| Message ID | 20220502101644.1595384-1-titouanchristophe@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [for,2022.02.x,1/1] package/redis: security bump to v6.2.7 | expand |
>>>>> "Titouan" == Titouan Christophe <titouanchristophe@gmail.com> writes: > From the release notes: > (https://github.com/redis/redis/blob/6.2.7/00-RELEASENOTES) > Upgrade urgency: SECURITY, contains fixes to security issues. > Security Fixes: > * (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script > can cause NULL pointer dereference which will result with a crash of the > redis-server process. This issue affects all versions of Redis. > [reported by Aviv Yahav]. > * (CVE-2022-24735) By exploiting weaknesses in the Lua script execution > environment, an attacker with access to Redis can inject Lua code that will > execute with the (potentially higher) privileges of another Redis user. > [reported by Aviv Yahav]. > Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com> Committed to 2022.02.x, thanks.
diff --git a/package/redis/redis.hash b/package/redis/redis.hash index 74a9392a63..6871a59041 100644 --- a/package/redis/redis.hash +++ b/package/redis/redis.hash @@ -1,5 +1,5 @@ # From https://github.com/redis/redis-hashes/blob/master/README -sha256 5b2b8b7a50111ef395bf1c1d5be11e6e167ac018125055daa8b5c2317ae131ab redis-6.2.6.tar.gz +sha256 b7a79cc3b46d3c6eb52fa37dde34a4a60824079ebdfb3abfbbfa035947c55319 redis-6.2.7.tar.gz # Locally calculated sha256 97f0a15b7bbae580d2609dad2e11f1956ae167be296ab60f4691ab9c30ee9828 COPYING diff --git a/package/redis/redis.mk b/package/redis/redis.mk index f3c030d68c..fb7f653742 100644 --- a/package/redis/redis.mk +++ b/package/redis/redis.mk @@ -4,7 +4,7 @@ # ################################################################################ -REDIS_VERSION = 6.2.6 +REDIS_VERSION = 6.2.7 REDIS_SITE = http://download.redis.io/releases REDIS_LICENSE = BSD-3-Clause (core); MIT and BSD family licenses (Bundled components) REDIS_LICENSE_FILES = COPYING
From the release notes: (https://github.com/redis/redis/blob/6.2.7/00-RELEASENOTES) Upgrade urgency: SECURITY, contains fixes to security issues. Security Fixes: * (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. This issue affects all versions of Redis. [reported by Aviv Yahav]. * (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. [reported by Aviv Yahav]. Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com> --- package/redis/redis.hash | 2 +- package/redis/redis.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)