Описание
Security update for redis
This update for redis fixes the following issues:
- Upgrade to 6.0.14
- CVE-2021-32625: An integer overflow bug could be exploited by using the STRALGO LCS command to cause remote remote code execution (bsc#1186722)
- Fix crash in UNLINK on a stream key with deleted consumer groups
- SINTERSTORE: Add missing keyspace del event when none of the sources exist
Список пакетов
SUSE Linux Enterprise Module for Server Applications 15 SP2
SUSE Linux Enterprise Module for Server Applications 15 SP3
Ссылки
- Link for SUSE-SU-2021:2294-1
- E-Mail link for SUSE-SU-2021:2294-1
- SUSE Security Ratings
- SUSE Bug 1186722
- SUSE CVE CVE-2021-32625 page
Описание
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer, could be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution. This is a result of an incomplete fix by CVE-2021-29477. The problem is fixed in version 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the STRALGO LCS command. On 64 bit systems which have the fixes of CVE-2021-29477 (6.2.3 or 6.0.13), it is sufficient to make sure that the proto-max-bulk-len config parameter is smaller than 2GB (default is 512MB).
Затронутые продукты
Ссылки
- CVE-2021-32625
- SUSE Bug 1186722