on all architectures. (Closes: #908540) * Drop ${shlibs:Depends} substvars on "Architecture: any" binary packages. * Add upstream URIs for patches to support non-embedded jemalloc and Lua. * Bump Standards-Version to 4.2.1. redis (5:5.0~rc4-3) experimental; urgency=medium * Add support for (and use) a USE_SYSTEM_LUA flag. (Closes: #901669) * Add support for (and use) a USE_SYSTEM_JEMALLOC flag. * Refresh 0003-dpkg-buildflags patch. * Append "-b debian/experimental" to Vcs-Git line to fix "unpushed changes" vcswatch.cgi false-positives. redis (5:5.0~rc4-2) experimental; urgency=medium * Drop a non-determinstic "dump" test. redis (5:5.0~rc4-1) experimental; urgency=medium * New upstream RC release. <https://groups.google.com/forum/#!topic/redis-db/aXusvS8da8g> - Refresh 0002-use-system-jemalloc.patch - Refresh 0003-dpkg-buildflags.patch - Refresh 0006-Drop-tests-with-timing-issues.patch - Refresh 0009-Drop-memory-efficiency-tests-on-advice-from-upstream.patch redis (5:4.0.11-3) unstable; urgency=medium * Stop playing whack-a-mole with nondeterminstic testsuite and run with "|| true" on all architectures. (Closes: #908540) * Drop ${shlibs:Depends} substvars on "Architecture: any" binary packages. * Bump Standards-Version to 4.2.1. redis (5:4.0.11-2) unstable; urgency=medium * Revert "Move to debhelper-compat (= 11) in Build-Depends." as dak will REJECT with "missing-build-dependency debhelper". redis (5:4.0.11-1) unstable; urgency=medium * New upstream release. <https://groups.google.com/forum/#!topic/redis-db/aXusvS8da8g> * Bump Standards-Version to 4.2.0. * Move to debhelper-compat (= 11) in Build-Depends. redis (5:4.0.10-2) unstable; urgency=medium [ Daniel Shahaf ] * redis-benchmark(1): Fix default of -n argument. (Closes: #903044) [ Chris Lamb ] * Add CVE entries to (released) changelog entry. * Bump Standards-Version to 4.1.5. redis (5:4.0.10-1) unstable; urgency=medium * CVE-2018-11218, CVE-2018-11219: New upstream security release. <redis/redis#5017> for more information. (Closes: #901495) redis (5:4.0.9-4) unstable; urgency=medium * Update Vcs-* headers to point to salsa.debian.org. * Move to HTTPS Homepage URI. * wrap-and-sort -sa. redis (5:4.0.9-3) unstable; urgency=medium * Make /var/log/redis, etc. owned by root:adm, not root:root. Thanks to Thomas Goirand. (Closes: #900496) redis (5:4.0.9-2) unstable; urgency=medium * Ignore test failures on problematic archs. * Bump Standards-Version to 4.1.4. redis (5:4.0.9-1) unstable; urgency=medium * New upstream release. * Refresh all patches. redis (5:4.0.8-2) unstable; urgency=medium * Also listen on ::1 for IPv6 by default. (Closes: #891432) redis (5:4.0.8-1) unstable; urgency=medium * New upstream release. <https://groups.google.com/forum/#!topic/redis-db/FGplxMEGEMo> * Update lintian overrides after rename of debian-watch-may-check-gpg-signature → debian-watch-does-not-check-gpg-signature. * Drop "recursive" argument to chown in postinst script to prevent hardlink vulnerability. redis (5:4.0.7-1) unstable; urgency=medium * New upstream release. <https://groups.google.com/forum/#!topic/redis-db/gngqHoh-kRM> * Refresh patches. redis (5:4.0.6-5) unstable; urgency=medium * Update redis-sentinel's symlink to usr/bin/redis-check-rdb to match redis-server. This avoids a dangling symlink (and thus a broken package) if redis-server is not installed. (Closes: #884321) * Move to debhelper compat level 11. - Drop reference to --with=systemd - systemd-sequence is no longer provided in compat >= 11. * Use https URI for copyright format specification in debian/copyright. redis (5:4.0.6-4) unstable; urgency=medium * Re-add procps to Build-Depends. (Closes: #887075) redis (5:4.0.6-3) unstable; urgency=medium * Use --clients argument to runtest to force single-threaded operation over using taskset. * Bump Standards-Version to 4.1.3. redis (5:4.0.6-2) unstable; urgency=medium * Replace redis-sentinel's main dependency with redis-tools from redis-server, necessarily moving the creating/deletion of the "redis" user and associated data and log directories to redis-tools. (Closes: #884321) * Add stub manpages for redis-sentinel, redis-check-aof and redis-check-rdb. * Bump Standards-Version to 4.1.2. redis (5:4.0.6-1) unstable; urgency=medium * New upstream bugfix release. redis (5:4.0.5-1) unstable; urgency=medium * New upstream release. * debian/control: Use "metapackage" over "meta-package". * debian/patches: - Drop 0008-CVE-2017-15047-Fix-buffer-overflows-occurring-readin. - Refresh. redis (4:4.0.2-9) unstable; urgency=medium * Also update aof.c for MAXPATHLEN issues. (Closes: #881684) redis (4:4.0.2-8) unstable; urgency=medium * Use get_current_dir_name over PATHMAX, etc. (Closes: #881684) * Don't rely on taskset existing for kFreeBSD-*. (Closes: #881683) * Drop "memory efficiency" tests on advice from upstream. (Closes: #881682) * Correct BSD-3-clause -> BSD-2-clause for Marc Alexander Lehmann's attribution in debian/copyright. * Let package be bin-NMUable. redis (4:4.0.2-7) unstable; urgency=medium * Add a "redis" metapackage. (Closes: #876475) * Drop conditionally exporting FORCE_LIBC_MALLOC; upstreamed since 2.6.0-1. redis (4:4.0.2-6) unstable; urgency=medium * Correct locations of redis-sentinel pidfiles. Thanks to Nicolas Payart for the patch. (Closes: #880980) redis (4:4.0.2-5) unstable; urgency=medium * CVE-2017-15047: Replace existing patch with upstream-blessed version that covers another case. (Closes: #878076) redis (4:4.0.2-4) unstable; urgency=medium * CVE-2017-15047: Add input validity checking to redis cluster config slot numbers. (Closes: #878076) * Drop debian/bin/generate-parts script now we aren't calling it. * Correct Bash-esque in NEWS. * Upstream are not providing signed tarballs, so ignore the "debian-watch-may-check-gpg-signature" Lintian tag, * Drop trailing whitespace in debian/changelog. * Use HTTPS URI in debian/watch. redis (4:4.0.2-3) unstable; urgency=medium * Drop Debian-specific support for /etc/redis/redis-{server,sentinel}.{pre,post}-{up,down}.d and remove them if unchanged. * Include systemd redis-server@.service and redis-sentinel@.service template files to easily run multiple instances. (Closes: #877702) * Patch redis.conf and sentinel.conf with quilt instead of maintaining our own versions under debian/. * Refresh all patches. * Bump Standards-Version to 4.1.1. redis (4:4.0.2-2) unstable; urgency=medium * Update 0004-redis-check-rdb test to ensure that redis.rdb exists before testing it. redis (4:4.0.2-1) unstable; urgency=medium * New upstream release ("Upgrade urgency HIGH: Several potentially critical bugs fixed.") * Bump Standards-Version to 4.1.0. * Drop Build-Depends on dh-systemd (>= 1.5). redis (4:4.0.1-7) unstable; urgency=medium * Don't let sentinel tests fail the build; they use too many timers to be useful and/or meaningful. (Closes: #872075) redis (4:4.0.1-6) unstable; urgency=medium * Don't install completions to /usr/share/bash-completion/completions/debian/bash_completion/. redis (4:4.0.1-5) unstable; urgency=medium * Tidy debian/tests/control. * Drop even more tests with timing issues. redis (4:4.0.1-4) unstable; urgency=medium * Split tests into separate files. * Tighten systemd/seccomp hardening. redis (4:4.0.1-3) unstable; urgency=medium * Drop yet more non-deterministic tests. redis (4:4.0.1-2) unstable; urgency=medium * Skip yet more non-deterministic replication tests that rely on timing. (Closes: #857855) redis (4:4.0.1-1) unstable; urgency=medium * New upstream version. * Install 00-RELEASENOTES as the upstream changelog. * Use "dh_auto_clean" over "clean" target. redis (4:4.0.0-3) unstable; urgency=medium * Add -latomic to LDFLAGS to attempt to avoid FTBFS on mips{,el}. * Allow ulimit calls to fail in sysvinit scripts to avoid issues when running in a containerised environment. See <travis-ci/travis-ci#7941>. redis (4:4.0.0-2) unstable; urgency=medium * Make /usr/bin/redis-server in the main redis-server package a symlink to /usr/bin/redis-check-rdb in the redis-tools package. Whilst this prevents a wasteful duplication of a binary, it moreover ensures there are no duplicate debug symbols which was preventing the simultaneous installation of the redis-server-dbgsym and redis-tools-dbgsym packages. Note that this results in the peculiar (and possibily confusing) situation where the main package does not have the main binary anymore, or indeed any binaries whatsoever. See also the previous parallel attempt at a symlink changes in 3.2.6-3 which was reverted in 3.2.8-3. Thanks to Adrian Bunk for the report. (Closes: #868551) redis (4:4.0.0-1) unstable; urgency=medium * New upstream major release. * Bump Standards-Version to 4.0.0. * Refresh, renumber and reorganise patches. redis (3:3.2.9-1) unstable; urgency=medium * New upstream minor bugfix release. * Specify <!nocheck> for test-related Build-Depends. * Bump debhelper compatibility level to 10. redis (3:3.2.8-3) unstable; urgency=medium * Revert the creation of the redis-tools:/usr/bin/redis-check-rdb -> redis-server:/usr/bin/redis-server symlink to avoid a dangling symlink if only the redis-tools binary package is installed. This was a regression since 3:3.2.6-3 where we attempted to avoid shipping duplicate file; the redis-server binary changes behaviour based on the contents of argv. One alternative would be to ship a symlink in redis-server but that would mean users wishing to check RDB databases would have to install the server package, so reverting to shipping a duplicate file seems justified. (Closes: #858519) redis (3:3.2.8-2) unstable; urgency=medium * Avoid conflict between RuntimeDirectory and tmpfiles.d(5) both attempting to create /run/redis with differing permissions. This prevents an installation error on Jessie where /run/redis was first being created by the tmpfiles.d(5) mechanism and then subsequently via the RuntimeDirectory directive. Due to a bug in Jessie's systemd, this caused a package installation error as systemd was too strict about permissions if the target already exists: <systemd/systemd#896> The redis-{server,sentinel} daemon would actually start successfully a few milliseconds later due to the Restart=always directive. We work around this this by dropping the tmpfiles.d(5) handling and moving entirely to RuntimeDirectory{,Mode}; we