Fedora Linux 8782 Published by

A redis security update has been released for Fedora 33.



SECURITY: Fedora 33 Update: redis-6.0.15-1.fc33


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-76cf1653b3
2021-08-01 04:04:30.838612
--------------------------------------------------------------------------------

Name : redis
Product : Fedora 33
Version : 6.0.15
Release : 1.fc33
URL :   https://redis.io
Summary : A persistent key-value database
Description :
Redis is an advanced key-value store. It is often referred to as a data
structure server since keys can contain strings, hashes, lists, sets and
sorted sets.

You can run atomic operations on these types, like appending to a string;
incrementing the value in a hash; pushing to a list; computing set
intersection, union and difference; or getting the member with highest
ranking in a sorted set.

In order to achieve its outstanding performance, Redis works with an
in-memory dataset. Depending on your use case, you can persist it either
by dumping the dataset to disk every once in a while, or by appending
each command to a log.

Redis also supports trivial-to-setup master-slave replication, with very
fast non-blocking first synchronization, auto-reconnection on net split
and so forth.

Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
limited time-to-live, and configuration settings to make Redis behave like
a cache.

You can use Redis from most programming languages also.

--------------------------------------------------------------------------------
Update Information:

** Redis 6.0.15** - Released Wed Jul 21 16:32:19 IDT 2021 Upgrade urgency:
SECURITY, contains fixes to security issues that affect authenticated client
connections on 32-bit versions. MODERATE otherwise. Fix integer overflow in
BITFIELD on 32-bit versions (**CVE-2021-32761**). An integer overflow bug in
Redis version 2.2 or newer can be exploited using the BITFIELD command to
corrupt the heap and potentially result with remote code execution. Bug fixes
that involve behavior changes: * Change reply type for ZPOPMAX/MIN with
count in RESP3 to nested array (#8981). Was using a flat array like in RESP2
instead of a nested array like ZRANGE does. Bug fixes: * Fail EXEC command
in case a watched key is expired (#9194) * Fix SMOVE not to invalidate dest
key (WATCH and tracking) when member already exists (#9244) * Fix SINTERSTORE
not to delete dest key when getting a wrong type error (#9032) * Fix
overflows on 32-bit versions in GETBIT, SETBIT, BITCOUNT, BITPOS, and BITFIELD
(#9191) * Set TCP keepalive on inbound cluster bus connections (#9230) *
Fix ziplist length updates on big-endian platforms (#2080) * Fix diskless
replica loading to recover from RDB short read on module AUX data (#9199) *
Fix race in client side tracking (#9116) * If diskless repl child is killed,
make sure to reap the child pid (#7742) * Add a timeout mechanism for
replicas stuck in fullsync (#8762) CLI tools: * redis-cli cluster import
support source and target that require auth (#7994) * redis-cli cluster
import command may issue wrong MIGRATE command, sending COPY instead of REPLACE
(#8945) * redis-cli support for RESP3 set type in CSV and RAW output (#7338)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 22 2021 Remi Collet - 6.0.15-1
- Upstream 6.0.15 release
- Fix CVE-2021-32761: 32-bit systems BITFIELD command integer overflow.
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1985476 - CVE-2021-32761 redis: integer overflow issues with BITFIELD command on 32-bit systems
  https://bugzilla.redhat.com/show_bug.cgi?id=1985476
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-76cf1653b3' at the command
line. For more information, refer to the dnf documentation available at
  http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
  https://fedoraproject.org/keys