SUSE 5181 Published by

A redis security update has been released for openSUSE 15.2.



openSUSE-SU-2021:0682-1: important: Security update for redis


openSUSE Security Update: Security update for redis
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:0682-1
Rating: important
References: #1178205 #1182657 #1185729 #1185730 ECO-2417
ECO-2867 PM-1547 PM-1615 PM-1622 PM-1681
SLE-11578 SLE-12821
Cross-References: CVE-2021-21309 CVE-2021-29477 CVE-2021-29478

CVSS scores:
CVE-2021-21309 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-21309 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2021-29477 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-29478 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that solves three vulnerabilities, contains 8
features and has one errata is now available.

Description:

This update for redis fixes the following issues:

redis 6.0.13

* CVE-2021-29477: Integer overflow in STRALGO LCS command (boo#1185729)
* CVE-2021-29478: Integer overflow in COPY command for large intsets
(boo#1185730)
* Cluster: Skip unnecessary check which may prevent failure detection
* Fix performance regression in BRPOP on Redis 6.0
* Fix edge-case when a module client is unblocked

redis 6.0.12:

* Fix compilation error on non-glibc systems if jemalloc is not used

redis 6.0.11:

* CVE-2021-21309: Avoid 32-bit overflows when proto-max-bulk-len is set
high (boo#1182657)
* Fix handling of threaded IO and CLIENT PAUSE (failover), could lead to
data loss or a crash
* Fix the selection of a random element from large hash tables
* Fix broken protocol in client tracking tracking-redir-broken message
* XINFO able to access expired keys on a replica
* Fix broken protocol in redis-benchmark when used with -a or --dbnum
* Avoid assertions (on older kernels) when testing arm64 CoW bug
* CONFIG REWRITE should honor umask settings
* Fix firstkey,lastkey,step in COMMAND command for some commands
* RM_ZsetRem: Delete key if empty, the bug could leave empty zset keys

redis 6.0.10:

Command behavior changes:

* SWAPDB invalidates WATCHed keys (#8239)
* SORT command behaves differently when used on a writable replica (#8283)
* EXISTS should not alter LRU (#8016) In Redis 5.0 and 6.0 it would have
touched the LRU/LFU of the key.
* OBJECT should not reveal logically expired keys (#8016) Will now behave
the same TYPE or any other non-DEBUG command.
* GEORADIUS[BYMEMBER] can fail with -OOM if Redis is over the memory limit
(#8107)

Other behavior changes:

* Sentinel: Fix missing updates to the config file after SENTINEL SET
command (#8229)
* CONFIG REWRITE is atomic and safer, but requires write access to the
config file's folder (#7824, #8051) This change was already present in
6.0.9, but was missing from the release notes.

Bug fixes with compatibility implications (bugs introduced in Redis 6.0):

* Fix RDB CRC64 checksum on big-endian systems (#8270) If you're using
big-endian please consider the compatibility implications with RESTORE,
replication and persistence.
* Fix wrong order of key/value in Lua's map response (#8266) If your
scripts use redis.setresp() or return a map (new in Redis 6.0), please
consider the implications.

Bug fixes:

* Fix an issue where a forked process deletes the parent's pidfile (#8231)
* Fix crashes when enabling io-threads-do-reads (#8230)
* Fix a crash in redis-cli after executing cluster backup (#8267)
* Handle output buffer limits for module blocked clients (#8141) Could
result in a module sending reply to a blocked client to go beyond the
limit.
* Fix setproctitle related crashes. (#8150, #8088) Caused various crashes
on startup, mainly on Apple M1 chips or under instrumentation.
* Backup/restore cluster mode keys to slots map for
repl-diskless-load=swapdb (#8108) In cluster mode with
repl-diskless-load, when loading failed, slot map wouldn't have been
restored.
* Fix oom-score-adj-values range, and bug when used in config file (#8046)
Enabling setting this in the config file in a line after enabling it,
would have been buggy.
* Reset average ttl when empty databases (#8106) Just causing misleading
metric in INFO
* Disable rehash when Redis has child process (#8007) This could have
caused excessive CoW during BGSAVE, replication or AOFRW.
* Further improved ACL algorithm for picking categories (#7966) Output of
ACL GETUSER is now more similar to the one provided by ACL SETUSER.
* Fix bug with module GIL being released prematurely (#8061) Could in
theory (and rarely) cause multi-threaded modules to corrupt memory.
* Reduce effect of client tracking causing feedback loop in key eviction
(#8100)
* Fix cluster access to unaligned memory (SIGBUS on old ARM) (#7958)
* Fix saving of strings larger than 2GB into RDB files (#8306)

Additional improvements:

* Avoid wasteful transient memory allocation in certain cases (#8286,
#5954)

Platform / toolchain support related improvements:

* Fix crash log registers output on ARM. (#8020)
* Add a check for an ARM64 Linux kernel bug (#8224) Due to the potential
severity of this issue, Redis will print log warning on startup.
* Raspberry build fix. (#8095)

New configuration options:

* oom-score-adj-values config can now take absolute values (besides
relative ones) (#8046)

Module related fixes:

* Moved RMAPI_FUNC_SUPPORTED so that it's usable (#8037)
* Improve timer accuracy (#7987)
* Allow '\0' inside of result of RM_CreateStringPrintf (#6260)

redis 6.0.9:

* potential heap overflow when using a heap allocator other than jemalloc
or glibc's malloc. Does not affect the openSUSE package - boo#1178205
* Memory reporting of clients argv
* Add redis-cli control on raw format line delimiter
* Add redis-cli support for rediss:// -u prefix
* WATCH no longer ignores keys which have expired for MULTI/EXEC
* Correct OBJECT ENCODING response for stream type
* Allow blocked XREAD on a cluster replica
* TLS: Do not require CA config if not used
* multiple bug fixes
* Additions to modules API

redis 6.0.8 (jsc#PM-1615, jsc#PM-1622, jsc#PM-1681, jsc#ECO-2417,
jsc#ECO-2867, jsc#PM-1547, jsc#CAPS-56, jsc#SLE-11578, jsc#SLE-12821):

* bug fixes when using with Sentinel
* bug fixes when using CONFIG REWRITE
* Remove THP warning when set to madvise
* Allow EXEC with read commands on readonly replica in cluster
* Add masters/replicas options to redis-cli --cluster call command
- includes changes from 6.0.7:
* CONFIG SET could hung the client when arrives during RDB/ROF loading
* LPOS command when RANK is greater than matches responded with broken
protocol
* Add oom-score-adj configuration option to control Linux OOM killer
* Show IO threads statistics and status in INFO output
* Add optional tls verification mode (see tls-auth-clients)

redis 6.0.6:

* Fix crash when enabling CLIENT TRACKING with prefix
* EXEC always fails with EXECABORT and multi-state is cleared
* RESTORE ABSTTL won't store expired keys into the db
* redis-cli better handling of non-pritable key names
* TLS: Ignore client cert when tls-auth-clients off
* Tracking: fix invalidation message on flush
* Notify systemd on Sentinel startup
* Fix crash on a misuse of STRALGO
* Few fixes in module API
* Fix a few rare leaks (STRALGO error misuse, Sentinel)
* Fix a possible invalid access in defrag of scripts
* Add LPOS command to search in a list
* Use user+pass for MIGRATE in redis-cli and redis-benchmark in cluster
mode
* redis-cli support TLS for --pipe, --rdb and --replica options
* TLS: Session caching configuration support

redis 6.0.5:

* Fix handling of speical chars in ACL LOAD
* Make Redis Cluster more robust about operation errors that may lead to
two clusters to mix together
* Revert the sendfile() implementation of RDB transfer
* Fix TLS certificate loading for chained certificates
* Fix AOF rewirting of KEEPTTL SET option
* Fix MULTI/EXEC behavior during -BUSY script errors

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-682=1


Package List:

- openSUSE Leap 15.2 (i586 x86_64):

redis-6.0.13-lp152.2.3.1
redis-debuginfo-6.0.13-lp152.2.3.1
redis-debugsource-6.0.13-lp152.2.3.1

References:

  https://www.suse.com/security/cve/CVE-2021-21309.html
  https://www.suse.com/security/cve/CVE-2021-29477.html
  https://www.suse.com/security/cve/CVE-2021-29478.html
  https://bugzilla.suse.com/1178205
  https://bugzilla.suse.com/1182657
  https://bugzilla.suse.com/1185729
  https://bugzilla.suse.com/1185730