Bug 28492 - redis new security issue CVE-2021-21309
Summary: redis new security issue CVE-2021-21309
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on: 28452
Blocks:
 
Reported: 2021-02-28 21:54 CET by Nicolas Lécureuil
Modified: 2021-07-09 00:44 CEST

See Also:
Source RPM: redis-5.0.9-1.mga7.src.rpm
CVE: CVE-2021-21309
Status comment:



Description Nicolas Lécureuil 2021-02-28 21:54:34 CET
Cloning as fixing for Mageia 7 will take more time

+++ This bug was initially created as a clone of Bug #28452 +++

Debian-LTS has issued an advisory on February 25:
https://www.debian.org/lts/security/2021/dla-2576

Mageia 7 and Mageia 8 are also affected.
Comment 1 Aurelien Oudelet 2021-02-28 22:35:32 CET
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

CVE: (none) => CVE-2021-21309
CC: luigiwalser, security => ouaurelien
Source RPM: redis-6.0.9-1.mga8.src.rpm => redis-5.0.9-1.mga7.src.rpm
Assignee: bugsquad => mageia

David Walser 2021-03-01 17:50:20 CET

Status comment: (none) => Patch available from Debian

Comment 2 David Walser 2021-06-28 18:00:01 CEST
Advisory:
========================

Updated redis packages fix security vulnerability:

It was discovered that there were a number of integer overflow issues in Redis.
It is currently believed that the issues only affect 32-bit based systems
(CVE-2021-21309).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21309
https://www.debian.org/lts/security/2021/dla-2576
========================

Updated packages in core/updates_testing:
========================
redis-5.0.9-1.1.mga7

from redis-5.0.9-1.1.mga7.src.rpm

Assignee: mageia => qa-bugs
Status comment: Patch available from Debian => (none)

Comment 3 Herman Viaene 2021-07-08 15:50:46 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 19158 for testfile.
# systemctl start redis
# systemctl -l status redis
● redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since Thu 2021-07-08 15:41:55 CEST; 18s ago
 Main PID: 15517 (redis-server)
    Tasks: 4 (limit: 4915)
   Memory: 2.0M
   CGroup: /system.slice/redis.service
           └─15517 /usr/bin/redis-server 127.0.0.1:6379

Jul 08 15:41:55 mach5.hviaene.thuis systemd[1]: Started Redis persistent key-value database.


$ redis-cli < tutorialredis 
OK
"pluto"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 1
(integer) 2
(integer) 3
1) "David"
2) "Suzy"
3) "Zack"
1) "David"
2) "Suzy"
1) "Suzy"
2) "Zack"
Looks OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2021-07-08 21:20:08 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-07-08 22:44:39 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2021-07-09 00:44:49 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0317.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

