Fedora has issued an advisory on March 12: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BPWBIZXA67JFIB63W2CNVVILCGIC2ME5/ It looks like we are actually only affected by CVE-2021-29477. The issue is fixed upstream in 6.0.13.
CC: (none) => mageia
Status comment: (none) => Fixed upstream in 6.0.13
In cauldron we have 6.0.11, then 6.2.0-6.2.3. All these were done by Stig, so assigning the bug to you.
Assignee: bugsquad => smelror
openSUSE has issued an advisory on June 5: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/B74HW6HBAH5TAP4L5LLUY3KI4JBTVQS3/ The issue (CVE-2021-32625) is fixed upstream in 6.0.14 and 6.2.4. It wouldn't go in our update advisory, as it's a CVE for an incomplete fix for CVE-2021-29477.
Status comment: Fixed upstream in 6.0.13 => Fixed upstream in 6.0.14
Fedora has issued an advisory for this on June 11: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BHWOF7CBVUGDK3AN6H3BN3VNTH2TDUZZ/
Fedora advisory for 6.0.x: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SN7INTZFE34MIQJO7WDDTIY5LIBGN6GI/
Debian-LTS has issued an advisory on July 22: https://www.debian.org/lts/security/2021/dla-2717 The issue is fixed upstream in 6.0.15: https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj
Status comment: Fixed upstream in 6.0.14 => Fixed upstream in 6.0.15
Summary: redis new security issues CVE-2021-29477 and CVE-2021-29478 => redis new security issues CVE-2021-2947[78] and CVE-2021-32761
Advisory
========

Redis has been updated to fix several security issues.

CVE-2021-29477: An integer overflow bug in Redis version 6.0 or newer could be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution.

CVE-2021-29478: An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt the heap and potentially result in remote code execution.

CVE-2021-32761: A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis `*BIT*` commands are vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution.

References
==========
https://www.opencve.io/cve/CVE-2021-29477
https://www.opencve.io/cve/CVE-2021-29478
https://www.opencve.io/cve/CVE-2021-32761
https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj

Files
=====
Uploaded to core/updates_testing

redis-6.0.15-1.mga8
from redis-6.0.15-1.mga8.src.rpm
Assignee: smelror => qa-bugs
Status comment: Fixed upstream in 6.0.15 => (none)
MGA8-64 Plasma on Lenovo B50

No installation issues

Ref bug 24042 Comment 1 for testing with the tutorial file. Repeating all results here as there are a few minor differences in the texts.

# systemctl start redis
# systemctl -l status redis
● redis.service - Redis persistent key-value database
     Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; vendor preset: disabled)
    Drop-In: /usr/lib/systemd/system/redis.service.d
             └─limit.conf
     Active: active (running) since Sat 2021-07-24 15:05:36 CEST; 16s ago
   Main PID: 13659 (redis-server)
      Tasks: 5 (limit: 9402)
     Memory: 1.7M
        CPU: 43ms
     CGroup: /system.slice/redis.service
             └─13659 /usr/bin/redis-server 127.0.0.1:6379

jul 24 15:05:36 mach5.hviaene.thuis systemd[1]: Started Redis persistent key-value database.

Then as normal user:

$ redis-cli < tutorialredis.txt
OK
"pluto"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 1
(integer) 2
(integer) 3
1) "David"
2) "Suzy"
3) "Zack"
1) "David"
2) "Suzy"
1) "Suzy"
2) "Zack"

$ redis-cli
127.0.0.1:6379> lrange friends 1-2<stop>
(error) ERR wrong number of arguments for 'lrange' command
127.0.0.1:6379> lrange friends 1 2
1) "Suzy"
2) "Zack"
127.0.0.1:6379> GET server:name
"pluto"
127.0.0.1:6379> set resource:lock "Demo 2"
OK
127.0.0.1:6379> expire "Demo 2" 10
(integer) 0
127.0.0.1:6379> ttl resource:lock
(integer) -1
127.0.0.1:6379> ttl resource:lock
(integer) -1
127.0.0.1:6379> lpush friends "Lucy"
(integer) 4
127.0.0.1:6379> lrange friends 7 7
(empty array)
127.0.0.1:6379> lrange friends 0 0
1) "Lucy"
127.0.0.1:6379> lrange friends 0 -1
1) "Lucy"
2) "David"
3) "Suzy"
4) "Zack"
127.0.0.1:6379> exit

OK for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating.

type: security
subject: Updated redis package fixes security vulnerabilities
CVE:
 - CVE-2021-29477
 - CVE-2021-29478
 - CVE-2021-32761
src:
  8:
   core:
     - redis-6.0.15-1.mga8
description: |
  An integer overflow bug in Redis version 6.0 or newer could be exploited
  using the `STRALGO LCS` command to corrupt the heap and potentially result
  in remote code execution (CVE-2021-29477).

  An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to
  corrupt the heap and potentially result in remote code execution
  (CVE-2021-29478).

  A vulnerability involving out-of-bounds read and integer overflow to buffer
  overflow exists starting with version 2.2 and prior to versions 5.0.13,
  6.0.15 and 6.2.5. On 32-bit systems, Redis `*BIT*` commands are vulnerable
  to integer overflow that can potentially be exploited to corrupt the heap,
  leak arbitrary heap contents or trigger remote code execution
  (CVE-2021-32761).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29036
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BPWBIZXA67JFIB63W2CNVVILCGIC2ME5/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BHWOF7CBVUGDK3AN6H3BN3VNTH2TDUZZ/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SN7INTZFE34MIQJO7WDDTIY5LIBGN6GI/
 - https://www.debian.org/lts/security/2021/dla-2717
 - https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj
Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-2947[78] and CVE-2021-32761
CC: (none) => ouaurelien, sysadmin-bugs
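A defender-side check for the three CVEs described in the advisory comment and repeated in the validation text above: this is an added example, not Mageia or Redis project code. It uses the version boundaries stated in the advisory; the 6.2.3 upper bound for CVE-2021-29477 is an assumption taken from the upstream 6.2 fix and is not stated on this page, and the `INFO server` output is a constructed sample.

```python
import re

# Affected ranges per branch: (first affected inclusive, first fixed exclusive).
# Values come from the advisory text; the 6.2.3 bound for CVE-2021-29477 is an
# assumption taken from the upstream 6.2 fix and is not stated in the advisory.
RANGES = {
    "CVE-2021-29477": [((6, 0, 0), (6, 0, 13)), ((6, 2, 0), (6, 2, 3))],
    "CVE-2021-29478": [((6, 2, 0), (6, 2, 3))],
    "CVE-2021-32761": [((2, 2, 0), (5, 0, 13)),
                       ((6, 0, 0), (6, 0, 15)),
                       ((6, 2, 0), (6, 2, 5))],
}

# Constructed sample of `redis-cli INFO server` output from an unpatched
# 6.0.11 build (the cauldron version mentioned in the thread) on a 32-bit host.
SAMPLE_INFO = """# Server
redis_version:6.0.11
redis_mode:standalone
os:Linux 5.10.0 i686
arch_bits:32
tcp_port:6379
"""

def parse_version(text):
    """Turn '6.0.11' or '6.0.15-1.mga8' into a 3-tuple; missing parts are 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def affected_cves(version):
    """Return the sorted CVE ids whose affected range contains `version`."""
    v = parse_version(version)
    return sorted(cve for cve, ranges in RANGES.items()
                  if any(lo <= v < hi for lo, hi in ranges))

def check_info(info_text):
    """Parse INFO output; report version, word size (the *BIT* overflow in
    CVE-2021-32761 is described for 32-bit systems) and applicable CVEs."""
    fields = dict(line.split(":", 1) for line in info_text.splitlines()
                  if ":" in line and not line.startswith("#"))
    version = fields.get("redis_version", "0")
    return {"version": version,
            "arch_bits": fields.get("arch_bits", "unknown"),
            "cves": affected_cves(version)}

if __name__ == "__main__":
    print(check_info(SAMPLE_INFO))
```

Feeding it the version string of the shipped package (6.0.15-1.mga8) returns an empty CVE list, which is the expected result after the update.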
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0373.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED