Bug 28492

Summary: redis new security issue CVE-2021-21309
Product: Mageia
Reporter: Nicolas Lécureuil <mageia>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, herman.viaene, ouaurelien, smelror, sysadmin-bugs
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: redis-5.0.9-1.mga7.src.rpm
CVE: CVE-2021-21309
Status comment:
Bug Depends on: 28452
Bug Blocks:    

Description Nicolas Lécureuil 2021-02-28 21:54:34 CET
Cloning, as fixing this for Mageia 7 will take more time.

+++ This bug was initially created as a clone of Bug #28452 +++

Debian-LTS has issued an advisory on February 25:
https://www.debian.org/lts/security/2021/dla-2576

Mageia 7 and Mageia 8 are also affected.

Comment 1 Aurelien Oudelet 2021-02-28 22:35:32 CET
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

CVE: (none) => CVE-2021-21309
CC: luigiwalser, security => ouaurelien
Source RPM: redis-6.0.9-1.mga8.src.rpm => redis-5.0.9-1.mga7.src.rpm
Assignee: bugsquad => mageia

David Walser 2021-03-01 17:50:20 CET

Status comment: (none) => Patch available from Debian

Comment 2 David Walser 2021-06-28 18:00:01 CEST
Advisory:
========================

Updated redis packages fix security vulnerability:

It was discovered that there were a number of integer overflow issues in Redis.
It is currently believed that the issues only affect 32-bit based systems
(CVE-2021-21309).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21309
https://www.debian.org/lts/security/2021/dla-2576
========================

Updated packages in core/updates_testing:
========================
redis-5.0.9-1.1.mga7

from redis-5.0.9-1.1.mga7.src.rpm

Assignee: mageia => qa-bugs
Status comment: Patch available from Debian => (none)
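
The advisory above only says that the overflows are believed to matter on 32-bit systems. The following is an added illustration, not Redis code and not the Debian or Mageia patch, of why that is: a length computation that cannot wrap in a 64-bit size_t does wrap in a 32-bit one, and a limit that is a perfectly legal 64-bit configuration value may not fit a 32-bit size at all. uint32_t stands in for a 32-bit size_t so the behaviour is the same on a 64-bit test host; the function names and the example limits are hypothetical.

```c
/*
 * Added illustration (not Redis code, not the CVE-2021-21309 patch):
 * size arithmetic on a 32-bit size_t, naive versus checked.
 * uint32_t is used as a stand-in for a 32-bit size_t so the wrap is
 * reproducible on a 64-bit host. All names and limits are hypothetical.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit size_t stand-in and its maximum value. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Unchecked: header + count * elem on a 32-bit size type. Unsigned
 * arithmetic is modular, so a large count silently wraps to a small
 * total; a buffer allocated with that total is far too short for the
 * count * elem bytes that will later be written into it. */
static size32_t naive_total(size32_t header, size32_t count, size32_t elem)
{
    return header + count * elem;
}

/* Checked: same computation, returns -1 instead of wrapping. The tests
 * divide or subtract against SIZE32_MAX before doing the arithmetic,
 * never compute first and inspect the (already wrapped) result. */
static long long checked_total(size32_t header, size32_t count, size32_t elem)
{
    if (elem != 0 && count > SIZE32_MAX / elem)
        return -1;                      /* count * elem would wrap */
    size32_t body = count * elem;
    if (header > SIZE32_MAX - body)
        return -1;                      /* header + body would wrap */
    return (long long)(header + body);
}

/* A limit parsed from configuration is usually a 64-bit signed value.
 * On a 32-bit build it must be validated (or clamped) before it is
 * stored in a size_t: 4 GiB is a valid long long but not a valid
 * 32-bit size, and truncating it yields 0. */
static bool limit_fits_size32(long long configured)
{
    return configured >= 0 && (unsigned long long)configured <= SIZE32_MAX;
}

int main(void)
{
    /* count * elem = 0x40000000 * 4 = 2^32, which is 0 modulo 2^32 */
    size32_t header = 16, count = 0x40000000u, elem = 4;

    printf("naive   : %" PRIu32 " bytes (wrapped)\n",
           naive_total(header, count, elem));
    printf("checked : %lld (negative means refused)\n",
           checked_total(header, count, elem));
    printf("checked : %lld bytes for a sane request\n",
           checked_total(header, 1000, elem));

    long long four_gib = 4LL * 1024 * 1024 * 1024;   /* hypothetical limit */
    long long half_gib = 512LL * 1024 * 1024;        /* hypothetical limit */
    printf("4 GiB limit fits a 32-bit size_t  : %s\n",
           limit_fits_size32(four_gib) ? "yes" : "no");
    printf("512 MiB limit fits a 32-bit size_t: %s\n",
           limit_fits_size32(half_gib) ? "yes" : "no");
    return 0;
}
```

On a 64-bit build the same 0x40000000 * 4 product is 4 GiB and simply allocates (or fails cleanly), which is why such bugs go unnoticed until a 32-bit build sees a large configured limit; the practical check is to validate every configuration-derived size against the platform's size_t range at the point it is set, not where it is used.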

Comment 3 Herman Viaene 2021-07-08 15:50:46 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 19158 for testfile.
# systemctl start redis
# systemctl -l status redis
● redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since Thu 2021-07-08 15:41:55 CEST; 18s ago
 Main PID: 15517 (redis-server)
    Tasks: 4 (limit: 4915)
   Memory: 2.0M
   CGroup: /system.slice/redis.service
           └─15517 /usr/bin/redis-server 127.0.0.1:6379

Jul 08 15:41:55 mach5.hviaene.thuis systemd[1]: Started Redis persistent key-value database.

$ redis-cli < tutorialredis
OK
"pluto"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 1
(integer) 2
(integer) 3
1) "David"
2) "Suzy"
3) "Zack"
1) "David"
2) "Suzy"
1) "Suzy"
2) "Zack"
Looks OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2021-07-08 21:20:08 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-07-08 22:44:39 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2021-07-09 00:44:49 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0317.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED