Debian has issued an advisory on July 11:
https://www.debian.org/security/2019/dsa-4480

The issues are fixed upstream in 4.0.14 and 5.0.4.
Status comment: (none) => Fixed upstream in 4.0.14
Severity: normal => major
Ubuntu has issued an advisory for this on July 16: https://usn.ubuntu.com/4061-1/
Advisory
========

This update fixes 2 security issues.

CVE-2019-10192: A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure

CVE-2019-10193: A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure

References
==========

https://www.debian.org/security/2019/dsa-4480
https://security-tracker.debian.org/tracker/CVE-2019-10192
https://security-tracker.debian.org/tracker/CVE-2019-10193
https://usn.ubuntu.com/4061-1/

Files
=====

redis-4.0.14-1.mga6 from redis-4.0.14-1.mga6.src.rpm
Assignee: smelror => qa-bugs
mga6, x86_64

Clean update from version 4.0.12 to 4.0.14.

$ sudo systemctl start redis
$ sudo systemctl enable redis
$ systemctl status redis
● redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor
  Drop-In: /usr/lib/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since Fri 2019-08-16 16:56:19 BST; 2min 51s ago
.....

Ran the simple tutorial exercise reported here several times before. See bug 22465 for instance.

$ redis-cli
127.0.0.1:6379> set server:name pluto
OK
127.0.0.1:6379> GET server:name
"pluto"
127.0.0.1:6379> set connections 5
OK
127.0.0.1:6379> incr connections
(integer) 6
127.0.0.1:6379> incr connections
(integer) 7
127.0.0.1:6379> get connections
"7"
127.0.0.1:6379> del connections
(integer) 1
127.0.0.1:6379> incr connections
(integer) 1
127.0.0.1:6379> set resource:lock "Redis Demo 1"
OK
127.0.0.1:6379> expire resource:lock 40
(integer) 1
127.0.0.1:6379> ttl resource:lock
(integer) -2
127.0.0.1:6379> set resource:lock "Demo 2"
OK
127.0.0.1:6379> rpush friends "Suzy"
(integer) 8
127.0.0.1:6379> rpush friends "Zack"
(integer) 9
127.0.0.1:6379> lpush friends "David"
(integer) 10
127.0.0.1:6379> lpush friends "David"
(integer) 11
127.0.0.1:6379> lrange friends 0 -1
 1) "David"
 2) "David"
 3) "Lucy"
 4) "David"
 5) "David"
 6) "Suzy"
 7) "Zack"
 8) "Suzy"
 9) "Zack"
10) "Suzy"
11) "Zack"
127.0.0.1:6379> lrange friends 0 1
1) "David"
2) "David"
127.0.0.1:6379> lrange friends 1 2
1) "David"
2) "Lucy"
127.0.0.1:6379> exit
$

This confirms the persistence of the database from earlier tests. Up arrow functions as expected and where extra input is possible the system provides an unobtrusive prompt on the rest of the commandline, describing the options.

At this simple level the system works.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0226.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED