Greetings,

CERT/CC is notifying you of vulnerabilities (CVE-2018-11218, and CVE-2018-11219) impacting Redis which are planned to be publicly disclosed this week on Wednesday June 13th. You may already have received information on these vulnerabilities from the Redis developer, Salvatore Sanfilippo, and if so you may ignore this message.

CVE-2018-11218 is a heap corruption vulnerability in cmsgpack
CVE-2018-11219 is an integer overflow

Patch information is available in a private GIST: https://gist.github.com/antirez/149e6d291046298814ae4a941cae6e87

CERT/CC does not intend to publish an additional vulnerability note at this time.

Regards,
Vulnerability Analysis Team
======================================================================
CERT Coordination Center
www.cert.org / cert@cert.org

robbat2 has acked receipt of the report by email, but is travelling; maybe you can have a look at it when it goes public, ultrabug?
======================================================================
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e499a85adc09194818908fee15698924f54f7d3

commit 3e499a85adc09194818908fee15698924f54f7d3
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-06-17 21:10:10 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-06-17 21:12:36 +0000

    dev-db/redis: bump to v3.2.12

    Bug: https://bugs.gentoo.org/658066
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-3.2.12.ebuild | 131 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 132 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c552b81ac63dd4a200c381c2b62f1cfb3e8e91ba

commit c552b81ac63dd4a200c381c2b62f1cfb3e8e91ba
Author: Tomas Mozes <tmozes@sygic.com>
AuthorDate: 2018-06-16 20:53:43 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-06-17 21:12:34 +0000

    dev-db/redis: bump to 4.0.10

    Closes: https://github.com/gentoo/gentoo/pull/8861
    Bug: https://bugs.gentoo.org/658066

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-4.0.10.ebuild | 141 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 142 insertions(+)
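As an added example (not part of the bug report, the CERT/CC mail or the Gentoo commits): a small check that reads the `redis_version` field as printed by `redis-cli INFO server` and decides whether a running server is at or past the releases these two commits bump to, 3.2.12 and 4.0.10. The assumptions are stated in the code: those two versions are taken as the first fixed release of their branch because that is what the bug was resolved with; release lines newer than 4.0 are assumed to carry the fix, and older lines (3.0.x, 2.8.x) are assumed not to, since nothing on this bug covers them. The INFO text used as input is constructed for the example.

```python
"""Check a Redis server's reported version against the releases that closed
Gentoo bug 658066 (CVE-2018-11218, CVE-2018-11219).

Added example, not code from the bug, from CERT/CC or from the Redis project.

Assumptions (not stated verbatim on the bug):
  - 3.2.12 and 4.0.10 are the first patched releases of their branches,
    taken from the "bump to" commits on the bug;
  - release lines newer than 4.0 include the fix;
  - older lines (3.0.x, 2.8.x, ...) got no fix here and count as unpatched.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum patched release per (major, minor) branch, from the commit messages.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (3, 2): (3, 2, 12),
    (4, 0): (4, 0, 10),
}


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from a redis_version value.

    Accepts either a bare string such as "4.0.9" or a full `INFO server`
    dump containing a "redis_version:4.0.9" line. Returns None when no
    version can be found, so callers never compare against garbage.
    """
    m = re.search(r"redis_version:\s*(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: Version) -> bool:
    """True if `version` is at or past the fixed release for its branch.

    Branches listed in FIXED_BY_BRANCH are compared against their own
    threshold; anything else is patched only if it is newer than the newest
    fixed release (assumption), so 3.0.x and 2.8.x come back as unpatched.
    """
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version >= FIXED_BY_BRANCH[branch]
    newest_fixed = max(FIXED_BY_BRANCH.values())
    return version > newest_fixed


def assess(info_text: str) -> str:
    """Turn an INFO dump into a one-line verdict for a report or a monitor."""
    version = parse_version(info_text)
    if version is None:
        return "unknown: no redis_version field found"
    label = ".".join(str(x) for x in version)
    if is_patched(version):
        return f"{label}: patched (CVE-2018-11218, CVE-2018-11219)"
    needed = FIXED_BY_BRANCH.get(version[:2])
    hint = ".".join(str(x) for x in needed) if needed else "a supported branch"
    return f"{label}: UNPATCHED, upgrade to {hint}"


if __name__ == "__main__":
    # Constructed sample of `redis-cli INFO server` output, not a real capture.
    SAMPLE_INFO = (
        "# Server\r\n"
        "redis_version:4.0.9\r\n"
        "redis_git_sha1:00000000\r\n"
        "redis_mode:standalone\r\n"
    )
    print(assess(SAMPLE_INFO))
    print(assess("redis_version:4.0.10"))
    print(assess("redis_version:3.2.11"))
    print(assess("# Server\r\nredis_mode:standalone\r\n"))
```

On a live host the input comes from `redis-cli -h <host> INFO server`; the script only looks at the version string, so it says nothing about whether a server on an unpatched version is actually reachable by an attacker, and the verdict for branches other than 3.2 and 4.0 rests on the stated assumptions.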
x86 stable
amd64 stable
Still affected by bug 649556. But as it's a security stabilization again -- reluctantly stable on arm64...
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b792beaa5636e08180acaeda3ea4c0181c6b5307

commit b792beaa5636e08180acaeda3ea4c0181c6b5307
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 20:01:01 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:21:04 +0000

    dev-db/redis: stable 4.0.10 for ppc64, bug #658066

    Bug: https://bugs.gentoo.org/658066
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 dev-db/redis/redis-4.0.10.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35a53ca45a86c718912b52738b47a2f565b5490f

commit 35a53ca45a86c718912b52738b47a2f565b5490f
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 20:00:56 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:21:04 +0000

    dev-db/redis: stable 3.2.12 for ppc64, bug #658066

    Bug: https://bugs.gentoo.org/658066
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 dev-db/redis/redis-3.2.12.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
arm stable
@arches, ping
dropping STABLEREQ in favor of bug #689700
This issue was resolved and addressed in GLSA 201908-04 at https://security.gentoo.org/glsa/201908-04 by GLSA coordinator Aaron Bauman (b-man).