Redis 6.0.13 Released Mon May 3 19:00:00 IST 2021
Upgrade urgency: SECURITY, Contains fixes to security issues that affect authenticated client connections. LOW otherwise.
Integer overflow in STRALGO LCS command (CVE-2021-29477): An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. The integer overflow bug exists in all versions of Redis starting with 6.0.
Integer overflow in COPY command for large intsets (CVE-2021-29478): An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values and using the COPY command to duplicate it. The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result with a corrupted RDB or DUMP payload, but not exploited through COPY (which did not exist before 6.2).
Bug fixes:
Improvements:
Modules:
sudo dnf upgrade --refresh --advisory=FEDORA-2021-8b19c99d6aPlease login to add feedback.
This update has been submitted for testing by remi.
This update's test gating status has been changed to 'ignored'.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
remi edited this update.
This update can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by bodhi.
This update has been pushed to stable.