SUSE has issued an advisory on November 22: https://lists.suse.com/pipermail/sle-security-updates/2022-November/013069.html Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2REKANCQMN2XQP3CDYJ4ZJ5GUANMZR7L/
Stig seems to have adopted the maintenance of 'redis', so assigning this to you.
Assignee: bugsquad => smelror
Update pushed to Cauldron - redis-7.0.5-2
openSUSE patch for 6.x: https://build.opensuse.org/package/view_file/SUSE:SLE-15-SP4:Update/redis/cve-2022-3647.patch?expand=1
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: redis-7.0.5-1.mga9.src.rpm => redis-6.0.16-1.1.mga8.src.rpm
Status comment: (none) => Patch available from openSUSE
If it makes a difference, that one was for 6.2.x, this is for 6.0.x: https://build.opensuse.org/package/view_file/SUSE:SLE-15-SP2:Update/redis/cve-2022-3647.patch?expand=1
Fedora has issued an advisory today (January 26): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5ZSLYA4PWO5KDXYHZ6UOIEPQ43S7L6WN/ The issue is fixed upstream in 6.0.17.
Summary: redis new security issue CVE-2022-3647 => redis new security issues CVE-2022-3647 and CVE-2022-35977
Status comment: Patch available from openSUSE => Fixed upstream in 6.0.17 plus patch available from openSUSE
Severity: normal => major
(In reply to David Walser from comment #6)
> Fedora has issued an advisory today (January 26):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5ZSLYA4PWO5KDXYHZ6UOIEPQ43S7L6WN/
>
> The issue is fixed upstream in 6.0.17.

SUSE/openSUSE has issued an advisory for this today (February 7):
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013641.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CGMITC46BLQHJWK367Z6BPW2T6RMSK3A/
It also fixes a new issue (CVE-2023-22458) that is fixed upstream in 7.0.8 (already updated in Cauldron). I don't know if that one affects 6.x.
Depends on: (none) => 31744
Cauldron has been updated to version 7.0.11. MGA8 has been updated to version 6.0.19. Closing as fixed.
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Mageia 8 hasn't been updated to 6.0.19 yet, that's pending in Bug 31809.
Resolution: FIXED => (none)
Depends on: (none) => 31809
Status: RESOLVED => REOPENED
Depends on: (none) => 31616
CVE-2022-35977 was fixed in Bug 31616. Hopefully CVE-2022-3647 is fixed in Bug 31809.
Fixed in: https://advisories.mageia.org/MGASA-2023-0156.html
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED