Bug 31174 - redis new security issues CVE-2022-3647 and CVE-2022-35977
Summary: redis new security issues CVE-2022-3647 and CVE-2022-35977
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Stig-Ørjan Smelror
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 31616 31744 31809
Blocks:
Reported: 2022-11-23 20:44 CET by David Walser
Modified: 2023-04-24 03:46 CEST (History)

See Also:
Source RPM: redis-6.0.16-1.1.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 6.0.17 plus patch available from openSUSE


Description David Walser 2022-11-23 20:44:08 CET
SUSE has issued an advisory on November 22:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/013069.html

Mageia 8 is also affected.
David Walser 2022-11-23 20:44:18 CET

Whiteboard: (none) => MGA8TOO

Comment 2 Lewis Smith 2022-11-23 21:05:13 CET
Stig seems to have adopted the maintenance of 'redis', so assigning this to you.

Assignee: bugsquad => smelror

Comment 3 Stig-Ørjan Smelror 2022-11-23 23:22:59 CET
Update pushed to Cauldron - redis-7.0.5-2
Comment 4 David Walser 2022-11-24 01:14:51 CET
openSUSE patch for 6.x:
https://build.opensuse.org/package/view_file/SUSE:SLE-15-SP4:Update/redis/cve-2022-3647.patch?expand=1

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: redis-7.0.5-1.mga9.src.rpm => redis-6.0.16-1.1.mga8.src.rpm

David Walser 2022-11-24 01:15:02 CET

Status comment: (none) => Patch available from openSUSE

Comment 5 David Walser 2022-11-24 01:16:50 CET
If it makes a difference, that one was for 6.2.x, this is for 6.0.x:
https://build.opensuse.org/package/view_file/SUSE:SLE-15-SP2:Update/redis/cve-2022-3647.patch?expand=1
Comment 6 David Walser 2023-01-27 00:22:29 CET
Fedora has issued an advisory today (January 26):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5ZSLYA4PWO5KDXYHZ6UOIEPQ43S7L6WN/

The issue is fixed upstream in 6.0.17.

Summary: redis new security issue CVE-2022-3647 => redis new security issues CVE-2022-3647 and CVE-2022-35977
Status comment: Patch available from openSUSE => Fixed upstream in 6.0.17 plus patch available from openSUSE
Severity: normal => major

Comment 7 David Walser 2023-02-07 17:17:07 CET
(In reply to David Walser from comment #6)
> Fedora has issued an advisory today (January 26):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5ZSLYA4PWO5KDXYHZ6UOIEPQ43S7L6WN/
> 
> The issue is fixed upstream in 6.0.17.

SUSE/openSUSE has issued an advisory for this today (February 7):
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013641.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CGMITC46BLQHJWK367Z6BPW2T6RMSK3A/

It also fixes a new issue (CVE-2023-22458) that is fixed upstream in 7.0.8 (already updated in Cauldron). I don't know if that one affects 6.x.
David Walser 2023-03-30 23:40:05 CEST

Depends on: (none) => 31744

Comment 8 Stig-Ørjan Smelror 2023-04-18 14:10:01 CEST
Cauldron has been updated to version 7.0.11.
MGA8 has been updated to version 6.0.19.

Closing as fixed.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2023-04-20 17:50:21 CEST
Mageia 8 hasn't been updated to 6.0.19 yet, that's pending in Bug 31809.

Resolution: FIXED => (none)
Depends on: (none) => 31809
Status: RESOLVED => REOPENED

David Walser 2023-04-20 17:50:38 CEST

Depends on: (none) => 31616

Comment 10 David Walser 2023-04-20 17:51:51 CEST
CVE-2022-35977 was fixed in Bug 31616. Hopefully CVE-2022-3647 is fixed in Bug 31809.
Comment 11 David Walser 2023-04-24 03:46:19 CEST
Fixed in:
https://advisories.mageia.org/MGASA-2023-0156.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
