Debian has issued an advisory on June 17: https://www.debian.org/security/2018/dsa-4230

The issues are fixed upstream in 4.0.10 (already updated in Cauldron): http://antirez.com/news/119
Done also for mga6!
Advisory:
========================

Updated redis package fixes security vulnerabilities:

Multiple vulnerabilities were discovered in the Lua subsystem of Redis which could result in denial of service (CVE-2018-11218, CVE-2018-11219).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11219
http://antirez.com/news/119
https://www.debian.org/security/2018/dsa-4230
========================

Updated packages in core/updates_testing:
========================
redis-4.0.10-1.mga6

from redis-4.0.10-1.mga6.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
MGA6-32 on IBM Thinkpad R50e MATE
Ref. to bug 22465 Comment 4 and bug 19158 Comment 2 and the raw commands attachment.

# systemctl start redis
# systemctl -l status redis
● redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since zo 2018-07-01 10:11:10 CEST; 15s ago
 Main PID: 15912 (redis-server)
   CGroup: /system.slice/redis.service
           └─15912 /usr/bin/redis-server 127.0.0.1:6379

jul 01 10:11:10 <pcid> systemd[1]: Started Redis persistent key-value database.

$ redis-cli < redistutorial
OK
"pluto"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 1
(integer) 2
(integer) 3
1) "David"
2) "Suzy"
3) "Zack"
1) "David"
2) "Suzy"
1) "Suzy"
2) "Zack"

Seems OK

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Mageia 6, x86_64

At least one reproducer for CVE-2018-11218, at https://gist.github.com/antirez/82445fcbea6d9b19f97014cc6cc79f8a.
Following up on this later.
CC: (none) => tarazed25
Created attachment 10269
Python script to reproduce CVE-2018-11218 problem

Described at https://github.com/antirez/redis/commit/52a00201fca331217c3b4b8b634f6a0f57d6b7d3
Note that it does not seem to work.
Before the update: redis-4.0.7-1.mga6

CVE-2018-11218
Created the trigger.py script referred to on the link quoted in comment 4.
Started the redis service and ran the trigger - no effect on the server.

$ python trigger.py
$ systemctl status -l redis
● redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset
  Drop-In: /usr/lib/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since Thu 2018-07-05 08:16:41 BST; 48s ago
  Process: 26362 ExecStop=/usr/libexec/redis-shutdown (code=exited, status=0/SUCCESS)
 Main PID: 26369 (redis-server)
   CGroup: /system.slice/redis.service
           └─26369 /usr/bin/redis-server 127.0.0.1:6379

The expected result is a "stack smash" resulting in a DoS which is supposed to crash the server. Since there is no sign of that, one may conclude that the problem had already been fixed in earlier versions, but note that https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES indicates that it was not fixed until 4.0.10.

CVE-2018-11219
https://github.com/antirez/redis/commit/e89086e09a38cc6713bcd4b9c29abf92cf393936

$ lua -e "return struct.unpack('f', 'xxxxxxxxxxxxx', -3)"
lua: (command line):1: attempt to index global 'struct' (a nil value)
stack traceback:
        (command line):1: in main chunk
        [C]: in ?

This looks like a coding problem and a misunderstanding on my part, so it is best to skip it.

Updated to redis-4.0.10-1 and restarted the server.
Ran the tutorial script against redis-cli and produced the same output as comment 3.

Repeating the script here:

SET server:name "pluto"
GET server:name
set connections 7
incr connections
incr connections
get connections
del connections
incr connections
set resource:lock "Redis Demo 1"
expire resource:lock 40
ttl resource:lock
ttl resource:lock
ttl resource:lock
set resource:lock "Demo 2"
rpush friends "Suzy"
rpush friends "Zack"
lpush friends "David"
lrange friends 0 -1
lrange friends 0 1
lrange friends 1 2
exit

No regressions, so this is good for 64-bits as well.
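The QA steps above (run the tutorial script through redis-cli, run the reproducer, confirm the server is still up, confirm the updated package is the one answering) can be scripted. The following is an added example and is not code from this bug report, from the Mageia package or from the Redis project. It speaks RESP directly so the encoder and parser can be exercised offline, reads redis_version from INFO server and compares it with the fixed upstream release 4.0.10, and checks PING. It assumes a Redis on 127.0.0.1:6379 as in the systemctl output above, that the updated package reports redis_version 4.0.10, and the file name redis_qa.py and the script-file argument are hypothetical.

```python
"""Added QA helper: RESP encode/decode, version check against 4.0.10, liveness check.
Not the project's code; assumes Redis on 127.0.0.1:6379 (hypothetical defaults)."""
import io
import shlex
import socket
import sys

# Upstream release that fixes CVE-2018-11218 / CVE-2018-11219 (per the advisory above).
FIXED_VERSION = (4, 0, 10)


class ErrorReply(str):
    """A RESP error reply ("-ERR ..."), returned rather than raised so a replayed
    script shows every reply, the way redis-cli does."""


def encode_command(*args):
    """Encode one command as a RESP array of bulk strings (the wire form redis-cli sends)."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def read_reply(stream):
    """Read one RESP reply from a binary stream (socket.makefile('rb') or io.BytesIO)."""
    line = stream.readline()
    if not line.endswith(b"\r\n"):
        raise ConnectionError("connection closed mid-reply")  # server gone or cut us off
    kind, payload = line[:1], line[1:-2]
    if kind == b"+":
        return payload.decode()
    if kind == b"-":
        return ErrorReply(payload.decode())
    if kind == b":":
        return int(payload)
    if kind == b"$":
        n = int(payload)
        if n < 0:
            return None  # null bulk string
        return stream.read(n + 2)[:n].decode()  # payload plus its trailing CRLF
    if kind == b"*":
        n = int(payload)
        if n < 0:
            return None  # null array
        return [read_reply(stream) for _ in range(n)]
    raise ValueError("unknown RESP type byte %r" % kind)


def decode_reply(data):
    """Decode one complete reply held in a bytes object."""
    return read_reply(io.BytesIO(data))


def redis_version(info_text):
    """Extract redis_version from the INFO server bulk reply as a tuple of ints."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return tuple(int(x) for x in line.split(":", 1)[1].strip().split("."))
    raise ValueError("redis_version not found in INFO output")


def is_fixed(version):
    """True when the running server is at or past the fixed upstream release."""
    return tuple(version) >= FIXED_VERSION


def run_script(script_text, sock):
    """Replay a redis-cli style script (one command per line) and collect the replies."""
    stream = sock.makefile("rb")
    replies = []
    for line in script_text.splitlines():
        args = shlex.split(line)
        if not args or args[0].lower() == "exit":
            continue
        sock.sendall(encode_command(*args))
        replies.append(read_reply(stream))
    return replies


def check_server(host="127.0.0.1", port=6379, timeout=5.0):
    """Report the version, whether it is >= 4.0.10, and whether PING is answered.
    Run it before and after a reproducer: the second run shows the server survived."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        sock.sendall(encode_command("INFO", "server"))
        version = redis_version(read_reply(stream))
        sock.sendall(encode_command("PING"))
        alive = read_reply(stream) == "PONG"
    return {"version": version, "fixed": is_fixed(version), "alive": alive}


if __name__ == "__main__":
    # Usage: python redis_qa.py [tutorial-script-file]
    print(check_server())
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh, socket.create_connection(("127.0.0.1", 6379)) as sock:
            for reply in run_script(fh.read(), sock):
                print(reply)
```

Running `python redis_qa.py redistutorial` before and after the trigger gives a version line to paste into the report and a clear failure (ConnectionError or a refused connection) if the server went down, which is more informative than eyeballing systemctl status.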
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0309.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This update also fixed CVE-2018-12326: https://bugzilla.redhat.com/show_bug.cgi?id=1594291