• Situation for redis for bookworm?

    From Salvatore Bonaccorso@21:1/5 to All on Sun Mar 26 14:00:01 2023
    Hi Chris,

    I'm trying to clarify some packages which have security-fixes which
    did not yet land in bookworm.

    redis is on the radar for that, recent uploads for unstable did fix
    some (arguably no-dsa) CVEs. Redis is though not able to migrate to
    testing. Can you have a look and, if the testing regressions are false
    positives or to be ignored, file an unblock request for the release team?

    https://qa.debian.org/excuses.php?package=redis mentions that there are autopkgtest regressions for python-channels-redis.

    As it is furthermore a key package, it needs to be asked explicitly for
    an unblock.

    CVEs fixed in unstable but not yet in bookworm cover CVE-2022-35977, CVE-2022-36021, CVE-2023-22458 and CVE-2023-25155.

    Would be great to have the redis situation addressed before the bookworm
    release.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Gevers@21:1/5 to Chris Lamb on Sun Mar 26 14:30:01 2023
    To: team@security.debian.org
    To: debian-release@lists.debian.org

    Hi Salvatore,

    On 26-03-2023 13:57, Salvatore Bonaccorso wrote:
    > redis is on the radar for that, recent uploads for unstable did fix
    > some (arguably no-dsa) CVEs. Redis is though not able to migrate to
    > testing. Can you have a look and if the testing regressions are false
    > positives or to be ignored file an unblock request for the release team?

    Chris already did in bug 1030600, e.g.
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030600#30. I see
    redis had another upload, which apparently doesn't trigger the
    autopkgtest failure in python-fakeredis.

    Might be worth unblocking this version of redis if all upstream uploads
    can be justified.

    Paul

  • From Salvatore Bonaccorso@21:1/5 to Paul Gevers on Tue Mar 28 21:00:01 2023
    Hi Paul,

    On Sun, Mar 26, 2023 at 02:25:21PM +0200, Paul Gevers wrote:
    > Hi Salvatore,
    >
    > On 26-03-2023 13:57, Salvatore Bonaccorso wrote:
    >> redis is on the radar for that, recent uploads for unstable did fix
    >> some (arguably no-dsa) CVEs. Redis is though not able to migrate to
    >> testing. Can you have a look and if the testing regressions are false
    >> positives or to be ignored file an unblock request for the release team?
    >
    > Chris already did in bug 1030600, e.g.
    > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030600#30. I see redis
    > had another upload, which apparently doesn't trigger the autopkgtest
    > failure in python-fakeredis.

    Apologies that I did not notice.

    > Might be worth unblocking this version of redis if all upstream uploads
    > can be justified.

    The new version does not have any further regressions, as per https://qa.debian.org/excuses.php?package=redis . So I think that
    would be welcome to resolve all the CVEs still affecting bookworm.

    Chris, what is your take on it?

    Regards,
    Salvatore

  • From Chris Lamb@21:1/5 to All on Wed Mar 29 02:10:01 2023
    Dear all,

    > The new version does not have any further regressions, as per
    > https://qa.debian.org/excuses.php?package=redis. So I think that
    > would be welcome to resolve all the CVEs still affecting bookworm.
    >
    > Chris, what is your take on it?

    Sorry for the delay in replying; some other things ate all my
    bandwidth for considered thought in the last week or so.

    To cut a long story short: yes, I agree that the ideal solution is to
    unblock 5:7.0.10-1 (ie. the version currently in unstable) for
    bookworm and release bookworm with that.

    My gut feeling is that the 7.0.x branch will receive upstream-blessed
    patches for security fixes for a little while. This would hopefully
    make future DSAs relatively straightforward. (I doubt it will receive
    specific updates for the entirety of the bookworm release, alas, but
    that's out of our control). Either way, it makes sense to release with
    the latest version of the 7.0.x branch.

    Salvatore, do you wish to request an unblock here (ie. of 5:7.0.10-1
    in sid to override 5:7.0.7-1 in bookworm) or shall I? (Would it have
    more weight if you did it?)


    Regards,

    --
    ,''`.
    : :' : Chris Lamb
    `. `'` lamby@debian.org 🍥 chris-lamb.co.uk
    `-

  • From Salvatore Bonaccorso@21:1/5 to Chris Lamb on Wed Mar 29 11:10:01 2023
    Hi Chris,

    On Wed, Mar 29, 2023 at 01:00:20AM +0100, Chris Lamb wrote:
    > Dear all,
    >
    >> The new version does not have any further regressions, as per
    >> https://qa.debian.org/excuses.php?package=redis. So I think that
    >> would be welcome to resolve all the CVEs still affecting bookworm.
    >>
    >> Chris, what is your take on it?
    >
    > Sorry for the delay in replying; some other things ate all my
    > bandwidth for considered thought in the last week or so.

    No worries, we still have some time for bookworm.

    > To cut a long story short: yes, I agree that the ideal solution is to
    > unblock 5:7.0.10-1 (ie. the version currently in unstable) for
    > bookworm and release bookworm with that.

    Thanks for confirming!

    > My gut feeling is that the 7.0.x branch will receive upstream-blessed
    > patches for security fixes for a little while. This would hopefully
    > make future DSAs relatively straightforward. (I doubt it will receive
    > specific updates for the entirety of the bookworm release, alas, but
    > that's out of our control). Either way, it makes sense to release with
    > the latest version of the 7.0.x branch.

    > Salvatore, do you wish to request an unblock here (ie. of 5:7.0.10-1
    > in sid to override 5:7.0.7-1 in bookworm) or shall I? (Would it have
    > more weight if you did it?)

    I do not think I have any special weight more on doing it ;-). If you
    can ask with a bugreport for an unblock that would be great, thank you
    Chris.

    Regards,
    Salvatore

  • From Chris Lamb@21:1/5 to Salvatore Bonaccorso on Thu Mar 30 00:40:01 2023
    Salvatore Bonaccorso wrote:

    > I do not think I have any special weight more on doing it ;-). If you
    > can ask with a bugreport for an unblock that would be great, thank you
    > Chris.

    Unblock request filed as #1033677.


    Regards,

    --
    ,''`.
    : :' : Chris Lamb
    `. `'` lamby@debian.org 🍥 chris-lamb.co.uk
    `-