are not using any special handling requiring tmpfiles.d(5) and we appear to need RuntimeDirectory anyway for #846350. (Closes: #856116) redis (3:3.2.8-1) unstable; urgency=medium * New upstream release. redis (3:3.2.7-1) unstable; urgency=medium * New upstream release. redis (3:3.2.6-6) unstable; urgency=medium * Use --cpu-list 0 (not --cpu-list 1) to ensure compilation on single-CPU machines. (Closes: #852347) redis (3:3.2.6-5) unstable; urgency=medium * Re-add taskset calls to try and avoid FTBFS due to parallelism in upstream test suite. redis (3:3.2.6-4) unstable; urgency=medium * Expand the documentation in redis-server.service and redis-sentinel regarding the default hardening options. redis (3:3.2.6-3) unstable; urgency=medium * Don't ship a "duplicate" redis-server binary in redis-tools as /usr/bin/redis-check-rdb (it checks argv to change its behaviour) by replacing it with a symlink. Found by <https://dedup.debian.net/>. redis (3:3.2.6-2) unstable; urgency=medium * Rename RunTimeDirectory -> RuntimeDirectory in .service files. (Closes: #850534) * Refresh all patches with pq import -> pq export. * Tidy all patches, updating descriptions and use Pq-Topic to organise. redis (3:3.2.6-1) unstable; urgency=medium * New upstream release. * Add debian/gbp.conf to reflect new repository layout. redis (3:3.2.5-6) unstable; urgency=medium * Add missing Depends on lsb-base for /lib/lsb/init-functions usage in redis-sentinel's initscript too. See #838966 for the parallel change to redis-server's initscript. redis (3:3.2.5-5) unstable; urgency=medium * Add RunTimeDirectory=redis to systemd .service files. (Closes: #846350) redis (3:3.2.5-4) unstable; urgency=medium * Install upstream's MANIFESTO and README.md. redis (3:3.2.5-3) unstable; urgency=medium * Also run redis-benchmark in autopkgtests to stress-test the installation better. redis (3:3.2.5-2) unstable; urgency=medium * Tighten permissions of /var/{lib,log}/redis. (Closes: #842987) - chmod(1) directories to 0750. - Allow local administrator to override permissions with dpkg-statoverride. - Set UMask= in .service files, at least to match SystemV initscripts. redis (3:3.2.5-1) unstable; urgency=medium * New upstream release. - Refresh debian/patches/0003-use-system-jemalloc.patch to accomodate missing -ldl flag. * Refresh all patches with "pq import / pq export". redis (3:3.2.4-2) unstable; urgency=medium * Ensure that sentinel's configuration actually writes to a pidfile location so that systemd can detect that the daemon has started. redis (3:3.2.4-1) unstable; urgency=medium * New upstream release. * Sync debian/sentinel.conf. * Add missing -ldl for dladdr(3). * Add missing Depends on lsb-base for /lib/lsb/init-functions usage in initscript. Thanks to Santiago Vila. (Closes: #838966) redis (3:3.2.3-2) unstable; urgency=medium * Call `ulimit -n 65536` by default from sysvinit scripts so behaviour is consistent with systemd. * Bump epoch as the "2" prefix makes it look like we are shipping version 2.x of Redis itself. redis (2:3.2.3-1) unstable; urgency=medium * New upstream release. - Drop 0007-Avoid-world-readable-.rediscli_history-Closes-832460.patch as was applied upstream. * Add copyright-format 1.0 headers. - Use "BSD-3-clause" over "BSD". - Use separate ``License`` paragraphs. - Ensure all wildcards in ``Files:`` sections match. * Check we are running as root in LSB initscripts. * Add debian/README.source regarding debian/{redis,sentinel}.conf. redis (2:3.2.2-1) unstable; urgency=medium * New upstream release. - Sync debian/redis.conf with upstream. - Sync debian/sentinel.conf with upstream. redis (2:3.2.1-4) unstable; urgency=high * Avoid race condition by setting and resetting umask(2) when writing to ~/.rediscli_history. (Closes: #832460) * Skip replication tests with timing issues. redis (2:3.2.1-3) unstable; urgency=medium * Avoid world_readable ~/.rediscli_history files. Thanks to kpcyrd <kpcyrd@rxv.cc>. (Closes: #832460) redis (2:3.2.1-2) unstable; urgency=medium * Avoid race conditions in upstream test suite. Thanks to Daniel Schepler <dschepler@gmail.com>. (Closes: #830500) redis (2:3.2.1-1) unstable; urgency=medium * New upstream release. * Sync debian/redis.conf redis (2:3.2.0-3) unstable; urgency=medium * Skip logging tests as not all architectures support it yet. * Tidy patches. redis (2:3.2.0-2) unstable; urgency=medium * Update redis.conf. redis (2:3.2.0-1) unstable; urgency=medium * New upstream release. * Update 03-use-system-jemalloc.diff. * Install redis-check-rdb (was: redis-check-dump). * Bump Standards-Version to 3.9.8. redis (2:3.0.7-4) unstable; urgency=medium * Actually specify a value for LimitNOFILE. redis (2:3.0.7-3) unstable; urgency=medium * Update .travis.yml. * Update redis-benchmark manpage. Thanks to Joe Doherty (docapotamus). * Add LimitNOFILE to allow a higher number of open file descriptors <https://github.com/lamby/pkg-redis/issues/8>. Thanks to @alexber220. redis (2:3.0.7-2) unstable; urgency=medium * Correct SOURCE_DATE_EPOCH patch to invert conditional. Thanks to Reiner Herrmann <reiner@reiner-h.de>. redis (2:3.0.7-1) unstable; urgency=medium * New upstream release. * Actually drop unused 05-reproducible-build.diff file. * Move to https Vcs-Git URI. redis (2:3.0.6-2) unstable; urgency=medium * Ensure that we always properly cleanup test processes (Closes: #808862) * Add explicit Build-Depends on procps. - Drop explicit pkill. * Use SOURCE_DATE_EPOCH instead of dpkg-parsechangelog so patch can go upstream. redis (2:3.0.6-1) unstable; urgency=medium * New upstream release. * Drop 06-CVE-2015-8080-Integer-wraparound-in-lua_struct.c-cau.patch as an equivalent change merged upstream. * Don't fail if redis user already exists. (Closes: #774736) redis (2:3.0.5-4) unstable; urgency=high * CVE-2015-8080: Integer wraparound in lua_struct.c causing stack-based buffer overflow (Closes: #804419) * Correct call to /bin/kill in redis-{server,sentinel}.service to avoid "kill: invalid argument T" messages when $MAINPID is not set. redis (2:3.0.5-3) unstable; urgency=medium * Add a redis-sentinel.tmpfile matching redis-server.tmpfile. * wrap-and-sort -sa * Rebase all patches with `gbp pq`. redis (2:3.0.5-2) unstable; urgency=medium * Also specify `ProtectSystem=true` over `ProtectSystem=full` in redis-server.service so that it can write its own configuration file when being run in cluster mode. (Closes: #803366) redis (2:3.0.5-1) unstable; urgency=medium * New upstream release. - Sync ./redis.conf and ./debian/redis.conf. redis (2:3.0.4-8) unstable; urgency=medium * Use `ProtectSystem=true` over `ProtectSystem=full` in redis-sentinel.service so that it can write its own configuration file under /etc. Thanks to Pete Hicks <jph@bebo.com> for the report and fix. (Closes: #799696) redis (2:3.0.4-7) unstable; urgency=medium * Change the default (and commented-out) value for "unixsocket" from /tmp/redis.sock -> /var/run/redis/redis.sock so that it will work even under systemd's PrivateTmp=True. Thanks to Chris <Fisch.666@gmx.de> (Closes: #801464) redis (2:3.0.4-6) unstable; urgency=medium * Allow redis-sentinel to actually write to its own directory; ReadWriteDirectories cannot take a filename as I previously thought. Thanks to Bernd Zeimetz <b.zeimetz@conova.com> for the prompt report. (Closes: #799696) redis (2:3.0.4-5) unstable; urgency=medium * Don't install /etc/redis/{redis,sentinel}.conf world-readable as they may contain passwords, additionally setting the ownership to ensure they can read their own configuration. (Closes: #800435) * Disable CAP_SYS_PTRACE in systemd service files * Add Documentation= header to systemd service files. * Add a "redis" systemd unit alias. redis (2:3.0.4-4) unstable; urgency=medium * Make the parallel change in 2:30.4-3 to redis-server's initscript, not just redis-sentinel's. redis (2:3.0.4-3) unstable; urgency=medium * Specific `-s /bin/sh` in su's call to start run-parts as the redis's user's shell of /bin/false was preventing it from starting under sysvinit. Thanks to Michal Humpula <michal.humpula@hudrydum.cz>. (Closes: #798951) redis (2:3.0.4-2) unstable; urgency=medium * Add PIDFile= to systemd service files. * Run /etc/redis/redis-server.post-up.d (etc.) under the 'redis' user, not root in initscript. - Document this in 00_example files. * Execute run-parts files under systemd, not just under sysvinit. (Closes: #798771) * Add rudimentary hardening under systemd. (Closes: #798770) redis (2:3.0.4-1) unstable; urgency=medium * New upstream release. - Sync debian/redis.conf. * Put --system further on to avoid issues with lintian false-positive (and to match the manpage). redis (2:3.0.3-3) unstable; urgency=medium * Replace ExecStop in systemd configuration with TimeoutStopSpec. Calls to `redis-cli shutdown` were not reliable if the port/UNIX socket had changed from the defaults (or is not accessible due to firewalling, permissions, etc.) Note that we cannot simply remove ExecStop (hence TimeoutStopSpec) as we must wait for the server to fully shutdown - it may not have finished writing the dump file to disk and thus we would be risking silent data loss if it is SIGKILL'd. Thanks to Chris Kuehl <ckuehl@ocf.berkeley.edu>. (Closes: #794437) redis (2:3.0.3-2) unstable; urgency=medium * Switch from RuntimeDirectory to systemd-tempfiles. Both redis-server and redis-sentinel use the the same RuntimeDirectory (/run/redis). This is wrong since systemd removes RuntimeDirectory on service stop. So, stopping redis-server removes redis-sentinel.pid as well. Using a systemd-tempfile is a more robust approach. We are also removing ExecStartPre lines since directory creation is handled in a different level. Thanks to Christos Trochalakis <yatiohi@ideopolis.gr>. (Closes: #793016) redis (2:3.0.3-1) unstable; urgency=medium * New upstream release. redis (2:3.0.2-3) unstable; urgency=medium * Add some missing tools: - ./utils/lru/ - ./src/redis-trib.rb - Don't compress redis-trib.rb - Add ruby-redis to Suggests. redis (2:3.0.2-2) unstable; urgency=medium * Create /var/run/redis with the correct permissions in systemd .service files. Thanks to Sebastian Lipponer <mail@sebastianlipponer.de>. (Closes: #787257) * Install Bash completions to /usr/share/bash-completion/completions instead of /etc/bash_completion.d (see #787257). redis (2:3.0.2-1) unstable; urgency=medium * New upstream release. redis (2:3.0.1-1) unstable; urgency=medium * New upstream release. redis (2:3.0.0-2) unstable; urgency=medium * redis-server was not able to start under systemd with default redis.conf due to the absence of /var/run/redis; when RuntimeDirectory is specified in *.service file, systemd creates the directory in /var/run and sets the correct permissions. Thanks to Mikhael A <spir@spir.ru>. redis (2:3.0.0-1) unstable; urgency=medium * New upstream stable release. redis (2:3.0.0~rc6-2) unstable; urgency=medium * Don't make test failures cause a build failure - known timing issues upstream. redis (2:3.0.0~rc6-1) unstable; urgency=medium * New upstream RC release. redis (2:3.0.0~rc5-2) unstable; urgency=medium * Upload to unstable. redis (2:3.0.0~rc5-1) experimental; urgency=medium * New upstream RC release. * wrap-and-sort entries. * Tidy debian/rules. * Move to debhelper compatibility level 9. * Don't run tests if nocheck specified. * Update debian/copyright. redis (2:3.0.0~rc4-1) experimental; urgency=medium * New upstream RC release. * wrap-and-sort. * Use the latest debian/changelog date in 05-reproducible-build.diff. redis (2:3.0.0~rc3-1) experimental; urgency=medium * New upstream RC release. redis (2:3.0.0~rc2-2) experimental; urgency=medium * Add Build-Depends on `tcl` for tests. * Add the following run-parts(8) directories that are be executed at the appropriate daemon start and stop actions: - /etc/redis/redis-server.pre-up.d - /etc/redis/redis-server.pre-down.d - /etc/redis/redis-server.post-up.d - /etc/redis/redis-server.post-down.d - /etc/redis/redis-sentinel.pre-up.d - /etc/redis/redis-sentinel.pre-down.d - /etc/redis/redis-sentinel.post-up.d - /etc/redis/redis-sentinel.post-down.d This is useful for loading Lua scripts which are not persisted across restarts. Scripts should be idempotent so that multiple calls to (eg.) "/etc/init.d/redis-server start" do not result in unintended consequences. * Also run Redis Sentinel tests. redis (2:3.0.0~rc2-1) experimental; urgency=low * New upstream RC release. - Sync debian/redis.conf. * Renable testsuite. * Add --oknodo to initscript "start" action to ensure correct return code if is already running. * Split redis-sentinel into its own package (Closes: #775414) - Move /usr/bin/redis-sentinel symlink to new package. - Fork ./sentinel.conf -> debian/sentinel.conf for own changes. - Add logrotate stanza. - Override permissions of /etc/redis/sentinel.conf with dpkg-statoverride - needs to be writable by Sentinel itself. redis (2:2.8.19-3) unstable; urgency=medium * Add DEP-8 smoke test. redis (2:2.8.19-2) unstable; urgency=low * Re-enable testsuite. - Add tcl to Build-Depends. * Add --oknodo to initscript "start" action to ensure correct return code if is already running. * Use the latest debian/changelog date in 05-reproducible-build.diff. redis (2:2.8.19-1) unstable; urgency=medium * New upstream release. redis (2:2.8.18-1) unstable; urgency=low * New upstream release. - Sync debian/redis.conf. * Attempt to make build reproducible by dropping timestamp/uname name from release.h. * Bump Standards-Version to 3.9.6. redis (2:2.8.17-1) unstable; urgency=medium * New upstream release. redis (2:2.8.14-1) unstable; urgency=low * New upstream release. * Guillaume Delacour: - Use dpkg-buildflags CFLAGS, CPPFLAGS (patch upstream Makefile) and LDFLAGS, also use pie and relro via DEB_BUILD_MAINT_OPTIONS - Call make V=1 to show gcc command lines (blhc) and enable parallel build * Sync debian/redis.conf and redis.conf. * Refresh 02-fix-ftbfs-on-kfreebsd patch. redis (2:2.8.13-3) unstable; urgency=low * Correct permissions of our /var directories by chowning them recursively. This is necessary, at least temporarily, as systemd users were previously running the daemon as root causing the files in those dirs to be owned by that user. We could be clever and only chown files owned by root to accomodate users who are not running as redis:redis but I think that's overkill. (Closes: #756709) redis (2:2.8.13-2) unstable; urgency=low * Under systemd, run under redis:redis. (Closes: #756621) redis (2:2.8.13-1) unstable; urgency=low * New upstream release. * Synchronise ./debian/redis.conf with ./redis.conf. * Update 03-use-system-jemalloc.diff. * Fix FTBFS under kfreebsd (Closes: #754634) redis (2:2.8.12-1) unstable; urgency=low * New upstream release. - Synchronise ./debian/redis.conf with ./redis.conf. redis (2:2.8.11-1) unstable; urgency=low * New upstream release. - Synchronise ./debian/redis.conf with ./redis.conf. * Drop copytruncate from logrotate stanza. * Prefer status_of_proc over `start-stop-daemon --stop --signal 0 ...