Bug 28452 - redis new security issue CVE-2021-21309
Summary: redis new security issue CVE-2021-21309
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 28492
Reported: 2021-02-26 18:15 CET by David Walser
Modified: 2021-03-27 15:28 CET
CC: 4 users

See Also:
Source RPM: redis-6.0.9-1.mga8.src.rpm
CVE: CVE-2021-21309
Status comment:



Description David Walser 2021-02-26 18:15:27 CET
Debian-LTS has issued an advisory on February 25:
https://www.debian.org/lts/security/2021/dla-2576

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-02-26 18:15:40 CET

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Patch available from Debian

Comment 1 Lewis Smith 2021-02-27 09:31:33 CET
Assigning to Stig as the active maintainer of 'redis'.

Assignee: bugsquad => smelror

Nicolas Lécureuil 2021-02-28 21:54:34 CET

Blocks: (none) => 28492

Comment 2 Nicolas Lécureuil 2021-02-28 21:56:10 CET
fixed in cauldron.

I cloned the bugreport for mga7.

Fixed for mga8:
       -  redis-6.0.11-1.mga8

Whiteboard: MGA8TOO, MGA7TOO => (none)
Version: Cauldron => 8
CC: (none) => mageia
Assignee: smelror => qa-bugs

David Walser 2021-03-01 17:49:57 CET

Status comment: Patch available from Debian => (none)

Comment 3 David Walser 2021-03-03 02:03:50 CET
Advisory:
========================

Updated redis packages fix security vulnerability:

It was discovered that there were a number of integer overflow issues in Redis.
It is currently believed that the issues only affect 32-bit based systems
(CVE-2021-21309).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21309
https://www.debian.org/lts/security/2021/dla-2576

Comment 4 Thomas Andrews 2021-03-24 23:07:57 CET
Testing this on 32-bit hardware because of the advisory.

Installed redis and dependency on a 32-bit mga8 Xfce4 system, then used qarepo to get the update. No installation issues.

Referenced Bug 24042 for testing procedure:

$ su
Password: 
# systemctl start redis.service
# exit
exit
$ systemctl status redis.service
● redis.service - Redis persistent key-value database
     Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; vendor pr>
    Drop-In: /usr/lib/systemd/system/redis.service.d
             └─limit.conf
     Active: active (running) since Wed 2021-03-24 17:53:06 EDT; 59s ago
   Main PID: 9829 (redis-server)
      Tasks: 5 (limit: 4791)
        CPU: 1.343s
     CGroup: /system.slice/redis.service
             └─9829 /usr/bin/redis-server 127.0.0.1:6379
$ redis-cli < tutorial.txt
OK
"pluto"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 1
(integer) 2
(integer) 3
1) "David"
2) "Suzy"
3) "Zack"
1) "David"
2) "Suzy"
1) "Suzy"
2) "Zack"
$ 

Results for this very basic script are as expected. Giving this a 32-bit OK, and Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-32-OK
CC: (none) => andrewsfarm, sysadmin-bugs
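
The advisory in Comment 3 says the overflows are believed to affect only 32-bit builds, and Comment 4 verifies the update on 32-bit hardware. The script below is an added example for checking whether a running Redis instance falls into that population; it is not code from this bug report or from the Redis project. It reads the `redis_version` and `arch_bits` fields of a `redis-cli INFO server` reply, and assumes the fix threshold is 6.0.11, the upstream version Mageia 8 shipped as the fix here (redis-6.0.11-1.mga8); a distribution that backported the fix under an older version string would still be reported as affected. The sample INFO text is constructed, not captured from a real host.

```python
"""Classify a Redis instance against the CVE-2021-21309 advisory:
affected = 32-bit build AND version below the fixed release.
Added example, not code from the Mageia bug or the Redis project."""
import subprocess

# Assumption: threshold taken from the package this bug names as the fix
# (redis-6.0.11-1.mga8). Backported fixes under older version strings are
# not recognised by a version comparison.
FIXED_VERSION = (6, 0, 11)


def parse_info(raw: str) -> dict:
    """Parse the key:value lines of an INFO reply into a dict.

    INFO replies use CRLF line endings and '# Section' headers; both are
    skipped. Only the first ':' separates key from value, so values that
    themselves contain ':' survive intact."""
    fields = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def parse_version(text: str) -> tuple:
    """Turn '6.0.9' into (6, 0, 9) so versions compare numerically;
    a plain string compare would rank '6.0.9' above '6.0.11'."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def assess(info: dict) -> dict:
    """Return the facts the advisory makes relevant plus a verdict."""
    version = parse_version(info.get("redis_version", "0"))
    arch_bits = int(info.get("arch_bits", "0"))
    is_32bit = arch_bits == 32
    patched = version >= FIXED_VERSION
    return {
        "version": version,
        "arch_bits": arch_bits,
        "is_32bit": is_32bit,
        "patched": patched,
        # Per the advisory only 32-bit builds are believed affected; an
        # unpatched 64-bit build still warrants the upgrade but is not flagged.
        "affected": is_32bit and not patched,
    }


def assess_raw(raw: str) -> dict:
    return assess(parse_info(raw))


# Constructed sample INFO output (not a real capture), shaped like the
# '# Server' section of a redis-cli INFO reply, for the pre-update
# Mageia 8 package version named in this bug.
SAMPLE_VULNERABLE_32 = (
    "# Server\r\n"
    "redis_version:6.0.9\r\n"
    "redis_mode:standalone\r\n"
    "os:Linux i686\r\n"
    "arch_bits:32\r\n"
    "tcp_port:6379\r\n"
)
SAMPLE_FIXED_32 = SAMPLE_VULNERABLE_32.replace("redis_version:6.0.9",
                                               "redis_version:6.0.11")
SAMPLE_VULNERABLE_64 = SAMPLE_VULNERABLE_32.replace("arch_bits:32",
                                                    "arch_bits:64")


def live_check() -> dict:
    """Query a local instance through redis-cli, if one is reachable."""
    try:
        raw = subprocess.run(["redis-cli", "INFO", "server"],
                             capture_output=True, text=True,
                             timeout=5, check=True).stdout
    except (OSError, subprocess.SubprocessError) as exc:
        return {"error": str(exc)}
    return assess_raw(raw)


if __name__ == "__main__":
    for label, sample in (("6.0.9 / 32-bit", SAMPLE_VULNERABLE_32),
                          ("6.0.11 / 32-bit", SAMPLE_FIXED_32),
                          ("6.0.9 / 64-bit", SAMPLE_VULNERABLE_64)):
        print(label, "affected:", assess_raw(sample)["affected"])
    print("local instance:", live_check())
```

Run it on the host after `systemctl start redis.service` as in Comment 4; on a 32-bit Mageia 8 box still on 6.0.9 it reports `affected: True`, and after the update to 6.0.11 it reports `False`. Because the verdict rests on the upstream version string, treat `affected: True` on a distribution known to backport fixes as "check the package changelog", not as proof of exposure.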

Aurelien Oudelet 2021-03-25 16:05:30 CET

CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-21309

Comment 5 Mageia Robot 2021-03-27 15:28:39 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0155.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
