Detections
Analytics

openSUSE Security Update : redis (openSUSE-2021-682)

high Nessus Plugin ID 149549

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for redis fixes the following issues :

redis 6.0.13

 - CVE-2021-29477: Integer overflow in STRALGO LCS command (boo#1185729)

 - CVE-2021-29478: Integer overflow in COPY command for large intsets (boo#1185730)

 - Cluster: Skip unnecessary check which may prevent failure detection

 - Fix performance regression in BRPOP on Redis 6.0

 - Fix edge-case when a module client is unblocked

redis 6.0.12 :

 - Fix compilation error on non-glibc systems if jemalloc is not used

redis 6.0.11 :

 - CVE-2021-21309: Avoid 32-bit overflows when proto-max-bulk-len is set high (boo#1182657)

 - Fix handling of threaded IO and CLIENT PAUSE (failover), could lead to data loss or a crash

 - Fix the selection of a random element from large hash tables

 - Fix broken protocol in client tracking tracking-redir-broken message

 - XINFO able to access expired keys on a replica

 - Fix broken protocol in redis-benchmark when used with -a or --dbnum

- Avoid assertions (on older kernels) when testing arm64 CoW bug

 - CONFIG REWRITE should honor umask settings

 - Fix firstkey,lastkey,step in COMMAND command for some commands

 - RM_ZsetRem: Delete key if empty, the bug could leave empty zset keys

redis 6.0.10 :

Command behavior changes :

 - SWAPDB invalidates WATCHed keys (#8239)

 - SORT command behaves differently when used on a writable replica (#8283)

 - EXISTS should not alter LRU (#8016) In Redis 5.0 and 6.0 it would have touched the LRU/LFU of the key.

 - OBJECT should not reveal logically expired keys (#8016) Will now behave the same TYPE or any other non-DEBUG command.

 - GEORADIUS[BYMEMBER] can fail with -OOM if Redis is over the memory limit (#8107)

Other behavior changes :

 - Sentinel: Fix missing updates to the config file after SENTINEL SET command (#8229)

 - CONFIG REWRITE is atomic and safer, but requires write access to the config file's folder (#7824, #8051) This change was already present in 6.0.9, but was missing from the release notes.

Bug fixes with compatibility implications (bugs introduced in Redis 6.0) :

 - Fix RDB CRC64 checksum on big-endian systems (#8270) If you're using big-endian please consider the compatibility implications with RESTORE, replication and persistence.

 - Fix wrong order of key/value in Lua's map response (#8266) If your scripts use redis.setresp() or return a map (new in Redis 6.0), please consider the implications.

Bug fixes :

 - Fix an issue where a forked process deletes the parent's pidfile (#8231)

 - Fix crashes when enabling io-threads-do-reads (#8230)

 - Fix a crash in redis-cli after executing cluster backup (#8267)

 - Handle output buffer limits for module blocked clients (#8141) Could result in a module sending reply to a blocked client to go beyond the limit.

 - Fix setproctitle related crashes. (#8150, #8088) Caused various crashes on startup, mainly on Apple M1 chips or under instrumentation.

 - Backup/restore cluster mode keys to slots map for repl-diskless-load=swapdb (#8108) In cluster mode with repl-diskless-load, when loading failed, slot map wouldn't have been restored.

 - Fix oom-score-adj-values range, and bug when used in config file (#8046) Enabling setting this in the config file in a line after enabling it, would have been buggy.

 - Reset average ttl when empty databases (#8106) Just causing misleading metric in INFO

 - Disable rehash when Redis has child process (#8007) This could have caused excessive CoW during BGSAVE, replication or AOFRW.

 - Further improved ACL algorithm for picking categories (#7966) Output of ACL GETUSER is now more similar to the one provided by ACL SETUSER.

 - Fix bug with module GIL being released prematurely (#8061) Could in theory (and rarely) cause multi-threaded modules to corrupt memory.

 - Reduce effect of client tracking causing feedback loop in key eviction (#8100)

 - Fix cluster access to unaligned memory (SIGBUS on old ARM) (#7958)

 - Fix saving of strings larger than 2GB into RDB files (#8306)

Additional improvements :

 - Avoid wasteful transient memory allocation in certain cases (#8286, #5954)

Platform / toolchain support related improvements :

 - Fix crash log registers output on ARM. (#8020)

 - Add a check for an ARM64 Linux kernel bug (#8224) Due to the potential severity of this issue, Redis will print log warning on startup.

 - Raspberry build fix. (#8095)

New configuration options :

 - oom-score-adj-values config can now take absolute values (besides relative ones) (#8046)

Module related fixes :

 - Moved RMAPI_FUNC_SUPPORTED so that it's usable (#8037)

 - Improve timer accuracy (#7987)

 - Allow '\0' inside of result of RM_CreateStringPrintf (#6260)

redis 6.0.9 :

 - potential heap overflow when using a heap allocator other than jemalloc or glibc's malloc. Does not affect the openSUSE package - boo#1178205

- Memory reporting of clients argv

 - Add redis-cli control on raw format line delimiter

 - Add redis-cli support for rediss:// -u prefix

 - WATCH no longer ignores keys which have expired for MULTI/EXEC

 - Correct OBJECT ENCODING response for stream type

 - Allow blocked XREAD on a cluster replica

 - TLS: Do not require CA config if not used

 - multiple bug fixes

 - Additions to modules API

redis 6.0.8 (jsc#PM-1615, jsc#PM-1622, jsc#PM-1681, jsc#ECO-2417, jsc#ECO-2867, jsc#PM-1547, jsc#CAPS-56, jsc#SLE-11578, jsc#SLE-12821) :

 - bug fixes when using with Sentinel

 - bug fixes when using CONFIG REWRITE

 - Remove THP warning when set to madvise

 - Allow EXEC with read commands on readonly replica in cluster

 - Add masters/replicas options to redis-cli --cluster call command

 - includes changes from 6.0.7 :

 - CONFIG SET could hung the client when arrives during RDB/ROF loading

 - LPOS command when RANK is greater than matches responded with broken protocol

 - Add oom-score-adj configuration option to control Linux OOM killer

 - Show IO threads statistics and status in INFO output

 - Add optional tls verification mode (see tls-auth-clients)

redis 6.0.6 :

 - Fix crash when enabling CLIENT TRACKING with prefix

 - EXEC always fails with EXECABORT and multi-state is cleared

 - RESTORE ABSTTL won't store expired keys into the db

 - redis-cli better handling of non-pritable key names

 - TLS: Ignore client cert when tls-auth-clients off

 - Tracking: fix invalidation message on flush

 - Notify systemd on Sentinel startup

 - Fix crash on a misuse of STRALGO

 - Few fixes in module API

 - Fix a few rare leaks (STRALGO error misuse, Sentinel)

 - Fix a possible invalid access in defrag of scripts

 - Add LPOS command to search in a list

 - Use user+pass for MIGRATE in redis-cli and redis-benchmark in cluster mode

 - redis-cli support TLS for --pipe, --rdb and --replica options

 - TLS: Session caching configuration support

redis 6.0.5 :

 - Fix handling of speical chars in ACL LOAD

 - Make Redis Cluster more robust about operation errors that may lead to two clusters to mix together

 - Revert the sendfile() implementation of RDB transfer

 - Fix TLS certificate loading for chained certificates

 - Fix AOF rewirting of KEEPTTL SET option

 - Fix MULTI/EXEC behavior during -BUSY script errors

Solution

Update the affected redis packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1182657

https://bugzilla.opensuse.org/show_bug.cgi?id=1185729

https://bugzilla.opensuse.org/show_bug.cgi?id=1185730

https://jira.suse.com/browse/ECO-2417

https://jira.suse.com/browse/ECO-2867

https://jira.suse.com/browse/PM-1547

https://jira.suse.com/browse/PM-1615

https://jira.suse.com/browse/PM-1622

https://jira.suse.com/browse/PM-1681

https://jira.suse.com/browse/SLE-11578

https://jira.suse.com/browse/SLE-12821

https://bugzilla.opensuse.org/show_bug.cgi?id=1178205

Plugin Details

Severity: High

ID: 149549

File Name: openSUSE-2021-682.nasl

Version: 1.3

Type: local

Agent: unix

Published: 5/18/2021

Updated: 1/1/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-29477

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2021-29478

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:redis, p-cpe:/a:novell:opensuse:redis-debuginfo, p-cpe:/a:novell:opensuse:redis-debugsource, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/7/2021

Vulnerability Publication Date: 2/26/2021

Reference Information

CVE: CVE-2021-21309, CVE-2021-29477, CVE-2021-29478