` (Closes: #751839) redis (2:2.8.8-2) unstable; urgency=low * Add systemd support. Thanks to Wasif Malik <wmalik.ml@gmail.com>. (Closes: #743750) redis (2:2.8.8-1) unstable; urgency=low * New upstream release. - Sync debian/redis.conf and redis.conf. redis (2:2.8.7-2) unstable; urgency=low * Revamp maintainer scripts. (Closes: #741216) redis (2:2.8.7-1) unstable; urgency=low * New upstream release. redis (2:2.8.6-1) unstable; urgency=medium * New upstream release. redis (2:2.8.5-1) unstable; urgency=low * New upstream release. * Update debian/redis.conf to include new tcp-backlog option. redis (2:2.8.4-2) unstable; urgency=low * Symlink redis-sentinel to redis-server as it's the same binary. * Install sentinel.conf. redis (2:2.8.4-1) unstable; urgency=low * New upstream version. * Sync debian/redis.conf. * Also ship redis-sentinel (Closes: #735272) redis (2:2.8.2-1) unstable; urgency=low * New upstream version. redis (2:2.8.0-1) unstable; urgency=low * New upstream release. - Update debian/patches/02-fix-ftbfs-on-kfreebsd. - Update debian/patches/03-use-system-jemalloc.diff. - Update debian/redis.conf * Bump Standards-Version to 3.9.4. redis (2:2.6.16-3) unstable; urgency=low * Add missing Replaces and Breaks to redis-tools. Thanks to Andreas Beckmann (anbe). (Closes: #723703) redis (2:2.6.16-2) unstable; urgency=low * Completely rework and refresh debian/copyright. (Closes: #723162) * Update website in debian/copyright. * Drop client library references from debian/copyright (dropped in 2:1.1.90~beta-1). * Update main copyright year. redis (2:2.6.16-1) unstable; urgency=low * New upstream release. * Split non-server binaries into redis-tools package. (Closes: #723006) * Update debian/watch. redis (2:2.6.14-2) unstable; urgency=low * Source /lib/lsb/init-functions in initscript for systemd compatibility. redis (2:2.6.14-1) unstable; urgency=low * New upstream release. redis (2:2.6.13-1) unstable; urgency=low * New upstream release. - Sync debian/redis.conf. - Update 02-fix-ftbfs-on-kfreebsd.diff. redis (2:2.6.7-1) unstable; urgency=low * New upstream release. * Add missing "status" command from usage. Thanks to Dererk <dererk@debian.org>. (Closes: #696339) * Enable building on kfreebsd-amd64 (and possibly kfreebsd-i386 and hurd-i386) by not depending on 'jemalloc' which would not be used anyway. Thanks to Jeff Epler <jepler@unpythonic.net>. (Closes: #696618) redis (2:2.6.0-1) unstable; urgency=low * New upstream release. * Update 02-fix-ftbfs-on-kfreebsd.diff. * Update 03-use-system-jemalloc.diff. * Update configuration file. redis (2:2.4.17-1) unstable; urgency=low * New upstream release. * Bump Standards-Version to 3.9.3. redis (2:2.4.15-1) unstable; urgency=low * New upstream release. redis (2:2.4.14-1) unstable; urgency=low * New upstream release. redis (2:2.4.13-1) unstable; urgency=low * New upstream release. (Closes: #673202) * Sync upstream redis.conf changes with debian/redis.conf. redis (2:2.4.9-2) unstable; urgency=low * Add /etc/default/redis-server option to call ``ulimit -n'' before invoking Redis. (Closes: #672638) redis (2:2.4.9-1) unstable; urgency=low * New upstream release. redis (2:2.4.8-1) unstable; urgency=low * New upstream release. * Fix debian/watch (Closes: #661919) * Don't use jemalloc on archs not supporting it (Closes: #661354) redis (2:2.4.5-1) unstable; urgency=low * New upstream version (Closes: #655416) * Use system jemalloc. (Closes: #654900, #654902) redis (2:2.4.2-2) unstable; urgency=low * Fix test suite on sparc (Closes: #647627) redis (2:2.4.2-1) unstable; urgency=low * New upstream release. * /etc/init.d/redis-server fixes: - Send TERM, not QUIT signal. - Sleep 1 second after exiting as although the process has disappeared the server socket is somehow still in use which causes the start to fail. * Drop 01-fix-link-ordering patch; fixed upstream. <http://code.google.com/p/redis/issues/detail?id=562>. * Update 02-fix-ftbfs-on-kfreebsd. * Drop redis-doc package now that upstream no longer ship documentation. redis (2:2.4.0~rc5-1) experimental; urgency=low * New upstream RC release. * Update debian/redis.conf. * Drop documentation package - dropped upstream. redis (2:2.2.12-1) unstable; urgency=low * New upstream release. * Move runtime files to /var/run/redis/ and set that as default location for socket file. Thanks to Sandro Tosi <morph@debian.org>. (Closes: #632931) * Refresh fix-link-ordering patch. * Use "defined(__linux__) || defined(__GLIBC__)" for kfreebsd compatibility. Thanks to Robert Millan <rmh@debian.org>. (Closes: #632499) redis (2:2.2.11-3) unstable; urgency=low * Change default loglevel to "notice". * Wait forever for redis to stop - only waiting 10 seconds could cause data loss. * Set a proper default location for socket file. (Closes: #632931) redis (2:2.2.11-2) unstable; urgency=low * Fix FTBFS on kfreebsd. Thanks to Christoph Egger <christoph@debian.org> for the patch. (Closes: #632499) * Ship redis-check-aof and redis-check-dump. (Closes: #632858) redis (2:2.2.11-1) unstable; urgency=low * New upstream release. * Correct spelling of "Description" in patch system. redis (2:2.2.10-1) unstable; urgency=low * New upstream release. * Bump Standards-Version to 3.9.2. redis (2:2.2.8-1) unstable; urgency=low * New upstream release. * Add patch from Ubuntu to fix FTBFS due to --as-needed linking. Thanks to Nigel Babu <nigelbabu@ubuntu.com>. (Closes: #628056) redis (2:2.2.5-1) unstable; urgency=low * New upstream release. redis (2:2.2.4-1) unstable; urgency=low * New upstream release. redis (2:2.2.2-1) unstable; urgency=low * New upstream release. * Use userdel over deluser to prevent problems when purging package. (Closes: #618326) redis (2:2.2.1-1) unstable; urgency=low * New upstream release. (Closes: #604076) * Update install paths. redis (2:2.0.1-2) unstable; urgency=low * Upload to unstable. redis (2:2.0.1-1) experimental; urgency=low * New upstream release. * Update debian/watch to not match old tarballs. * Upstream now ships an install target; let's just ignore it for now. redis (2:2.0.0~rc4-1) experimental; urgency=low * New upstream RC release. * Bump Standards-Version to 3.9.1. * Remove mkreleasehdr.sh when building to avoid debian diff - it will regenerate release.h with different contents. redis (2:2.0.0~rc3-1) experimental; urgency=low * New upstream RC release. * Bump Standards-Version to 3.9.0. redis (2:2.0.0~rc2-1) experimental; urgency=low * New upstream RC release. redis (2:2.0.0~rc1-2) experimental; urgency=low * Add 'status' command to initscript. * Add redis-benchmark (and manpage) to package. (Closes: #587395) redis (2:2.0.0~rc1-1) experimental; urgency=low * New upstream release candidate. * Remove '01-dont-print-pid-on-startup.diff' patch. * Update local copy of redis.conf. redis (2:1.2.6-1) unstable; urgency=low * New upstream release. redis (2:1.2.5-1) unstable; urgency=low * New upstream release. * Drop 02-fix-segfault-indupClientReplyValue.diff; applied upstream via <http://code.google.com/p/redis/issues/detail?id=177>. redis (2:1.2.4-1) unstable; urgency=low * New upstream release. redis (2:1.2.3-1) unstable; urgency=low * New upstream release. redis (2:1.2.2-2) unstable; urgency=low * Really fix segfault in dupClientReplyValue. (Closes: #570371) redis (2:1.2.2-1) unstable; urgency=low * New upstream release. - Fixes segfault in dupClientReplyValue. Thanks to Hirling Endre <endre@dawn.royalcomp.hu> (Closes: #570371) redis (2:1.2.1-1) unstable; urgency=low * New upstream release. * Add Bash completion script for redis-cli by Steve Kemp <skx@debian.org>. (Closes: #565358) * Bump Standards-Version to 3.8.4. * Add $remote_fs to LSB "Required-{Start,Stop}" initscript headers. redis (2:1.2.0-1) unstable; urgency=low * New upstream stable release. * Switch to dpkg-source 3.0 (quilt) format. * Patch out printing of pid on startup. redis (2:1.1.95~beta-2) unstable; urgency=low * Set source section to "database" from "misc". * Add redis-cli binary to "redis-server" package. redis (2:1.1.95~beta-1) unstable; urgency=low * New upstream release. * Sync debian/redis.conf with upstream version (new "rdbcompression" and "masterauth" commands). redis (2:1.1.90~beta-1) unstable; urgency=low * New upstream release: - Bump the epoch as dpkg considers 1.1.90 to be less than 1.02. - Sync redis.conf * Don't build client libraries anymore; not part of the upstream tarball anymore. * Don't export CFLAGS from debian/rules to prevent FTBFS when dpkg-provided CFLAGS does not include --std=c99. * Modify debian/watch to consider "-beta" the same as "~beta" for correct dpkg ordering. redis (1:1.02-1) unstable; urgency=low * New upstream release. redis (1:1.01-1) unstable; urgency=low * New upstream release. - "maxmemory now works well on 64bit systems with > 4GB of RAM" redis (1:1.0-1) unstable; urgency=low * New upstream release. * Bump Standards-Version to 3.8.3. * Drop patch system: - 01-recommend-sysctl-conf.diff; applied upstream. - 02-warn-after-daemonising.diff; applied upstream. - 03-only-mangle-trace-on-ia64-and-x86.diff; applied upstream. - Drop quilt Build-Depends and remove patches/series. * Use "override_dh_auto_clean" instead of "clean" target. redis (1:0.900-3) unstable; urgency=low * Actually add architecture patch introducted in 1:0.900-2 to quilt 'series' (Closes: #533763) * Correct "/proc/sys/vm/overcommit_memory" message to print the correct string to add to sysctl.conf. redis (1:0.900-2) unstable; urgency=low * Add patch to avoid mangling the stacktrace on SIGSEGV using X86-specific ucontext struct, etc. (Closes: #533763) * Bump Standards-Version to 3.8.2. redis (1:0.900-1) unstable; urgency=low * New upstream release. - Update debian/redis.conf * Update versionmangle in debian/watch. * "/proc/sys/vm/overcommit_memory" message: - Recommend modifying /etc/sysctl.conf instead of using "boot scripts" - Warn after daemonising to avoid message being spammed on every boot. redis (1:0.100-1) unstable; urgency=low * New upstream release. - Update debian/redis.conf redis (1:0.096-1) unstable; urgency=low * New upstream version. redis (1:0.095-1) unstable; urgency=low * New upstream version. redis (1:0.094-3) unstable; urgency=low * Really upload to unstable - I give "debchange -r" less credit than it deserves. redis (1:0.094-2) experimental; urgency=low * Upload to unstable. * Add libredis-perl package. redis (1:0.094-1) experimental; urgency=low * New upstream release. * Place libphp-redis package into 'php' section. * Update debian/copyright with new libraries. * Correct Vcs-Browser location. redis (1.0~beta8-1) experimental; urgency=low * New upstream release. redis (1.0~beta7-1) experimental; urgency=low * Initial release. (Closes: #518700)

Update CONFLICTS. <ChangeLog> Redis 4.0.10 fixes a number of important issues: * Important security issues related to the Lua scripting engine. Please check redis/redis#5017 for more information. * A bug with SCAN, SSCAN, HSCAN and ZSCAN, that may not return all the elements. We also add a regression test that can trigger the issue often when present, and may in theory be able to find unrelated regressions. * A PSYNC2 bug is fixed: Redis should not expire keys when saving RDB files because otherwise it is no longer possible to use such RDB file as a base for partial resynchronization. It no longer represents the right state. * Compatibility of AOF with RDB preamble when the RDB checksum is disabled. * Sentinel bug that in some cases prevented Sentinel to detect that the master was down immediately. A delay was added to the detection. * Other minor issues. </ChangeLog>

antirez closed this as completed Jun 13, 2018

antirez changed the title ~~Placeholder~~ Redis Lua scripting: multiple security issues Jun 13, 2018

hydrapolic mentioned this issue Jun 16, 2018

dev-db/redis: bump to 4.0.10 gentoo/gentoo#8861

Closed

wodev mentioned this issue Aug 17, 2018

redis 4.0.11 fink/fink-distributions#230

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Redis Lua scripting: multiple security issues #5017

Redis Lua scripting: multiple security issues #5017

antirez commented Jun 13, 2018 •

edited

carlwgeorge commented Jun 13, 2018

antirez commented Jun 13, 2018

lamby commented Jun 14, 2018

antirez commented Jun 14, 2018

antirez commented Jun 14, 2018

lamby commented Jun 14, 2018

carlwgeorge commented Jun 14, 2018

natoscott commented Jun 14, 2018

antirez commented Jun 14, 2018

xiaoaoqiankun commented May 12, 2022

Redis Lua scripting: multiple security issues #5017

Redis Lua scripting: multiple security issues #5017

Comments

antirez commented Jun 13, 2018 • edited

carlwgeorge commented Jun 13, 2018

antirez commented Jun 13, 2018

lamby commented Jun 14, 2018

antirez commented Jun 14, 2018

antirez commented Jun 14, 2018

lamby commented Jun 14, 2018

carlwgeorge commented Jun 14, 2018

natoscott commented Jun 14, 2018

antirez commented Jun 14, 2018

xiaoaoqiankun commented May 12, 2022

antirez commented Jun 13, 2018 •

edited