Upstream have released version 7.0.14/7.2.2 to fix CVE-2023-45145. (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup. https://github.com/redis/redis/releases/tag/7.0.14
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2023-45145
Status comment: (none) => Fixed upstream in version 7.0.14/7.2.2
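The ordering problem named in the CVE text above can be shown in a few lines of C. The following is an added example, not Redis code and not part of this bug report: it builds a Unix-domain listening socket twice, once with chmod(2) after listen(2) (the order the CVE describes) and once with chmod(2) between bind(2) and listen(2), and records the mode of the socket file at the first instant a client could connect. The socket paths under /tmp, the `unix_server`/`window_exposed` names and the fixed umask of 022 are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Which side of listen(2) the chmod(2) call lands on. */
enum chmod_order { CHMOD_AFTER_LISTEN, CHMOD_BEFORE_LISTEN };

/* Permission bits of the file at `path`, or (mode_t)-1 if it cannot be stat'ed. */
static mode_t file_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return (mode_t)-1;
    return st.st_mode & 07777;
}

/* Creates a listening Unix socket at `path` and applies `perm` either before or after
 * listen(2). The mode the socket file carries the moment listen(2) returns (the first
 * moment connect(2) from another process can succeed) is stored in *mode_when_connectable.
 * Returns the listening fd, or -1 on error. Hypothetical helper, not Redis's anet code. */
int unix_server(const char *path, mode_t perm, enum chmod_order order,
                mode_t *mode_when_connectable) {
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;

    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    unlink(path);                       /* remove a stale socket file from an earlier run */

    /* bind(2) creates the socket file with mode 0777 & ~umask, i.e. wider than `perm`. */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { close(fd); return -1; }

    if (order == CHMOD_BEFORE_LISTEN && chmod(path, perm) != 0) {
        close(fd); unlink(path); return -1;
    }
    if (listen(fd, 16) != 0) { close(fd); unlink(path); return -1; }

    /* From here on another process can connect; this is the window the CVE describes. */
    *mode_when_connectable = file_mode(path);

    if (order == CHMOD_AFTER_LISTEN && chmod(path, perm) != 0) {
        close(fd); unlink(path); return -1;
    }
    return fd;
}

/* Returns 1 if the socket file was connectable with bits outside `perm`, 0 if it was
 * never wider than `perm`, -1 on error. The umask is pinned to 022 (constructed) so the
 * default socket mode is 0755 regardless of the caller's environment. */
int window_exposed(const char *path, mode_t perm, enum chmod_order order) {
    mode_t old_umask = umask(022);
    mode_t seen = 0;
    int fd = unix_server(path, perm, order, &seen);
    umask(old_umask);
    if (fd < 0) return -1;
    close(fd);
    unlink(path);
    return (seen & ~perm & 0777) != 0;
}

int main(void) {
    printf("chmod after listen : exposed=%d\n",
           window_exposed("/tmp/cve-2023-45145-wrong.sock", 0700, CHMOD_AFTER_LISTEN));
    printf("chmod before listen: exposed=%d\n",
           window_exposed("/tmp/cve-2023-45145-fixed.sock", 0700, CHMOD_BEFORE_LISTEN));
    return 0;
}
```

With the CVE ordering the file is connectable at 0755 until chmod(2) runs, so a local user outside the intended group can connect during startup; with chmod(2) moved before listen(2) the file is already 0700 when the first connect(2) can succeed. A belt-and-braces variant is to also tighten the process umask around bind(2) so the file is never created wide in the first place.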
Cauldron updated.
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Advisory
========

Redis upstream published a fix for CVE-2023-45145.

CVE-2023-45145: The wrong order of listen(2) and chmod(2) calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup.

References
==========

https://github.com/redis/redis/releases/tag/7.0.14

Files
=====

Uploaded to core/updates_testing

redis-7.0.14-1.mga9 from redis-7.0.14-1.mga9.src.rpm
Assignee: smelror => qa-bugs
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
CC: (none) => marja11
Keywords: (none) => advisory
Installed using qarepo; no issue. Service runs fine after update:

```
● redis.service - Redis persistent key-value database
     Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/redis.service.d
             └─limit.conf
     Active: active (running) since Sun 2023-10-22 19:39:33 CEST; 56s ago
   Main PID: 21333 (redis-server)
      Tasks: 5 (limit: 38410)
     Memory: 2.8M
        CPU: 55ms
     CGroup: /system.slice/redis.service
             └─21333 "/usr/bin/redis-server unixsocket:/tmp/redis.sock"

oct. 22 19:39:33 cbct-serv systemd[1]: Started redis.service.
```

Extract of log, before and after the update. It looks like it works as before. The WARNING Memory overcommit was there before the update. I have never noticed it. Should I care about it?

```
1621:M 22 Oct 2023 19:22:27.005 * 10 changes in 300 seconds. Saving...
1621:M 22 Oct 2023 19:22:27.005 * Background saving started by pid 20255
20255:C 22 Oct 2023 19:22:27.034 * DB saved on disk
20255:C 22 Oct 2023 19:22:27.035 * Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
1621:M 22 Oct 2023 19:22:27.105 * Background saving terminated with success
1621:M 22 Oct 2023 19:27:33.386 * 10 changes in 300 seconds. Saving...
1621:M 22 Oct 2023 19:27:33.386 * Background saving started by pid 20262
20262:C 22 Oct 2023 19:27:33.413 * DB saved on disk
20262:C 22 Oct 2023 19:27:33.414 * Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
1621:M 22 Oct 2023 19:27:33.486 * Background saving terminated with success
1621:M 22 Oct 2023 19:32:34.050 * 10 changes in 300 seconds. Saving...
1621:M 22 Oct 2023 19:32:34.050 * Background saving started by pid 20788
20788:C 22 Oct 2023 19:32:34.078 * DB saved on disk
20788:C 22 Oct 2023 19:32:34.079 * Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
1621:M 22 Oct 2023 19:32:34.150 * Background saving terminated with success
1621:M 22 Oct 2023 19:37:55.177 * 10 changes in 300 seconds. Saving...
1621:M 22 Oct 2023 19:37:55.177 * Background saving started by pid 21236
21236:C 22 Oct 2023 19:37:55.205 * DB saved on disk
21236:C 22 Oct 2023 19:37:55.205 * Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
1621:M 22 Oct 2023 19:37:55.278 * Background saving terminated with success
1621:signal-handler (1697996373) Received SIGTERM scheduling shutdown...
1621:M 22 Oct 2023 19:39:33.401 # User requested shutdown...
1621:M 22 Oct 2023 19:39:33.401 * Saving the final RDB snapshot before exiting.
1621:M 22 Oct 2023 19:39:33.408 * DB saved on disk
1621:M 22 Oct 2023 19:39:33.408 * Removing the pid file.
1621:M 22 Oct 2023 19:39:33.408 * Removing the unix socket file.
1621:M 22 Oct 2023 19:39:33.408 # Redis is now ready to exit, bye bye...
21333:C 22 Oct 2023 19:39:33.434 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
21333:C 22 Oct 2023 19:39:33.434 # Redis version=7.0.14, bits=64, commit=00000000, modified=0, pid=21333, just started
21333:C 22 Oct 2023 19:39:33.434 # Configuration loaded
21333:M 22 Oct 2023 19:39:33.434 * monotonic clock: POSIX clock_gettime
                _._
           _.-``__ ''-._
      _.-``    `.  `_.  ''-._           Redis 7.0.14 (00000000/0) 64 bit
  .-`` .-```.  ```\/    _.,_ ''-._
 (    '      ,       .-`  | `,    )     Running in standalone mode
 |`-._`-...-` __...-.``-._|'` _.-'|     Port: 0
 |    `-._   `._    /     _.-'    |     PID: 21333
  `-._    `-._  `-./  _.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |           https://redis.io
  `-._    `-._`-.__.-'_.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |
  `-._    `-._`-.__.-'_.-'    _.-'
      `-._    `-.__.-'    _.-'
          `-._        _.-'
              `-.__.-'

21333:M 22 Oct 2023 19:39:33.434 # Server initialized
21333:M 22 Oct 2023 19:39:33.434 # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
21333:M 22 Oct 2023 19:39:33.434 * Loading RDB produced by version 7.0.11
21333:M 22 Oct 2023 19:39:33.434 * RDB age 0 seconds
21333:M 22 Oct 2023 19:39:33.434 * RDB memory usage when created 1.47 Mb
21333:M 22 Oct 2023 19:39:33.436 * Done loading RDB, keys loaded: 2446, keys expired: 0.
21333:M 22 Oct 2023 19:39:33.436 * DB loaded from disk: 0.001 seconds
21333:M 22 Oct 2023 19:39:33.436 * The server is now ready to accept connections at /tmp/redis.sock
21333:signal-handler (1697996588) Received SIGTERM scheduling shutdown...
21333:M 22 Oct 2023 19:43:08.529 # User requested shutdown...
21333:M 22 Oct 2023 19:43:08.529 * Saving the final RDB snapshot before exiting.
21333:M 22 Oct 2023 19:43:08.547 * DB saved on disk
21333:M 22 Oct 2023 19:43:08.547 * Removing the pid file.
21333:M 22 Oct 2023 19:43:08.547 * Removing the unix socket file.
21333:M 22 Oct 2023 19:43:08.547 # Redis is now ready to exit, bye bye...
1623:C 22 Oct 2023 19:45:19.878 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
1623:C 22 Oct 2023 19:45:19.882 # Redis version=7.0.14, bits=64, commit=00000000, modified=0, pid=1623, just started
1623:C 22 Oct 2023 19:45:19.882 # Configuration loaded
1623:M 22 Oct 2023 19:45:19.883 * monotonic clock: POSIX clock_gettime
                _._
           _.-``__ ''-._
      _.-``    `.  `_.  ''-._           Redis 7.0.14 (00000000/0) 64 bit
  .-`` .-```.  ```\/    _.,_ ''-._
 (    '      ,       .-`  | `,    )     Running in standalone mode
 |`-._`-...-` __...-.``-._|'` _.-'|     Port: 0
 |    `-._   `._    /     _.-'    |     PID: 1623
  `-._    `-._  `-./  _.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |           https://redis.io
  `-._    `-._`-.__.-'_.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |
  `-._    `-._`-.__.-'_.-'    _.-'
      `-._    `-.__.-'    _.-'
          `-._        _.-'
              `-.__.-'

1623:M 22 Oct 2023 19:45:19.892 # Server initialized
1623:M 22 Oct 2023 19:45:19.892 # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
1623:M 22 Oct 2023 19:45:19.893 * Loading RDB produced by version 7.0.14
1623:M 22 Oct 2023 19:45:19.893 * RDB age 131 seconds
1623:M 22 Oct 2023 19:45:19.893 * RDB memory usage when created 1.45 Mb
1623:M 22 Oct 2023 19:45:19.897 * Done loading RDB, keys loaded: 2444, keys expired: 1.
1623:M 22 Oct 2023 19:45:19.897 * DB loaded from disk: 0.004 seconds
1623:M 22 Oct 2023 19:45:19.897 * The server is now ready to accept connections at /tmp/redis.sock
1623:M 22 Oct 2023 19:50:20.008 * 10 changes in 300 seconds. Saving...
1623:M 22 Oct 2023 19:50:20.009 * Background saving started by pid 19091
19091:C 22 Oct 2023 19:50:20.037 * DB saved on disk
19091:C 22 Oct 2023 19:50:20.037 * Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
1623:M 22 Oct 2023 19:50:20.109 * Background saving terminated with success
```
CC: (none) => chb0
MGA9-64 Xfce on Acer Aspire 5253

No installation issues.

No redis before on this machine, so nothing much to see.

```
# systemctl start redis
# systemctl -l status redis
● redis.service - Redis persistent key-value database
     Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/redis.service.d
             └─limit.conf
     Active: active (running) since Tue 2023-10-24 16:32:01 CEST; 14s ago
   Main PID: 59779 (redis-server)
      Tasks: 5 (limit: 4317)
     Memory: 2.7M
        CPU: 104ms
     CGroup: /system.slice/redis.service
             └─59779 "/usr/bin/redis-server 127.0.0.1:6379"

Oct 24 16:32:01 mach7.hviaene.thuis systemd[1]: Started redis.service.
```

Good enough unless someone wants to delve deeper into this.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0301.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED