Debian 11 DLA-3885-1 Critical: Redis Denial-of-Service and Heap Overflow

debian lts
September 10, 2024

It was discovered that there were a number of issues in Redis, a popular key-value database:

Summary

* CVE-2023-45145: On startup, Redis began listening on a Unix
socket before adjusting its permissions to the user-provided
configuration. If a permissive umask(2) was used, this created a
race condition that enabled, during a short period of time,
another process to establish an otherwise unauthorized connection.

* CVE-2023-28856: Authenticated users could have used the
HINCRBYFLOAT command to create an invalid hash field that would
have crashed the Redis server on access.

* CVE-2023-25155: Authenticated users issuing specially crafted
SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an
integer overflow, resulting in a runtime assertion and termination
of the Redis server process.

* CVE-2022-36021: Authenticated users can use string matching
commands (like SCAN or KEYS) with a specially crafted pattern to
trigger a denial-of-service attack on Redis, causing it to hang
and consume 100% CPU time.

Severity: critical

Package: redis
Version: 5:6.0.16-1+deb11u3
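The version string above only answers the question "am I patched?" when it is compared with dpkg's ordering rules (epoch first, then `~` sorting below everything, then digit runs compared numerically). As an added example that is not part of the advisory, the following pure-Python port of that ordering checks an installed redis version against the fixed version listed here, so the check can also run over off-host inventory data; all version strings other than the fixed one are constructed samples.

```python
# Added example (not the advisory's code): a pure-Python port of dpkg's version ordering,
# used to decide whether an installed redis package carries the DLA-3885-1 fix.
FIXED_VERSION = "5:6.0.16-1+deb11u3"  # fixed version named in the advisory

def _order(c):
    # dpkg weight of one character: digits 0, letters by code point, '~' below everything
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256  # other punctuation sorts above letters

def _verrevcmp(a, b):
    # dpkg's verrevcmp: alternate non-digit runs (by weight) and digit runs (numerically)
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac, bc = (_order(a[ia]) if ia < len(a) else 0), (_order(b[ib]) if ib < len(b) else 0)
            if ac != bc:
                return ac - bc
            ia, ib = ia + 1, ib + 1
        while ia < len(a) and a[ia] == "0": ia += 1  # leading zeros are insignificant
        while ib < len(b) and b[ib] == "0": ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            first_diff = first_diff or ord(a[ia]) - ord(b[ib])
            ia, ib = ia + 1, ib + 1
        if ia < len(a) and a[ia].isdigit():  # the longer digit run is the larger number
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def deb_version_cmp(a, b):
    """Negative if a < b, zero if equal, positive if a > b ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def redis_is_fixed(installed):
    # e.g. installed = output of: dpkg-query -W -f '${Version}' redis-server
    return deb_version_cmp(installed, FIXED_VERSION) >= 0
```

Note that a naive numeric comparison would rank an unepoched 7.x string above 5:6.0.16, which is why the epoch is compared first.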
