stable

redis-6.2.7-1.fc35

FEDORA-2022-44373f6778 created by remi 11 months ago for Fedora 35

Redis 6.2.7 - Released Wed Apr 27 12:00:00 IDT 2022

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference, which will result in a crash of the redis-server process. This issue affects all versions of Redis. [reported by Aviv Yahav].
  • (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. [reported by Aviv Yahav].

Potentially Breaking Fixes

  • LPOP/RPOP with count against a non-existing list now return a null array (#10095)
  • LPOP/RPOP used to produce wrong replies when count is 0 (#9692)

Performance and resource utilization improvements

  • Speed optimization in command execution pipeline (#10502)
  • Fix regression in Z[REV]RANGE commands (by-rank) introduced in Redis 6.2 (#10337)

Platform / toolchain support related improvements

  • Fix RSS metrics on NetBSD and OpenBSD (#10116, #10149)
  • Fix OpenSSL 3.0.x related issues (#10291)

Bug Fixes

  • Lua: Add checks for min-slave-* configs when evaluating Lua scripts (#10160)
  • Lua: fix crash on a script call with many arguments, a regression in v6.2.6 (#9809)
  • Tracking: Make invalidation messages always after command's reply (#9422)
  • Fix excessive stream trimming due to an overflow (#10068)
  • Add missed error counting for INFO errorstats (#9646)
  • Fix geo search bounding box check causing missing results (#10018)
  • Improve EXPIRE TTL overflow detection (#9839)
  • Modules: Fix thread safety violation when a module thread adds an error reply, broken in 6.2 (#10278)
  • Modules: Fix missing and duplicate error stats (#10278)
  • Module APIs: release clients blocked on module commands in cluster resharding and down state (#9483)
  • Sentinel: Fix memory leak with TLS (#9753)
  • Sentinel: Fix issues with hostname support (#10146)
  • Sentinel: Fix election failures on certain container environments (#10197)

How to install

sudo dnf upgrade --refresh --advisory=FEDORA-2022-44373f6778

This update has been submitted for testing by remi.

11 months ago

This update's test gating status has been changed to 'ignored'.

11 months ago

This update has been pushed to testing.

11 months ago

remi edited this update.

10 months ago

This update has been submitted for stable by bodhi.

10 months ago

This update has been pushed to stable.

10 months ago


Metadata

Type: security
Severity: medium
Karma: 0
Signed: yes
Content Type: RPM
Test Gating: ignored

Settings

Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 7 days

Dates

submitted: 11 months ago
in testing: 11 months ago
in stable: 10 months ago
modified: 10 months ago

Bugs

BZ#2080286 CVE-2022-24735 redis: Code injection via Lua script execution environment
BZ#2080287 CVE-2022-24735 redis: Code injection via Lua script execution environment [fedora-all]
BZ#2080289 CVE-2022-24736 redis: Malformed Lua script can crash Redis
BZ#2080290 CVE-2022-24736 redis: Malformed Lua script can crash Redis [fedora-all]
