Fedora Update Notification
2021-10-12 23:45:00.369106

Name        : redis
Product     : Fedora 33
Version     : 6.0.16
Release     : 1.fc33
URL         : https://redis.io
Summary     : A persistent key-value database
Description :
Redis is an advanced key-value store. It is often referred to as a data
structure server since keys can contain strings, hashes, lists, sets and
sorted sets.

You can run atomic operations on these types, like appending to a string;
incrementing the value in a hash; pushing to a list; computing set
intersection, union and difference; or getting the member with highest
ranking in a sorted set.

In order to achieve its outstanding performance, Redis works with an
in-memory dataset. Depending on your use case, you can persist it either
by dumping the dataset to disk every once in a while, or by appending
each command to a log.

Redis also supports trivial-to-setup master-slave replication, with very
fast non-blocking first synchronization, auto-reconnection on net split
and so forth.

Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
limited time-to-live, and configuration settings to make Redis behave like
a cache.

You can use Redis from most programming languages also.

Update Information:

**Redis 6.0.16** - Released Mon Oct 4 12:00:00 IDT 2021

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

* (**CVE-2021-41099**) Integer to heap buffer overflow handling certain string
  commands and network payloads, when proto-max-bulk-len is manually configured
  to a non-default, very large value [reported by yiyuaner].
* (**CVE-2021-32762**) Integer to heap buffer overflow issue in redis-cli and
  redis-sentinel parsing large multi-bulk replies on some older and less common
  platforms [reported by Microsoft Vulnerability Research].
* (**CVE-2021-32687**) Integer to heap buffer overflow with intsets, when
  set-max-intset-entries is manually configured to a non-default, very large
  value [reported by Pawel Wieczorkiewicz, AWS].
* (**CVE-2021-32675**) Denial of Service when processing RESP request payloads
  with a large number of elements on many connections.
* (**CVE-2021-32672**) Random heap reading issue with the Lua Debugger
  [reported by Meir Shpilraien].
* (**CVE-2021-32628**) Integer to heap buffer overflow handling ziplist-encoded
  data types, when configuring a large, non-default value for
  hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries
  or zset-max-ziplist-value [reported by sundb].
* (**CVE-2021-32627**) Integer to heap buffer overflow issue with streams, when
  configuring a non-default, large value for proto-max-bulk-len and
  client-query-buffer-limit [reported by sundb].
* (**CVE-2021-32626**) Specially crafted Lua scripts may result in a heap buffer
  overflow [reported by Meir Shpilraien].

Other bug fixes:

* Fix appendfsync to always guarantee fsync before reply, on MacOS and
  FreeBSD (kqueue) (#9416)
* Fix the mis-detection of the sync_file_range system call, which affected
  performance (#9371)
* Fix replication issues when repl-diskless-load is used (#9280)
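Several of the overflows above are only reachable when an operator has raised a tuning directive well past its default. The following Python script is an added example, not part of the Fedora advisory or the Redis project: it reads a redis.conf and reports which of the directives the advisory names are set above their stock values, so a defender can see which of the listed issues applied to a given instance before it was upgraded. The default values and the sample configuration are assumptions constructed here (the defaults are those of the stock 6.0 redis.conf as I recall them); CVE-2021-32675 depends on no such setting and is addressed only by the upgrade.

```python
import re
# Redis size suffixes: k/m/g are powers of 1000, kb/mb/gb are powers of 1024.
UNITS = {"": 1, "k": 1000, "kb": 1024, "m": 1000 ** 2, "mb": 1024 ** 2,
         "g": 1000 ** 3, "gb": 1024 ** 3}

# Directives the advisory names as triggers, with their stock redis.conf 6.0
# defaults (assumed here; confirm against the conf shipped with your build).
DEFAULTS = {
    "proto-max-bulk-len": "512mb",        # CVE-2021-41099, CVE-2021-32627
    "client-query-buffer-limit": "1gb",   # CVE-2021-32627
    "set-max-intset-entries": "512",      # CVE-2021-32687
    "hash-max-ziplist-entries": "512", "hash-max-ziplist-value": "64",  # CVE-2021-32628
    "zset-max-ziplist-entries": "128", "zset-max-ziplist-value": "64",  # CVE-2021-32628
}

def parse_size(text):
    """Convert a Redis size literal such as '512mb' or '1000000' to an integer."""
    m = re.fullmatch(r"(\d+)\s*([kmg]b?)?", text.strip().lower())
    if not m:
        raise ValueError(f"not a Redis size literal: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2) or ""]

def parse_conf(conf_text):
    """Map directive -> last value seen in redis.conf text; comment lines are skipped."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().strip('"')
    return settings

def raised_limits(conf_text):
    """Return (directive, configured value, multiple of default) for each raised limit."""
    settings = parse_conf(conf_text)
    findings = []
    for directive, default in DEFAULTS.items():
        if directive in settings:
            configured, baseline = parse_size(settings[directive]), parse_size(default)
            if configured > baseline:
                findings.append((directive, settings[directive], configured // baseline))
    return findings

# Constructed sample redis.conf fragment (not taken from any real deployment).
SAMPLE_CONF = """\
proto-max-bulk-len 4gb
client-query-buffer-limit 1gb
set-max-intset-entries 1000000
hash-max-ziplist-entries 512
"""
```

On the sample, `raised_limits(SAMPLE_CONF)` reports proto-max-bulk-len at 8x and set-max-intset-entries at 1953x their defaults, while the two directives left at stock values are not flagged.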

* Mon Oct  4 2021 Remi Collet  - 6.0.16-1
- Upstream 6.0.16 release.

  [ 1 ] Bug #2010988 - CVE-2021-32762 redis: Integer overflow in redis-cli, redis-sentinel on some platforms
  [ 2 ] Bug #2010991 - CVE-2021-32687 redis: Integer overflow issue with intsets
  [ 3 ] Bug #2011000 - CVE-2021-32675 redis: Denial of service via Redis Standard Protocol (RESP) request
  [ 4 ] Bug #2011001 - CVE-2021-32672 redis: Out of bounds read in lua debugger protocol parser
  [ 5 ] Bug #2011004 - CVE-2021-32628 redis: Integer overflow bug in the ziplist data structure
  [ 6 ] Bug #2011010 - CVE-2021-32627 redis: Integer overflow issue with Streams
  [ 7 ] Bug #2011017 - CVE-2021-32626 redis: Lua scripts can overflow the heap-based Lua stack
  [ 8 ] Bug #2011020 - CVE-2021-41099 redis: Integer overflow issue with strings

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-8913c7900c' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
package-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure