Bug 33924 - redis new security issues CVE-2024-46981 and CVE-2024-51741
Summary: redis new security issues CVE-2024-46981 and CVE-2024-51741
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-01-15 15:32 CET by Nicolas Salguero
Modified: 2025-02-03 20:58 CET (History)

See Also:
Source RPM: redis-7.0.14-1.1.mga9.src.rpm
CVE: CVE-2024-46981, CVE-2024-51741
Status comment:



Nicolas Salguero 2025-01-15 15:32:57 CET

CVE: (none) => CVE-2024-46981, CVE-2024-51741
Source RPM: (none) => redis-7.0.14-1.1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 7.2.7

Comment 1 Lewis Smith 2025-01-26 20:18:47 CET
In the 7.2.x series, we have up to version 7.2.4 in Cauldron.
Stig was committing those, so assigning to you.

Assignee: bugsquad => smelror

Comment 2 Nicolas Salguero 2025-01-31 15:11:13 CET
Debian has issued an advisory on January 30:
https://lists.debian.org/debian-security-announce/2025/msg00018.html

Comment 3 Nicolas Salguero 2025-01-31 15:23:05 CET
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Redis' Lua library commands may lead to remote code execution. (CVE-2024-46981)

Redis allows denial-of-service due to malformed ACL selectors. (CVE-2024-51741)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HQU52SRIF5TB4GL3LJOHKX2MUHXNHH6/
https://lists.debian.org/debian-security-announce/2025/msg00018.html
========================

Updated package in core/updates_testing:
========================
redis-7.0.14-1.2.mga9

from SRPM:
redis-7.0.14-1.2.mga9.src.rpm

Status comment: Fixed upstream in 7.2.7 => (none)
Status: NEW => ASSIGNED
Assignee: smelror => qa-bugs
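
An interim hardening a defender can apply on a host that has not yet received the updated package, added here as an example and not part of the advisory or of the Mageia package: Redis 7 ACL rules that withhold the Lua scripting commands (EVAL, EVALSHA, SCRIPT, FUNCTION and FCALL, all in the `@scripting` category) from the application user, so the code path behind CVE-2024-46981 is reachable only through an administrative account. The ACL file path, user names, key prefix and password digests are assumptions.

```conf
# /etc/redis/users.acl (assumed path; point the "aclfile" directive in redis.conf at it,
# then run "ACL LOAD" or restart redis.service).

# Disable the default user so every client must authenticate as a named user.
user default off

# Application user: every command except the scripting category, keys limited to
# its own prefix, all Pub/Sub channels. Replace the placeholder with the SHA-256
# hex digest of the real password.
user app on #<sha256-of-app-password> ~app:* &* +@all -@scripting

# Operator account that keeps scripting; restrict who knows this password.
user admin on #<sha256-of-admin-password> ~* &* +@all
```

After loading the file, `redis-cli --user app --pass <password> EVAL "return 1" 0` should be refused with a NOPERM error, while the same call as `admin` still succeeds; this is a stop-gap, not a replacement for installing redis-7.0.14-1.2.mga9.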

katnatek 2025-01-31 18:45:46 CET

Keywords: (none) => advisory

Comment 4 katnatek 2025-02-02 19:43:29 CET
RH x86_64

installing redis-7.0.14-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: redis                 ##################################################################################################
      1/1: removing redis-7.0.14-1.1.mga9.x86_64
                                 ##################################################################################################

systemctl start redis.service 
systemctl status redis.service 
redis.service - Redis persistent key-value database
     Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/redis.service.d
             └─limit.conf
     Active: active (running) since Sun 2025-02-02 12:41:17 CST; 8s ago
   Main PID: 53706 (redis-server)
      Tasks: 5 (limit: 6903)
     Memory: 2.8M
        CPU: 23ms
     CGroup: /system.slice/redis.service
             └─53706 "/usr/bin/redis-server 127.0.0.1:6379"

feb 02 12:41:17 jgrey.phoenix systemd[1]: Started redis.service.


OK in base previous round https://bugs.mageia.org/show_bug.cgi?id=33643#c4

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 5 Len Lawrence 2025-02-02 20:11:20 CET
Oops - mid-air collision ***&!

    mga9, x86_64
    Referring back to previous redis tests for testing; e.g. https://bugs.mageia.org/show_bug.cgi?id=19158

    Search for reproducers came up empty.
    Went ahead with the update - OK.

    Started the redis server and ran the earlier tutorial script from the command-line.
    $ redis-cli < tutorialOK
    "rapunzel"
    OK
    (integer) 8
    (integer) 9
    "9"
    (integer) 1
    (integer) 1
    OK
    (integer) 1
    (integer) 40
    (integer) 40
    (integer) 40
    OK
    (integer) 4
    (integer) 5
    (integer) 6
    1) "Polly"
    2) "Polly"
    3) "Sukie"
    4) "Zack"
    5) "Sukie"
    6) "Zack"
    1) "Polly"
    2) "Polly"
    1) "Polly"
    2) "Sukie"

    Switched to interactive mode:
    $ redis-cli
    127.0.0.1:6379> get server:name
    "rapunzel"
    127.0.0.1:6379> exit

    Installed ntopng, which requires redis, then ran ntopng as root.
    # ntopng -i enp2s0 > ntopng.session
    ^C
    # file ntopng.session
    ntopng.session: HTML document, ASCII text

    # less ntopng.session:
    02/Feb/2025 18:56:20 [Ntop.cpp:2336] Setting local networks to 127.0.0.0/8,fe80::/10
    02/Feb/2025 18:56:20 [Redis.cpp:157] Successfully connected to redis 127.0.0.1:6379@0
    02/Feb/2025 18:56:20 [Redis.cpp:157] Successfully connected to redis 127.0.0.1:6379@0
    02/Feb/2025 18:56:20 [PcapInterface.cpp:93] Reading packets from enp2s0 [id: 0]
    02/Feb/2025 18:56:20 [Ntop.cpp:2441] Registered interface enp2s0 [id: 0]
    02/Feb/2025 18:56:20 [main.cpp:312] PID stored in file /var/run/ntopng/ntopng.pid
    02/Feb/2025 18:56:20 [Geolocation.cpp:107] Running without geolocation support.
    02/Feb/2025 18:56:20 [Geolocation.cpp:108] To enable geolocation follow the instructions at
    02/Feb/2025 18:56:20 [Geolocation.cpp:109] https://github.com/ntop/ntopng/blob/dev/doc/README.geolocation.md
    02/Feb/2025 18:56:20 [HTTPserver.cpp:1529] Web server dirs [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
    02/Feb/2025 18:56:20 [HTTPserver.cpp:1532] HTTP server listening on 3000
    02/Feb/2025 18:56:20 [Utils.cpp:764] User changed to ntopng
    02/Feb/2025 18:56:20 [NetworkInterface.cpp:2593] Started flow user script hooks loop on interface enp2s0 [id: 0]...
    02/Feb/2025 18:56:20 [main.cpp:382] Working directory: /var/lib/ntopng
    02/Feb/2025 18:56:20 [main.cpp:384] Scripts/HTML pages directory: /usr/share/ntopng
    02/Feb/2025 18:56:20 [Ntop.cpp:440] Welcome to ntopng x86_64 v.4.2.220416 - (C) 1998-20 ntop.org
    02/Feb/2025 18:56:20 [Ntop.cpp:841] Adding 192.168.1.157/32 as IPv4 interface address for enp2s0
    02/Feb/2025 18:56:20 [Ntop.cpp:850] Adding 192.168.1.0/24 as IPv4 local network for enp2s0
    02/Feb/2025 18:56:20 [Ntop.cpp:872] Adding fe80::642:1aff:fec9:9378/128 as IPv6 interface address for enp2s0
    02/Feb/2025 18:56:20 [Ntop.cpp:882] Adding fe80::642:1aff:fec9:9378/64 as IPv6 local network for enp2s0
    02/Feb/2025 18:56:20 [PeriodicActivities.cpp:109] Started periodic activities loop...
    02/Feb/2025 18:56:21 [startup.lua:50] Processing startup.lua: please hold on...
    02/Feb/2025 18:56:22 [startup.lua:144] [lists_utils.lua:758] Refreshing category lists...
    02/Feb/2025 18:56:22 [startup.lua:144] [lists_utils.lua:621] WARNING: List 'SSLBL Botnet C2 IP Blacklist' has 0 rules. Please report this to https://github.com/ntop/ntopng
    02/Feb/2025 18:56:22 [startup.lua:144] [lists_utils.lua:460] WARNING: Invalid domain '<!DOCTYPE html>' in list 'Snort IP Blacklist'
    [...]
    # exit

    Logged out at this point then logged back in.
    $ sudo systemctl status redis
    ● redis.service - Redis persistent key-value database
         Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; preset: d>
        Drop-In: /usr/lib/systemd/system/redis.service.d
                 └─limit.conf
         Active: active (running) since Sun 2025-02-02 16:44:13 GMT; 2h 25min ago

    Demonstrated persistence:
    $ redis-cli
    127.0.0.1:6379> get server:name
    "rapunzel"
    127.0.0.1:6379> exit

    Giving this an OK.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2025-02-03 12:44:46 CET
We can validate this for 64-bit.

Comment 7 Thomas Andrews 2025-02-03 14:19:42 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2025-02-03 20:58:53 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0033.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

