USN-7321-1: Redis vulnerabilities

Releases

• Ubuntu 24.10
• Ubuntu 24.04 LTS
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM
• Ubuntu 14.04 ESM

Packages

• redis - Persistent key-value database with network interface

Details

It was discovered that Redis incorrectly handled certain memory operations
during pattern matching. An attacker could possibly use this issue to cause
a denial of service. (CVE-2024-31228)

It was discovered that Redis incorrectly handled certain specially crafted
Lua scripts. An attacker could possibly use this issue to cause a denial
of service or execute arbitrary code. (CVE-2024-46981)

It was discovered that Redis incorrectly handled some malformed ACL
selectors. An attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 24.10 and Ubuntu 24.04 LTS.
(CVE-2024-51741)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.10

• redis-server - 5:7.0.15-1ubuntu0.24.10.1
• redis-tools - 5:7.0.15-1ubuntu0.24.10.1

Ubuntu 24.04

• redis-server - 5:7.0.15-1ubuntu0.24.04.1
• redis-tools - 5:7.0.15-1ubuntu0.24.04.1

Ubuntu 22.04

• redis-server - 5:6.0.16-1ubuntu1+esm2
  Available with Ubuntu Pro
• redis-tools - 5:6.0.16-1ubuntu1+esm2
  Available with Ubuntu Pro

Ubuntu 20.04

• redis-server - 5:5.0.7-2ubuntu0.1+esm3
  Available with Ubuntu Pro
• redis-tools - 5:5.0.7-2ubuntu0.1+esm3
  Available with Ubuntu Pro

Ubuntu 18.04

• redis-server - 5:4.0.9-1ubuntu0.2+esm5
  Available with Ubuntu Pro
• redis-tools - 5:4.0.9-1ubuntu0.2+esm5
  Available with Ubuntu Pro

Ubuntu 16.04

• redis-server - 2:3.0.6-1ubuntu0.4+esm3
  Available with Ubuntu Pro
• redis-tools - 2:3.0.6-1ubuntu0.4+esm3
  Available with Ubuntu Pro

Ubuntu 14.04

• redis-server - 2:2.8.4-2ubuntu0.2+esm4
• redis-tools - 2:2.8.4-2ubuntu0.2+esm4

In general, a standard system update will make all the necessary changes.

References

• CVE-2024-46981
• CVE-2024-51741
• CVE-2024-31228