Bug 25278 - redis new security issues CVE-2019-10192 and CVE-2019-10193
Summary: redis new security issues CVE-2019-10192 and CVE-2019-10193
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-12 00:35 CEST by David Walser
Modified: 2019-08-18 14:41 CEST (History)
4 users

See Also:
Source RPM: redis-4.0.12-1.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 4.0.14


Attachments

Description David Walser 2019-08-12 00:35:27 CEST
Debian has issued an advisory on July 11:
https://www.debian.org/security/2019/dsa-4480

The issues are fixed upstream in 4.0.14 and 5.0.4.
David Walser 2019-08-12 00:35:42 CEST

Status comment: (none) => Fixed upstream in 4.0.14
Severity: normal => major

Comment 1 David Walser 2019-08-12 00:58:43 CEST
Ubuntu has issued an advisory for this on July 16:
https://usn.ubuntu.com/4061-1/
Comment 2 Stig-Ørjan Smelror 2019-08-12 08:32:00 CEST
Advisory
========

This update fixes 2 security issues.

CVE-2019-10192: A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure
CVE-2019-10193: A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure

References
==========
https://www.debian.org/security/2019/dsa-4480
https://security-tracker.debian.org/tracker/CVE-2019-10192
https://security-tracker.debian.org/tracker/CVE-2019-10193
https://usn.ubuntu.com/4061-1/

Files
=====

redis-4.0.14-1.mga6

from redis-4.0.14-1.mga6.src.rpm
Stig-Ørjan Smelror 2019-08-12 08:32:13 CEST

Assignee: smelror => qa-bugs

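A version check that complements the advisory above: it reads the `redis_version` field from `redis-cli INFO server` output and compares it against the first fixed release of each upstream branch named in this bug (4.0.14 and 5.0.4). This is an added example, not part of the Mageia bug, the update, or the Redis project; the INFO text embedded below is a constructed sample so the script runs offline, and the `FIXED_VERSIONS` table is an assumption taken from the fixed versions stated in the Description.

```python
"""Check whether a Redis server reports a version carrying the fixes for
CVE-2019-10192 and CVE-2019-10193.

Added example, not code from the bug report or from Redis. It parses the text
returned by `redis-cli INFO server` and compares the reported version with the
first fixed release of each upstream branch named in the bug (4.0.14, 5.0.4).
Branches not listed are reported as 'unknown' rather than guessed.
"""
import re
import subprocess
import sys

# First fixed release per upstream branch (assumption: taken from the bug's
# statement "fixed upstream in 4.0.14 and 5.0.4").
FIXED_VERSIONS = {
    (4, 0): (4, 0, 14),
    (5, 0): (5, 0, 4),
}

# Constructed sample of `redis-cli INFO server` output; not captured from a real host.
SAMPLE_INFO = """\
# Server
redis_version:4.0.12
redis_mode:standalone
os:Linux x86_64
tcp_port:6379
"""


def parse_version(info_text):
    """Return the redis_version from INFO output as an (x, y, z) tuple, or None.

    INFO lines may end in CRLF; the digit-only groups stop before any '\\r'.
    """
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Classify a version tuple as 'fixed', 'vulnerable' or 'unknown'.

    'unknown' covers a missing version and branches the advisory does not name.
    """
    if version is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"


def check_info(info_text):
    """Parse INFO text and return (version_string, verdict)."""
    v = parse_version(info_text)
    version_string = ".".join(map(str, v)) if v else "?"
    return version_string, assess(v)


if __name__ == "__main__":
    # Prefer live output from a local redis-cli; fall back to the sample so the
    # script still demonstrates the logic on a machine without Redis.
    try:
        text = subprocess.run(
            ["redis-cli", "INFO", "server"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_INFO
    ver, verdict = check_info(text)
    print(f"redis {ver}: {verdict}")
    sys.exit(0 if verdict == "fixed" else 1)
```

The exit status makes the script usable in a post-update check: it returns 0 only when the running server reports a version at or beyond the fixed release for its branch, so a server that was updated on disk but never restarted (still reporting 4.0.12) is flagged.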
Comment 3 Len Lawrence 2019-08-16 18:23:04 CEST
mga6, x86_64

Clean update from version 4.0.12 to 4.0.14.

$ sudo systemctl start redis
$ sudo systemctl enable redis
$ systemctl status redis
● redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor 
  Drop-In: /usr/lib/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since Fri 2019-08-16 16:56:19 BST; 2min 51s ago
.....

Ran the simple tutorial exercise reported here several times before.
See bug 22465 for instance.
$ redis-cli
127.0.0.1:6379> set server:name pluto
OK
127.0.0.1:6379> GET server:name
"pluto"
127.0.0.1:6379> set connections 5
OK
127.0.0.1:6379> incr connections
(integer) 6
127.0.0.1:6379> incr connections
(integer) 7
127.0.0.1:6379> get connections
"7"
127.0.0.1:6379> del connections
(integer) 1
127.0.0.1:6379> incr connections
(integer) 1
127.0.0.1:6379> set resource:lock "Redis Demo 1"
OK
127.0.0.1:6379> expire resource:lock 40
(integer) 1
127.0.0.1:6379> ttl resource:lock
(integer) -2
127.0.0.1:6379> set resource:lock "Demo 2"
OK
127.0.0.1:6379> rpush friends "Suzy"
(integer) 8
127.0.0.1:6379> rpush friends "Zack"
(integer) 9
127.0.0.1:6379> lpush friends "David"
(integer) 10
127.0.0.1:6379> lpush friends "David"
(integer) 11
127.0.0.1:6379> lrange friends 0 -1
 1) "David"
 2) "David"
 3) "Lucy"
 4) "David"
 5) "David"
 6) "Suzy"
 7) "Zack"
 8) "Suzy"
 9) "Zack"
10) "Suzy"
11) "Zack"
127.0.0.1:6379> lrange friends 0 1
1) "David"
2) "David"
127.0.0.1:6379> lrange friends 1 2
1) "David"
2) "Lucy"
127.0.0.1:6379> exit
$
This confirms the persistence of the database from earlier tests.  Up arrow functions as expected and where extra input is possible the system provides an unobtrusive prompt on the rest of the commandline, describing the options.

At this simple level the system works.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2019-08-18 02:58:17 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-08-18 13:06:12 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2019-08-18 14:41:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0226.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

