Fedora has issued advisories on October 12:

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/

The issues are fixed upstream in 6.0.16 and 6.2.6 (already updated in Cauldron).
Status comment: (none) => Fixed upstream in 6.0.16
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29549
Version: Cauldron => 8
Advisory
========

Redis has been updated to fix several security issues.

References
==========

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32672
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32675
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32687
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41099

Files
=====

Uploaded to core/updates_testing

redis-6.0.16-1.mga8

from redis-6.0.16-1.mga8.src.rpm
Assignee: smelror => qa-bugs
CC: (none) => smelror
Please include a real advisory (you can get descriptions of the security issues from the RedHat bugs), and remember to leave yourself in CC when assigning to QA.
Status comment: Fixed upstream in 6.0.16 => (none)
@Stig, apropos of comment 2 and Dave Hodgins' attempts to encourage QA testers to become more involved in the advisory side, I am willing to try to give you a hand in this provided somebody with more experience approves the text. My SVN commit rights don't seem to work though.
CC: (none) => tarazed25
$ rpm -q redis
package redis is not installed

Installed it.

(medium "Core Release")
lib64jemalloc2 5.2.1 3.mga8 x86_64
(medium "Core Updates")
redis 6.0.15 1.mga8 x86_64

Started redis service and checked redis-cli with earlier tutorial script.
https://bugs.mageia.org/show_bug.cgi?id=24042

$ redis-cli
127.0.0.1:6379> get server:name
(nil)
127.0.0.1:6379> exit
$ redis-cli < tutorial
........
$ redis-cli
127.0.0.1:6379> get server:name
"rapunzel"
....

Clean update with qarepo.

$ rpm -q redis
redis-6.0.16-1.mga8
$ sudo systemctl restart redis
$ redis-cli < tutorial
OK
"rapunzel"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 4
(integer) 5
(integer) 6
1) "Polly"
2) "Polly"
3) "Sukie"
.....

Expected output, no regressions.

$ urpmq --whatrequires redis | uniq
ntopng

Installed ntopng.

$ su -
Password:
# ntopng -i eno1
# strace -o ntopng.trace ntopng -i eno1
14/Oct/2021 17:34:48 [Ntop.cpp:2336] Setting local networks to 127.0.0.0/8,fe80::/10
14/Oct/2021 17:34:48 [Redis.cpp:157] Successfully connected to redis 127.0.0.1:6379@0
14/Oct/2021 17:34:48 [Redis.cpp:157] Successfully connected to redis 127.0.0.1:6379@0
...........
14/Oct/2021 17:34:54 [NetworkInterface.cpp:1701] WARNING: If you have TSO/GRO enabled, please disable it
14/Oct/2021 17:34:54 [NetworkInterface.cpp:1703] WARNING: Use sudo ethtool -K eno1 gro off gso off tso off
^C
14/Oct/2021 17:36:52 [main.cpp:50] Shutting down...
14/Oct/2021 17:36:52 [PcapInterface.cpp:336] Terminated packet polling for eno1
14/Oct/2021 17:36:52 [NetworkInterface.cpp:2621] Flow dump thread completed for eno1
14/Oct/2021 17:36:55 [Ntop.cpp:2540] Terminating periodic activities
...........
14/Oct/2021 17:36:57 [NetworkInterface.cpp:544] Flushing host contacts for interface eno1
14/Oct/2021 17:36:57 [NetworkInterface.cpp:2778] Cleanup interface eno1
14/Oct/2021 17:36:57 [AddressResolution.cpp:63] Address resolution stats [7 resolved][2 failures]

# grep redis ntopng.trace | wc -l
92

Most of the entries were similar to this:
openat(AT_FDCWD, "/var/lib/ntopng/plugins0/ts_schemas/redis_monitor", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 23

These superficial tests work so this gets an OK.
Whiteboard: (none) => MGA8-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
(In reply to Len Lawrence from comment #3)
> @Stig, apropos of comment 2 and Dave Hodgins' attempts to encourage QA
> testers to become more involved in the advisory side I am willing to try to
> give you a hand in this provided somebody with more experience approves the
> text. My SVN commit rights don't seem to work though.

Len, this isn't what Dave was talking about. Dave was talking about committing the advisories to SVN. Before you can do that, we have to *have* an advisory to commit, which we don't, and the packager is supposed to provide that.
Advisory
========

Redis has been updated to fix several security issues.

CVE-2021-32626: Specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution.

CVE-2021-32627: An integer overflow bug in Redis 5.0 or newer can be exploited to corrupt the heap and potentially result with remote code execution.

CVE-2021-32628: An integer overflow bug in the ziplist data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result with remote code execution.

CVE-2021-32672: When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer.

CVE-2021-32675: When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header).

CVE-2021-32687: An integer overflow bug affecting all versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents of the heap or trigger remote code execution.

CVE-2021-32762: The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-bulk network replies.

CVE-2021-41099: An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result with denial of service or remote code execution.

References
==========

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32672
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32675
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32687
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41099

Files
=====

Uploaded to core/updates_testing

redis-6.0.16-1.mga8

from redis-6.0.16-1.mga8.src.rpm
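As an added example (not code from this bug, the Redis project or the Mageia package), the defensive pattern behind the CVE-2021-32675 and CVE-2021-32762 entries above: a RESP request parser that validates the counts announced in the multi-bulk (`*N`) and bulk (`$N`) headers before letting them size anything. The caps MAX_MULTIBULK_LEN and MAX_BULK_LEN are values assumed for this example, not Redis's configuration.

```python
"""Bounded RESP request parser (added example): counts from the multi-bulk
(*N) and bulk ($N) headers are validated before they drive any allocation."""
import re

# Assumed caps for this example, not Redis's own configuration.
MAX_MULTIBULK_LEN = 1024 * 1024          # elements per request
MAX_BULK_LEN = 512 * 1024 * 1024         # bytes per element

def _read_line(buf, pos):
    end = buf.find(b"\r\n", pos)          # returns (line, position after CRLF)
    if end < 0:
        raise ValueError("incomplete line")
    return buf[pos:end], end + 2

def _parse_count(raw, limit, what):
    # Digits only, at most 18 (fits an int64, so a C port cannot overflow),
    # then the cap: nothing is sized by this number until both checks pass.
    if not re.fullmatch(rb"[0-9]{1,18}", raw):
        raise ValueError(f"invalid {what} header: {raw!r}")
    n = int(raw)
    if n > limit:
        raise ValueError(f"{what} {n} exceeds limit {limit}")
    return n

def parse_request(buf):
    """Parse one complete multi-bulk request into a list of byte strings."""
    if not buf.startswith(b"*"):
        raise ValueError("expected multi-bulk header")
    raw, pos = _read_line(buf, 1)
    nargs = _parse_count(raw, MAX_MULTIBULK_LEN, "multi-bulk count")
    args = []                          # grows per element, never preallocated
    for _ in range(nargs):
        if buf[pos:pos + 1] != b"$":
            raise ValueError("expected bulk header")
        raw, pos = _read_line(buf, pos + 1)
        blen = _parse_count(raw, MAX_BULK_LEN, "bulk length")
        end = pos + blen
        if buf[end:end + 2] != b"\r\n":    # payload must already be present
            raise ValueError("bulk payload missing or not terminated")
        args.append(buf[pos:end])
        pos = end + 2
    return args

def check_request(buf):
    """'ok' if buf parses under the caps, 'rejected' otherwise."""
    try:
        parse_request(buf)
        return "ok"
    except ValueError:
        return "rejected"
```

The request used in the test below is the same `get server:name` exchange as in the QA log; oversized or non-numeric headers are rejected before any buffer is sized from them.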
Thanks. The first Fedora advisory from Comment 0 can be included in the references.
@David regarding comment 6. Thanks for the clarification - saved me some work.
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0483.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED