Synopsis
The remote openSUSE host is missing a security update.
Description
This update for redis fixes the following issues :
redis 6.0.13
- CVE-2021-29477: Integer overflow in STRALGO LCS command (boo#1185729)
- CVE-2021-29478: Integer overflow in COPY command for large intsets (boo#1185730)
- Cluster: Skip unnecessary check which may prevent failure detection
- Fix performance regression in BRPOP on Redis 6.0
- Fix edge-case when a module client is unblocked
redis 6.0.12 :
- Fix compilation error on non-glibc systems if jemalloc is not used
redis 6.0.11 :
- CVE-2021-21309: Avoid 32-bit overflows when proto-max-bulk-len is set high (boo#1182657)
- Fix handling of threaded IO and CLIENT PAUSE (failover), could lead to data loss or a crash
- Fix the selection of a random element from large hash tables
- Fix broken protocol in client tracking tracking-redir-broken message
- XINFO able to access expired keys on a replica
- Fix broken protocol in redis-benchmark when used with -a or --dbnum
- Avoid assertions (on older kernels) when testing arm64 CoW bug
- CONFIG REWRITE should honor umask settings
- Fix firstkey,lastkey,step in COMMAND command for some commands
- RM_ZsetRem: Delete key if empty, the bug could leave empty zset keys
redis 6.0.10 :
Command behavior changes :
- SWAPDB invalidates WATCHed keys (#8239)
- SORT command behaves differently when used on a writable replica (#8283)
- EXISTS should not alter LRU (#8016) In Redis 5.0 and 6.0 it would have touched the LRU/LFU of the key.
- OBJECT should not reveal logically expired keys (#8016) Will now behave the same TYPE or any other non-DEBUG command.
- GEORADIUS[BYMEMBER] can fail with -OOM if Redis is over the memory limit (#8107)
Other behavior changes :
- Sentinel: Fix missing updates to the config file after SENTINEL SET command (#8229)
- CONFIG REWRITE is atomic and safer, but requires write access to the config file's folder (#7824, #8051) This change was already present in 6.0.9, but was missing from the release notes.
Bug fixes with compatibility implications (bugs introduced in Redis 6.0) :
- Fix RDB CRC64 checksum on big-endian systems (#8270) If you're using big-endian please consider the compatibility implications with RESTORE, replication and persistence.
- Fix wrong order of key/value in Lua's map response (#8266) If your scripts use redis.setresp() or return a map (new in Redis 6.0), please consider the implications.
Bug fixes :
- Fix an issue where a forked process deletes the parent's pidfile (#8231)
- Fix crashes when enabling io-threads-do-reads (#8230)
- Fix a crash in redis-cli after executing cluster backup (#8267)
- Handle output buffer limits for module blocked clients (#8141) Could result in a module sending reply to a blocked client to go beyond the limit.
- Fix setproctitle related crashes. (#8150, #8088) Caused various crashes on startup, mainly on Apple M1 chips or under instrumentation.
- Backup/restore cluster mode keys to slots map for repl-diskless-load=swapdb (#8108) In cluster mode with repl-diskless-load, when loading failed, slot map wouldn't have been restored.
- Fix oom-score-adj-values range, and bug when used in config file (#8046) Enabling setting this in the config file in a line after enabling it, would have been buggy.
- Reset average ttl when empty databases (#8106) Just causing misleading metric in INFO
- Disable rehash when Redis has child process (#8007) This could have caused excessive CoW during BGSAVE, replication or AOFRW.
- Further improved ACL algorithm for picking categories (#7966) Output of ACL GETUSER is now more similar to the one provided by ACL SETUSER.
- Fix bug with module GIL being released prematurely (#8061) Could in theory (and rarely) cause multi-threaded modules to corrupt memory.
- Reduce effect of client tracking causing feedback loop in key eviction (#8100)
- Fix cluster access to unaligned memory (SIGBUS on old ARM) (#7958)
- Fix saving of strings larger than 2GB into RDB files (#8306)
Additional improvements :
- Avoid wasteful transient memory allocation in certain cases (#8286, #5954)
Platform / toolchain support related improvements :
- Fix crash log registers output on ARM. (#8020)
- Add a check for an ARM64 Linux kernel bug (#8224) Due to the potential severity of this issue, Redis will print log warning on startup.
- Raspberry build fix. (#8095)
New configuration options :
- oom-score-adj-values config can now take absolute values (besides relative ones) (#8046)
Module related fixes :
- Moved RMAPI_FUNC_SUPPORTED so that it's usable (#8037)
- Improve timer accuracy (#7987)
- Allow '\0' inside of result of RM_CreateStringPrintf (#6260)
redis 6.0.9 :
- potential heap overflow when using a heap allocator other than jemalloc or glibc's malloc. Does not affect the openSUSE package - boo#1178205
- Memory reporting of clients argv
- Add redis-cli control on raw format line delimiter
- Add redis-cli support for rediss:// -u prefix
- WATCH no longer ignores keys which have expired for MULTI/EXEC
- Correct OBJECT ENCODING response for stream type
- Allow blocked XREAD on a cluster replica
- TLS: Do not require CA config if not used
- multiple bug fixes
- Additions to modules API
redis 6.0.8 (jsc#PM-1615, jsc#PM-1622, jsc#PM-1681, jsc#ECO-2417, jsc#ECO-2867, jsc#PM-1547, jsc#CAPS-56, jsc#SLE-11578, jsc#SLE-12821) :
- bug fixes when using with Sentinel
- bug fixes when using CONFIG REWRITE
- Remove THP warning when set to madvise
- Allow EXEC with read commands on readonly replica in cluster
- Add masters/replicas options to redis-cli --cluster call command
- includes changes from 6.0.7 :
- CONFIG SET could hung the client when arrives during RDB/ROF loading
- LPOS command when RANK is greater than matches responded with broken protocol
- Add oom-score-adj configuration option to control Linux OOM killer
- Show IO threads statistics and status in INFO output
- Add optional tls verification mode (see tls-auth-clients)
redis 6.0.6 :
- Fix crash when enabling CLIENT TRACKING with prefix
- EXEC always fails with EXECABORT and multi-state is cleared
- RESTORE ABSTTL won't store expired keys into the db
- redis-cli better handling of non-pritable key names
- TLS: Ignore client cert when tls-auth-clients off
- Tracking: fix invalidation message on flush
- Notify systemd on Sentinel startup
- Fix crash on a misuse of STRALGO
- Few fixes in module API
- Fix a few rare leaks (STRALGO error misuse, Sentinel)
- Fix a possible invalid access in defrag of scripts
- Add LPOS command to search in a list
- Use user+pass for MIGRATE in redis-cli and redis-benchmark in cluster mode
- redis-cli support TLS for --pipe, --rdb and --replica options
- TLS: Session caching configuration support
redis 6.0.5 :
- Fix handling of speical chars in ACL LOAD
- Make Redis Cluster more robust about operation errors that may lead to two clusters to mix together
- Revert the sendfile() implementation of RDB transfer
- Fix TLS certificate loading for chained certificates
- Fix AOF rewirting of KEEPTTL SET option
- Fix MULTI/EXEC behavior during -BUSY script errors
Solution
Update the affected redis packages.
Plugin Details
File Name: openSUSE-2021-682.nasl
Agent: unix
Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:opensuse:redis, p-cpe:/a:novell:opensuse:redis-debuginfo, p-cpe:/a:novell:opensuse:redis-debugsource, cpe:/o:novell:opensuse:15.2
Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu
Exploit Ease: No known exploits are available
Patch Publication Date: 5/7/2021
Vulnerability Publication Date: 2/26/2021