Debian has issued an advisory on July 19: https://www.debian.org/security/2020/dsa-4731
The issue is fixed upstream in 5.0.8.
What do you suggest? To update to 5.0.8, 5.0.9 or go for 6.0.6 released recently?
Cheers, Stig
5.0.9 sounds like the best bet (newest in our current branch).
Advisory
========

Redis has been updated to fix a security issue.

CVE-2020-14147 - An integer overflow in the getnum function in lua_struct.c

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2020-14147
https://www.debian.org/security/2020/dsa-4731

Files
=====

Uploaded to core/updates_testing

redis-5.0.9-1.mga7
from redis-5.0.9-1.mga7.src.rpm
Assignee: smelror => qa-bugs
mga7, x86_64

CVE-2020-14147
https://github.com/redis/redis/issues/2855

This is a "simple" PoC used with an earlier version of redis, recommended to reproduce the stack-based buffer overflow in the latest version. However, there is no direction on how to use it - cannot get it to work here because lua does not include structs from what I read elsewhere. The Lua programming manual does not mention them.

$ lua
Lua 5.3.5  Copyright (C) 1994-2018 Lua.org, PUC-Rio
> EVAL "struct.pack('>I2147483648', '10')" 0
stdin:1: unexpected symbol near '0'
> struct.pack('>I2147483648', '10')
stdin:1: attempt to index a nil value (global 'struct')
stack traceback:
        stdin:1: in main chunk
        [C]: in ?

Giving up on that.

Tested redis before updating by starting the redis service and running a tutorial script against redis-cli which produced the expected results. The script was last used on https://bugs.mageia.org/show_bug.cgi?id=24042

Updated redis.

$ sudo systemctl restart redis.service
$ redis-cli
127.0.0.1:6379> get server:name
"pluto"
127.0.0.1:6379> exit

So, the database is persistent. Ran the tutorial script using a new server name.

$ redis-cli < tutorial
OK
"rapunzel"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 4
(integer) 5
(integer) 6
1) "David"
2) "David"
3) "Suzy"
4) "Zack"
5) "Suzy"
6) "Zack"
1) "David"
2) "David"
1) "David"
2) "Suzy"

Made some trivial changes to the tutorial script:

$ redis-cli < tutorial
OK
"rapunzel"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 7
(integer) 8
(integer) 9
1) "Polly"
2) "David"
3) "David"
4) "Suzy"
5) "Zack"
6) "Suzy"
7) "Zack"
8) "Sukie"
9) "Zack"
1) "Polly"
2) "David"
1) "David"
2) "David"

No regressions. Giving this an OK for 64-bits.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
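As an added example (not from this bug report and not Redis's own source), a standalone C model of the decimal repeat-count parser in lua_struct.c that CVE-2020-14147 concerns: a format such as `>I2147483648` carries a count that the unpatched getnum accumulated into an int with no bound check, and the guard below is the kind of limit the 5.0.8 fix adds. The function names, the return convention and the absence of any Lua dependency are this example's own simplifications.

```c
/* Added example: standalone model of the repeat/size count parser used by
 * Redis's lua_struct.c (getnum). Not the page's or Redis's code; it has no
 * Lua dependency. A count like the "2147483648" in ">I2147483648" must be
 * rejected before a*10+d can exceed INT_MAX instead of silently wrapping. */
#include <ctype.h>
#include <limits.h>

/* Parse a decimal count at *fmt into *out, advancing *fmt past the digits.
 * Returns 1 on success, 0 on overflow. With no digits present, *out = df
 * (the caller's default, as in the original parser). */
int getnum_checked(const char **fmt, int df, int *out) {
    if (!isdigit((unsigned char)**fmt)) {
        *out = df;
        return 1;
    }
    int a = 0;
    do {
        int d = **fmt - '0';
        /* Two-part guard: a*10 itself must not overflow, and the sum
         * a*10 + d must stay at or below INT_MAX. Checked before use. */
        if (a > INT_MAX / 10 || a * 10 > INT_MAX - d)
            return 0;                     /* integral size overflow */
        a = a * 10 + d;
        (*fmt)++;
    } while (isdigit((unsigned char)**fmt));
    *out = a;
    return 1;
}

/* Wrapper for one format fragment such as "I2147483648": skip the single
 * option letter, then parse its count. Returns the count, or -1 on overflow.
 * Option-letter handling is simplified for the example (hypothetical API). */
int parse_count(const char *fmt_fragment, int df) {
    const char *p = fmt_fragment;
    if (*p && !isdigit((unsigned char)*p))
        p++;                              /* skip the option letter */
    int n;
    return getnum_checked(&p, df, &n) ? n : -1;
}
```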
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0312.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
*** Bug 27881 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu