| Message ID | 20230605062451.405573-1-titouanchristophe@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/1] package/redis: security bump to v7.0.11 | expand |
Hello Peter, This patch is also valid for 2023.02, could you please apply it there too ? Best regards, Titouan On 5/06/23 08:24, Titouan Christophe wrote: > From the release notes > (see https://github.com/redis/redis/blob/7.0/00-RELEASENOTES): > > ================================================================================ > Redis 7.0.11 Released Mon Apr 17 16:00:00 IST 2023 > ================================================================================ > > Upgrade urgency: SECURITY, contains fixes to security issues. > > Security Fixes: > * (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create > an invalid hash field that will crash Redis on access > > ... > > ================================================================================ > Redis 7.0.10 Released Mon Mar 20 16:00:00 IST 2023 > ================================================================================ > > Upgrade urgency: SECURITY, contains fixes to security issues. > > Security Fixes: > * (CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service > > ... > > ================================================================================ > Redis 7.0.9 Released Tue Feb 28 12:00:00 IST 2023 > ================================================================================ > > Upgrade urgency: SECURITY, contains fixes to security issues. > > Security Fixes: > * (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD > commands can trigger an integer overflow, resulting in a runtime assertion > and termination of the Redis server process. > * (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially > crafted pattern to trigger a denial-of-service attack on Redis, causing it to > hang and consume 100% CPU time. > > ... > > ================================================================================ > Redis 7.0.8 Released Mon Jan 16 12:00:00 IDT 2023 > ================================================================================ > > Upgrade urgency: SECURITY, contains fixes to security issues. > > Security Fixes: > * (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO > commands can drive Redis to OOM panic > * (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER > commands can lead to denial-of-service > > ... > > Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com> > --- > package/redis/redis.hash | 2 +- > package/redis/redis.mk | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/package/redis/redis.hash b/package/redis/redis.hash > index eb8c21be98..69bfc1475f 100644 > --- a/package/redis/redis.hash > +++ b/package/redis/redis.hash > @@ -1,5 +1,5 @@ > # From https://github.com/redis/redis-hashes/blob/master/README > -sha256 8d327d7e887d1bb308fc37aaf717a0bf79f58129e3739069aaeeae88955ac586 redis-7.0.7.tar.gz > +sha256 ce250d1fba042c613de38a15d40889b78f7cb6d5461a27e35017ba39b07221e3 redis-7.0.11.tar.gz > > # Locally calculated > sha256 97f0a15b7bbae580d2609dad2e11f1956ae167be296ab60f4691ab9c30ee9828 COPYING > diff --git a/package/redis/redis.mk b/package/redis/redis.mk > index b08be11538..e5d3de8eb9 100644 > --- a/package/redis/redis.mk > +++ b/package/redis/redis.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -REDIS_VERSION = 7.0.7 > +REDIS_VERSION = 7.0.11 > REDIS_SITE = http://download.redis.io/releases > REDIS_LICENSE = BSD-3-Clause (core); MIT and BSD family licenses (Bundled components) > REDIS_LICENSE_FILES = COPYING
>>>>> "Titouan" == Titouan Christophe <titouanchristophe@gmail.com> writes: > From the release notes > (see https://github.com/redis/redis/blob/7.0/00-RELEASENOTES): Committed, thanks.
>>>>> "Titouan" == Titouan Christophe <titouanchristophe@gmail.com> writes: > Hello Peter, > This patch is also valid for 2023.02, could you please apply it there too ? Yes, I will take care of it when synching 2023.02 with fixes from master. I am currently running a few weeks behind though.
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: >>>>> "Titouan" == Titouan Christophe <titouanchristophe@gmail.com> writes: >> Hello Peter, >> This patch is also valid for 2023.02, could you please apply it there too ? > Yes, I will take care of it when synching 2023.02 with fixes from > master. I am currently running a few weeks behind though. Committed to 2023.02.x, thanks.
diff --git a/package/redis/redis.hash b/package/redis/redis.hash index eb8c21be98..69bfc1475f 100644 --- a/package/redis/redis.hash +++ b/package/redis/redis.hash @@ -1,5 +1,5 @@ # From https://github.com/redis/redis-hashes/blob/master/README -sha256 8d327d7e887d1bb308fc37aaf717a0bf79f58129e3739069aaeeae88955ac586 redis-7.0.7.tar.gz +sha256 ce250d1fba042c613de38a15d40889b78f7cb6d5461a27e35017ba39b07221e3 redis-7.0.11.tar.gz # Locally calculated sha256 97f0a15b7bbae580d2609dad2e11f1956ae167be296ab60f4691ab9c30ee9828 COPYING diff --git a/package/redis/redis.mk b/package/redis/redis.mk index b08be11538..e5d3de8eb9 100644 --- a/package/redis/redis.mk +++ b/package/redis/redis.mk @@ -4,7 +4,7 @@ # ################################################################################ -REDIS_VERSION = 7.0.7 +REDIS_VERSION = 7.0.11 REDIS_SITE = http://download.redis.io/releases REDIS_LICENSE = BSD-3-Clause (core); MIT and BSD family licenses (Bundled components) REDIS_LICENSE_FILES = COPYING
From the release notes (see https://github.com/redis/redis/blob/7.0/00-RELEASENOTES): ================================================================================ Redis 7.0.11 Released Mon Apr 17 16:00:00 IST 2023 ================================================================================ Upgrade urgency: SECURITY, contains fixes to security issues. Security Fixes: * (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access ... ================================================================================ Redis 7.0.10 Released Mon Mar 20 16:00:00 IST 2023 ================================================================================ Upgrade urgency: SECURITY, contains fixes to security issues. Security Fixes: * (CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service ... ================================================================================ Redis 7.0.9 Released Tue Feb 28 12:00:00 IST 2023 ================================================================================ Upgrade urgency: SECURITY, contains fixes to security issues. Security Fixes: * (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. * (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. ... ================================================================================ Redis 7.0.8 Released Mon Jan 16 12:00:00 IDT 2023 ================================================================================ Upgrade urgency: SECURITY, contains fixes to security issues. Security Fixes: * (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic * (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service ... Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com> --- package/redis/redis.hash | 2 +- package/redis/redis.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)