Bug 28452

Summary: redis new security issue CVE-2021-21309
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, mageia, ouaurelien, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-32-OK
Source RPM: redis-6.0.9-1.mga8.src.rpm
CVE: CVE-2021-21309
Status comment:
Bug Depends on:
Bug Blocks: 28492

Description David Walser 2021-02-26 18:15:27 CET
Debian-LTS has issued an advisory on February 25:
https://www.debian.org/lts/security/2021/dla-2576

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-02-26 18:15:40 CET

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Patch available from Debian

Comment 1 Lewis Smith 2021-02-27 09:31:33 CET
Assigning to Stig as the active maintainer of 'redis'.

Assignee: bugsquad => smelror

Nicolas Lécureuil 2021-02-28 21:54:34 CET

Blocks: (none) => 28492

Comment 2 Nicolas Lécureuil 2021-02-28 21:56:10 CET
fixed in cauldron.

I cloned the bugreport for mga7.

Fixed for mga8:
       -  redis-6.0.11-1.mga8

Whiteboard: MGA8TOO, MGA7TOO => (none)
Version: Cauldron => 8
CC: (none) => mageia
Assignee: smelror => qa-bugs

David Walser 2021-03-01 17:49:57 CET

Status comment: Patch available from Debian => (none)

Comment 3 David Walser 2021-03-03 02:03:50 CET
Advisory:
========================

Updated redis packages fix security vulnerability:

It was discovered that there were a number of integer overflow issues in Redis.
It is currently believed that the issues only affect 32-bit based systems
(CVE-2021-21309).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21309
https://www.debian.org/lts/security/2021/dla-2576

Comment 4 Thomas Andrews 2021-03-24 23:07:57 CET
Testing this on 32-bit hardware because of the advisory.

Installed redis and dependency on a 32-bit mga8 Xfce4 system, then used qarepo to get the update. No installation issues. 

Referenced Bug 24042 for testing procedure:

$ su
Password: 
# systemctl start redis.service
# exit
exit
$ systemctl status redis.service
● redis.service - Redis persistent key-value database
     Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; vendor pr>
    Drop-In: /usr/lib/systemd/system/redis.service.d
             └─limit.conf
     Active: active (running) since Wed 2021-03-24 17:53:06 EDT; 59s ago
   Main PID: 9829 (redis-server)
      Tasks: 5 (limit: 4791)
        CPU: 1.343s
     CGroup: /system.slice/redis.service
             └─9829 /usr/bin/redis-server 127.0.0.1:6379
$ redis-cli < tutorial.txt
OK
"pluto"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 1
(integer) 2
(integer) 3
1) "David"
2) "Suzy"
3) "Zack"
1) "David"
2) "Suzy"
1) "Suzy"
2) "Zack"
$ 

Results for this very basic script are as expected. Giving this a 32-bit OK, and Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-32-OK
CC: (none) => andrewsfarm, sysadmin-bugs
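
The smoke test above shows the server answering, but not which build is running. The script below is an added example, not part of this bug report or of Redis: it reads the output of `redis-cli INFO server`, pulls the `redis_version` and `arch_bits` fields that INFO prints, and reports whether the server is a 32-bit build still older than the 6.0.11 fix shipped for Mageia 8 (the advisory in Comment 3 says the issue is only believed to affect 32-bit systems). The sample INFO texts at the bottom are constructed for the demo, not captured from the QA test system.

```sh
#!/bin/sh
# Added example for this bug, not part of the Mageia report or of Redis:
# read `redis-cli INFO server` output and say whether the server is a 32-bit
# build older than the 6.0.11 fix. redis_version and arch_bits are the field
# names INFO prints; the sample texts below are constructed, not captured.

FIXED_VERSION="6.0.11"   # redis-6.0.11-1.mga8 is the fixed Mageia 8 package

# version_ge A B: succeed when dotted version A is greater than or equal to B.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_info: reads INFO server text on stdin (CRLF line endings tolerated).
# Prints a one-line verdict and returns 0 (fixed, or not a 32-bit build),
# 1 (32-bit build older than the fix) or 2 (fields not found).
check_info() {
    info=$(tr -d '\r')
    version=$(printf '%s\n' "$info" | sed -n 's/^redis_version:\(.*\)$/\1/p' | head -n 1)
    bits=$(printf '%s\n' "$info" | sed -n 's/^arch_bits:\(.*\)$/\1/p' | head -n 1)
    if [ -z "$version" ] || [ -z "$bits" ]; then
        echo "could not find redis_version/arch_bits in INFO output" >&2
        return 2
    fi
    if [ "$bits" != "32" ]; then
        echo "redis $version, ${bits}-bit build: not a 32-bit system, CVE-2021-21309 not believed to apply"
        return 0
    fi
    if version_ge "$version" "$FIXED_VERSION"; then
        echo "redis $version, 32-bit build: at or above $FIXED_VERSION, fixed"
        return 0
    fi
    echo "redis $version, 32-bit build: older than $FIXED_VERSION, still affected"
    return 1
}

# Constructed samples in the shape of `INFO server` output (not real captures).
SAMPLE_OLD_32='# Server
redis_version:6.0.9
redis_mode:standalone
arch_bits:32
tcp_port:6379'
SAMPLE_NEW_32='# Server
redis_version:6.0.11
arch_bits:32'
SAMPLE_OLD_64='# Server
redis_version:6.0.9
arch_bits:64'

# Stand-alone run: query the live server when redis-cli is available,
# otherwise print the verdicts for the constructed samples.
if command -v redis-cli >/dev/null 2>&1; then
    redis-cli INFO server | check_info || true
else
    for s in "$SAMPLE_OLD_32" "$SAMPLE_NEW_32" "$SAMPLE_OLD_64"; do
        printf '%s\n' "$s" | check_info || true
    done
fi
```

On the test machine from Comment 4 the live call is `redis-cli INFO server | check_info`; a non-zero return on a 32-bit box means the update did not actually land.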

Aurelien Oudelet 2021-03-25 16:05:30 CET

CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-21309

Comment 5 Mageia Robot 2021-03-27 15:28:39 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0155.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED