ESB-2018.1869 - [Debian] redis: Multiple vulnerabilities 2018-06-27


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1869
                Security update for redis comes to Debian 8
                               27 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           redis
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account            
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12326 CVE-2018-11219 CVE-2018-11218

Reference:         ESB-2018.1850
                   ESB-2018.1779

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/06/msg00003.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : redis
Version        : 2:2.8.17-1+deb8u6
CVE IDs        : CVE-2018-11218, CVE-2018-11219, CVE-2018-12326
Debian Bugs    : #901495, #902410

It was discovered that there were a number of vulnerabilities in redis,
a persistent key-value database:

  * CVE-2018-11218, CVE-2018-11219: Multiple heap
    corruption and integer overflow vulnerabilities. (#901495)

  * CVE-2018-12326: Buffer overflow in the "redis-cli" tool which could
    have allowed an attacker to achieve code execution and/or escalate to
    higher privileges via a crafted command line. (#902410)

For Debian 8 "Jessie", these issues have been fixed in redis version
2:2.8.17-1+deb8u6.

We recommend that you upgrade your redis packages.


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAlsyXmMACgkQHpU+J9Qx
HlhQcw/+OjWmtgY+7YwyUfmK02qmx/4xmt6xhzX4Lxh7cPMn6J8VUkz4pAUYnQnV
12nhOR2Ts0dAchRet2GLqJ/3unLahUZRWYgbl20XRswmOHobAaxELRn+o2J/T3m9
4swLrY2PtnAQ7zZWuK1/ePiWALn5F06ITpjG2f+UNCa3L7aYn6VExgeKVIgk8LuX
Fq3zUHNQPQjb924frZ/kn0+iUDpPwGHCkDtzWtltNBgsFSM0FVbTh6MJfXrsagT6
d+jKKrc+gDGb2WZiq7VANQ4Wx1DxFA3HBcLobjOBB/I4Zq3XRmMXTuibvRHv2xqk
HwUKSy87CByEn76HuHZfo9hmtX1RB2lqpq4KQ87I4E0dBKtIEyBFjSv7Mr/NOP7Q
/FUFZegHWM9WomFbqjbe2Ga18KRV7KFQAiN2iE5QyRVUgI1YK8K7z2KbAiGBcdsU
uV6dZonuRwxWj0mz3A3HYMaIuP/u+KMdPpVpGmuq4cqA6VozeWbSelasK9zEaZah
E94HA+aDiVfNCceTCq69uPZlJKHCDDb3OLbAv+BeDT2+GkNCdZ64GdTCxOw9BCMy
S+0m+/sxcZBHjD2WNyfK20Z3++ZL3mMb47yENE8wB0OOf8ZItxTANUcZYL8rvsC5
hB34DVoEkrGJWF7d7fKgEbZRV/gZB5IZNBmPqNkxVgbteULnJcE=
=19rh
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
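The advisory above names a single fixed version, 2:2.8.17-1+deb8u6, and a naive string comparison gets Debian version strings wrong (the epoch "2:" is ignored, "deb8u10" sorts below "deb8u6", and a "~" suffix sorts the wrong way). The following Python is an added example, not Debian's or AusCERT's code: it reimplements the dpkg version-ordering rules (epoch, then upstream version, then Debian revision, alternating lexical and numeric runs) and applies them to an inventory of installed redis packages. The function names (`compare_versions`, `is_vulnerable`, `triage`) are the example's own, and the `dpkg-query` output lines it consumes are constructed for the example, not taken from a real host.

```python
"""Check installed Debian redis package versions against the fixed version
from the advisory using a pure-Python port of dpkg's version ordering.
Added example; not Debian's or AusCERT's code."""

FIXED_VERSION = "2:2.8.17-1+deb8u6"  # fixed version named in the advisory

# Constructed sample of output from:
#   dpkg-query -W -f='${Package}\t${Version}\n' 'redis*'
# These lines are made up for the example, not captured from a real host.
SAMPLE_DPKG_QUERY_OUTPUT = """\
redis-server\t2:2.8.17-1+deb8u5
redis-tools\t2:2.8.17-1+deb8u6
redis-sentinel\t2:2.8.17-1+deb8u10
"""


def _order(c: str) -> int:
    """Character weight dpkg uses inside the non-digit runs of a version."""
    if c == "~":
        return -1          # '~' sorts before anything, even end of string
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)      # letters sort before non-letters
    return ord(c) + 256    # '+', '.', '-' etc. sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the way dpkg does:
    alternate lexical comparison of non-digit runs with numeric comparison
    of digit runs. Negative, zero or positive result."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one position at a time.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the
        # first differing digit (so "u10" > "u6", unlike a string compare).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = version, ""
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)  # revision follows the last '-'
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1, ordering v1 against v2 as dpkg --compare-versions does."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2)
    if c == 0:
        c = _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """An installed version older than the fixed one still carries the bugs."""
    return compare_versions(installed, fixed) < 0


def triage(dpkg_query_output: str, fixed: str = FIXED_VERSION) -> dict:
    """Map each package in dpkg-query output to True if it needs the upgrade."""
    result = {}
    for line in dpkg_query_output.splitlines():
        if not line.strip():
            continue
        package, version = line.split("\t", 1)
        result[package] = is_vulnerable(version, fixed)
    return result


if __name__ == "__main__":
    for pkg, vuln in triage(SAMPLE_DPKG_QUERY_OUTPUT).items():
        print(f"{pkg}: {'UPGRADE NEEDED' if vuln else 'ok'}")
```

On a Jessie host the same decision can be made directly with dpkg, which applies these rules natively: `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' redis-server)" lt 2:2.8.17-1+deb8u6` exits 0 when the installed package is older than the fixed version. The Python port is useful when checking exported package inventories from many hosts on a machine where dpkg is not installed.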

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWzMLGWaOgq3Tt24GAQj5cQ/+I3FnST5BxJ85MCxTTXQ/GbFSzu/iGM+7
BydxnQZyhQLHjGnXQWlyso/ouH+f4UEhFY2sMub2P68s1a5dqG8+q332oKrSqVXE
mmjbCe3olIccslNMfXitSviskLWXBb6bTJAv3aK2Ba3pecI4KW0iNPNuDH63Kcvl
78OsoXVH+HCWJqEQvMjiejhOSNAgzDJI+1GisCdMUqqDt63RQGtnNWxC+qvrM2ta
g6Fq7fhqarAEoOBJms7QPmFa5TTbl7hKTE35rufXxdXRSsbCMVgwyxvrWrsBFHXa
02VQ9tMlKtdNIB/GA7C0iGpzI3sXM+iS5I4fCUEXHPA9D2GVGAOGlvuPMTsRJN54
S5wxN/tux/WtYf14d/8/RaIioFovw0E3KGOjNmpkB2YZ5hAjGRwdXse5ywtmWiGc
lORL9gWwPLuqA8c7KTgQuyrAhcNUrud98dIiPS5WZV8AeoKka1+DPT4bBON31xSn
tdmIS+wezOxu2lquBC172Ah9JjL0Wz0ew+zRjfqLRPHD6IVtqateXBKQ/Vh3UpEJ
LQj/fkdm0S0fRdPu1qUUFry2wl3Xyp58kJOXkpcrDq2CG2t3jvGh6k/zCzG+17NM
e326bA8CHdf84N8h8DHN5iGd9pLzEXi4ZX+Ms/msRFuxOOWv8JjHZL3wSgOzGjgx
SLtRw7gEBCY=
=Bx+R
-----END PGP SIGNATURE-----
