openSUSE-SU-2021:3772-1: important: Security update for redis
openSUSE Security Update: Security update for redis
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:3772-1
Rating: important
References: #1191299 #1191300 #1191302 #1191303 #1191304
#1191305 #1191306
Cross-References: CVE-2021-32626 CVE-2021-32627 CVE-2021-32628
CVE-2021-32672 CVE-2021-32675 CVE-2021-32687
CVE-2021-32762 CVE-2021-41099
CVSS scores:
CVE-2021-32626 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32626 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32627 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32627 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32628 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32628 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32672 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2021-32672 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2021-32675 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-32675 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-32687 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32687 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32762 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32762 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-41099 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-41099 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that fixes 8 vulnerabilities is now available.
Description:
This update for redis fixes the following issues:
- CVE-2021-32627: Fixed integer to heap buffer overflows with streams
(bsc#1191305).
- CVE-2021-32628: Fixed integer to heap buffer overflows handling
ziplist-encoded data types (bsc#1191305).
- CVE-2021-32687: Fixed integer to heap buffer overflow with intsets
(bsc#1191302).
- CVE-2021-32762: Fixed integer to heap buffer overflow issue in redis-cli
and redis-sentinel (bsc#1191300).
- CVE-2021-32626: Fixed heap buffer overflow caused by specially crafted
Lua scripts (bsc#1191306).
- CVE-2021-32672: Fixed random heap reading issue with Lua Debugger
(bsc#1191304).
- CVE-2021-32675: Fixed Denial Of Service when processing RESP request
payloads with a large number of elements on many connections
(bsc#1191303).
- CVE-2021-41099: Fixed integer to heap buffer overflow handling certain
string commands and network payloads (bsc#1191299).
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-3772=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
redis-6.0.14-6.8.1
redis-debuginfo-6.0.14-6.8.1
redis-debugsource-6.0.14-6.8.1
References:
https://www.suse.com/security/cve/CVE-2021-32626.html
https://www.suse.com/security/cve/CVE-2021-32627.html
https://www.suse.com/security/cve/CVE-2021-32628.html
https://www.suse.com/security/cve/CVE-2021-32672.html
https://www.suse.com/security/cve/CVE-2021-32675.html
https://www.suse.com/security/cve/CVE-2021-32687.html
https://www.suse.com/security/cve/CVE-2021-32762.html
https://www.suse.com/security/cve/CVE-2021-41099.html
https://bugzilla.suse.com/1191299
https://bugzilla.suse.com/1191300
https://bugzilla.suse.com/1191302
https://bugzilla.suse.com/1191303
https://bugzilla.suse.com/1191304
https://bugzilla.suse.com/1191305
https://bugzilla.suse.com/1191306
A redis security update has been released for openSUSE Leap 15.3.
