Fedora has issued an advisory today (May 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VPYKSG7LKUJGVM2P72EHXKVRVRWHLORX/

The issues are fixed upstream in 6.2.7:
https://github.com/redis/redis/security/advisories/GHSA-647m-2wmq-qmvq
https://github.com/redis/redis/security/advisories/GHSA-3qpw-7686-5984

Mageia 8 is also affected.

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 6.2.7
kekepower is the active maintainer of this package, so assigning this update to you. You did version 6.2.6 and loads of previous ones.
Assignee: bugsquad => smelror
openSUSE has issued an advisory for this on May 25: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NERGELOQ43TXPK5SCGTMYFI4KDXITL74/
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same, or different script, at a later time. Several weaknesses of these measures have been publicly known for a long time, but they had no security impact as the Redis security model did not endorse the concept of users or privileges. With the introduction of ACLs in Redis 6.0, these weaknesses can be exploited by less privileged users to inject Lua code that will execute at a later time, when a privileged user executes a Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules. (CVE-2022-24735)

Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference which will result in a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules. (CVE-2022-24736)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24736
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VPYKSG7LKUJGVM2P72EHXKVRVRWHLORX/
https://github.com/redis/redis/security/advisories/GHSA-647m-2wmq-qmvq
https://github.com/redis/redis/security/advisories/GHSA-3qpw-7686-5984
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NERGELOQ43TXPK5SCGTMYFI4KDXITL74/
========================

Updated package in core/updates_testing:
========================

redis-6.0.16-1.1.mga8

from SRPM:
redis-6.0.16-1.1.mga8.src.rpm
Assignee: smelror => qa-bugs
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Source RPM: redis-6.2.6-2.mga9.src.rpm => redis-6.0.16-1.mga8.src.rpm
Status comment: Fixed upstream in 6.2.7 => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8
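The ACL workaround the advisory describes, shown as an added illustration that is not part of this bug report or of the Mageia package: a users.acl fragment with a user who can still load Lua beside one denied the scripting commands. The user names, the placeholder password and the file path are assumptions; the ACL file format, the `@scripting` category and the `-eval`/`-evalsha`/`-script` rules are standard Redis 6 ACL syntax.

```conf
# users.acl (assumed path; whatever the "aclfile" directive in redis.conf points to)

# Weak: +@all lets this application user run EVAL and SCRIPT LOAD, so it could
# leave Lua behind that later executes under a more privileged user's script.
user app-weak on >change-me-placeholder ~* +@all

# Mitigated (only an option when the application does not use Lua scripting):
# keep +@all but remove the whole scripting category, which covers
# EVAL, EVALSHA and SCRIPT (SCRIPT LOAD included).
user app on >change-me-placeholder ~* +@all -@scripting

# Equivalent rule naming the commands explicitly instead of the category.
# Redis 6.0 cannot deny a single subcommand, so the whole SCRIPT command goes.
# user app on >change-me-placeholder ~* +@all -eval -evalsha -script
```

After editing the file, `ACL LOAD` from redis-cli (or a restart) applies it, and `ACL GETUSER app` shows the resulting command mask so the denial can be checked before relying on it.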
mga8, x64

Installed current version and started the redis service:
status = Started Redis persistent key-value database.

There is some analysis of the problems covered by the CVEs at https://github.com/redis/redis/pull/10651. It looks like somebody with knowledge of lua could run the tests in interactive mode.

Referred to tutorial script on bug 24042.

$ cat tutorial
GET server:name
set connections 7
incr connections
incr connections
get connections
del connections
incr connections
set resource:lock "Redis Demo 1"
expire resource:lock 40
ttl resource:lock
ttl resource:lock
ttl resource:lock
set resource:lock "Demo 2"
rpush friends "Sukie"
rpush friends "Zack"
lpush friends "Polly"
lrange friends 0 -1
lrange friends 0 1
lrange friends 1 2
exit

$ redis-cli < tutorial

That returned expected results.

Updated the redis package from testing and restarted the server.

$ redis-cli < tutorial
OK
"rapunzel"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 4
(integer) 5
(integer) 6
1) "Polly"
2) "Polly"
3) "Sukie"
4) "Zack"
5) "Sukie"
6) "Zack"
1) "Polly"
2) "Polly"
1) "Polly"
2) "Sukie"

As before. Another minimal test but hope it serves.

$ urpmq --whatrequires redis
ntopng
redis

Installed ntopng and ran it in the simplest way possible to monitor the local ethernet connection.

$ ntopng -i enp3s0
<specimen output>
18/Sep/2022 17:09:27 [startup.lua:144] [lists_utils.lua:411] Updating list 'Emerging Threats' [https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt]... OK
18/Sep/2022 17:09:27 [startup.lua:144] [lists_utils.lua:411] Updating list 'Feodo Tracker Botnet C2 IP Blocklist' [https://feodotracker.abuse.ch/downloads/ipblocklist.txt]... OK
18/Sep/2022 17:09:28 [startup.lua:144] [lists_utils.lua:411] Updating list 'NoCoin Filter List' [https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt]... OK
18/Sep/2022 17:09:28 [startup.lua:144] [lists_utils.lua:411] Updating list 'SSLBL Botnet C2 IP Blacklist' [https://sslbl.abuse.ch/blacklist/sslipblacklist.txt]... OK

Closed down using Ctrl-C.

# strace -o ntopng.trace ntopng -i enp3s0
# grep redis ntopng.trace
openat(AT_FDCWD, "/lib64/libhiredis.so.0.13", O_RDONLY|O_CLOEXEC) = 3
read(8, "$3707\r\n# Server\r\nredis_version:6"..., 16384) = 3716
read(9, "$3708\r\n# Server\r\nredis_version:6"..., 16384) = 3717
read(10, " inconsistent redis state as:\n "..., 4096) = 2666
stat("/var/lib/ntopng/plugins0/callbacks/system/system/redis_monitor.lua", {st_mode=S_IFREG|0600, st_size=3639, ...}) = 0
.........

redis is being used successfully by the looks of that.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0339.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED