Fedora Linux 8488 Published by

A redis security update has been released for Fedora 37.



[SECURITY] Fedora 37 Update: redis-7.0.12-1.fc37


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-800612d23a
2023-07-19 04:20:09.559975
--------------------------------------------------------------------------------

Name : redis
Product : Fedora 37
Version : 7.0.12
Release : 1.fc37
URL : https://redis.io
Summary : A persistent key-value database
Description :
Redis is an advanced key-value store. It is often referred to as a data
structure server since keys can contain strings, hashes, lists, sets and
sorted sets.

You can run atomic operations on these types, like appending to a string;
incrementing the value in a hash; pushing to a list; computing set
intersection, union and difference; or getting the member with highest
ranking in a sorted set.

In order to achieve its outstanding performance, Redis works with an
in-memory dataset. Depending on your use case, you can persist it either
by dumping the dataset to disk every once in a while, or by appending
each command to a log.

Redis also supports trivial-to-setup master-slave replication, with very
fast non-blocking first synchronization, auto-reconnection on net split
and so forth.

Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
limited time-to-live, and configuration settings to make Redis behave like
a cache.

You can use Redis from most programming languages also.

--------------------------------------------------------------------------------
Update Information:

**Redis 7.0.12** - Released Mon July 10 12:00:00 IDT 2023 Upgrade urgency
SECURITY: See security fixes below. Security Fixes: * (**CVE-2022-24834**)
A specially crafted Lua script executing in Redis can trigger a heap
overflow in the cjson and cmsgpack libraries, and result in heap corruption
and potentially remote code execution. The problem exists in all versions of
Redis with Lua scripting support, starting from 2.6, and affects only
authenticated and authorized users. * (**CVE-2023-36824**) Extracting key
names from a command and a list of arguments may, in some cases, trigger a
heap overflow and result in reading random heap memory, heap corruption and
potentially remote code execution. Specifically: using COMMAND GETKEYS* and
validation of key names in ACL rules. Bug Fixes * Re-enable downscale
rehashing while there is a fork child (#12276) * Fix possible hang in
HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with `` (#12276) * Improve
fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and
eviction (#12276) * Fix WAIT to be effective after a blocked module command
being unblocked (#12220) * Avoid unnecessary full sync after master restart in a
rare case (#12088)
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 10 2023 Remi Collet [remi@remirepo.net] - 7.0.12-1
- Upstream 7.0.12 release.
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2221662 - CVE-2022-24834 redis: heap overflow in the lua cjson and cmsgpack libraries
https://bugzilla.redhat.com/show_bug.cgi?id=2221662
[ 2 ] Bug #2221664 - CVE-2023-36824 redis: heap overflow in COMMAND GETKEYS and ACL evaluation
https://bugzilla.redhat.com/show_bug.cgi?id=2221664
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-800612d23a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------