Description
Security update for redis
This update for redis fixes the following issues:
- CVE-2022-36021: Fixed integer overflow in SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands (bsc#1208790).
- CVE-2023-25155: Fixed integer overflow in RAND commands that can lead to an assertion failure (bsc#1208793).
The following non-security bug was fixed:
- Fixed redis-sentinel not starting due to the hardening in the systemd service (bsc#1208235).
Package list
SUSE Linux Enterprise Module for Server Applications 15 SP4
openSUSE Leap 15.4
References
- Link for SUSE-SU-2023:0694-1
- E-Mail link for SUSE-SU-2023:0694-1
- SUSE Security Ratings
- SUSE Bug 1208235
- SUSE Bug 1208790
- SUSE Bug 1208793
- SUSE CVE CVE-2022-36021 page
- SUSE CVE CVE-2023-25155 page
Description
Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, 7.0.9.
Affected products
References
- CVE-2022-36021
- SUSE Bug 1208790
- SUSE Bug 1208793
Description
Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. This problem affects all Redis versions. Patches were released in Redis version(s) 6.0.18, 6.2.11 and 7.0.9.
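As an added example (not part of the advisory or of Redis itself), the check below reads a `redis-server --version` line or an `INFO` `redis_version:` field and decides whether the reported version predates the fixed releases named above. It assumes that the three fixes map to the 6.0, 6.2 and 7.0 branches respectively, and that branches newer than 7.0 already carry them.

```python
import re
import sys

# Fixed releases named in the advisory, one per maintained branch.
FIXED_VERSIONS = ((6, 0, 18), (6, 2, 11), (7, 0, 9))


def parse_version(text):
    """Return (major, minor, patch) from `redis-server --version` output
    or from an INFO block containing a 'redis_version:' line."""
    m = re.search(r"(?:redis_version:|v=)?\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Redis version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if `version` includes the fixes for CVE-2022-36021 and
    CVE-2023-25155. Branches older than 6.0 have no fixed release in
    the advisory and are reported as unpatched; branches newer than 7.0
    are assumed (my assumption, not stated by the advisory) to be fixed."""
    major, minor, patch = version
    for fmaj, fmin, fpatch in FIXED_VERSIONS:
        if (major, minor) == (fmaj, fmin):
            return patch >= fpatch
    return (major, minor) > (7, 0)


def assess(text):
    """Convenience wrapper: returns (version_tuple, patched_bool)."""
    v = parse_version(text)
    return v, is_patched(v)


if __name__ == "__main__":
    # Constructed sample line; pipe real `redis-server --version` output
    # or `redis-cli INFO server` output on stdin instead.
    sample = "Redis server v=6.2.10 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64"
    data = sys.stdin.read() if not sys.stdin.isatty() else sample
    version, ok = assess(data)
    print("redis %d.%d.%d: %s" % (version + ("patched" if ok else "UNPATCHED",)))
```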
Affected products
References
- CVE-2023-25155
- SUSE Bug 1208790
- SUSE Bug 1208793