Fedora Update Notification
2021-10-12 23:37:48.488219

Name        : redis
Product     : Fedora 34
Version     : 6.2.6
Release     : 1.fc34
URL         : https://redis.io
Summary     : A persistent key-value database
Description :
Redis is an advanced key-value store. It is often referred to as a data
structure server since keys can contain strings, hashes, lists, sets and
sorted sets.

You can run atomic operations on these types, like appending to a string;
incrementing the value in a hash; pushing to a list; computing set
intersection, union and difference; or getting the member with highest
ranking in a sorted set.

In order to achieve its outstanding performance, Redis works with an
in-memory dataset. Depending on your use case, you can persist it either
by dumping the dataset to disk every once in a while, or by appending
each command to a log.

Redis also supports trivial-to-setup master-slave replication, with very
fast non-blocking first synchronization, auto-reconnection on net split
and so forth.

Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
limited time-to-live, and configuration settings to make Redis behave like
a cache.

You can use Redis from most programming languages also.

Update Information:

**Redis 6.2.** - 6 Released Mon Oct 4 12:00:00 IDT 2021   Upgrade urgency:
SECURITY, contains fixes to security issues.  Security Fixes:  *
(**CVE-2021-41099**) Integer to heap buffer overflow handling certain string
commands and network payloads, when proto-max-bulk-len is manually configured
to a non-default, very large value [reported by yiyuaner]. *
(**CVE-2021-32762**) Integer to heap buffer overflow issue in redis-cli and
redis-sentinel parsing large multi-bulk replies on some older and less common
platforms [reported by Microsoft Vulnerability Research]. * (**CVE-2021-32687**)
Integer to heap buffer overflow with intsets, when   set-max-intset-entries is
manually configured to a non-default, very large   value [reported by Pawel
Wieczorkiewicz, AWS]. * (**CVE-2021-32675**) Denial Of Service when processing
RESP request payloads with   a large number of elements on many connections. *
(**CVE-2021-32672**) Random heap reading issue with Lua Debugger [reported by
Meir Shpilraien]. * (**CVE-2021-32628**) Integer to heap buffer overflow
handling ziplist-encoded   data types, when configuring a large, non-default
value for   hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-
entries   or zset-max-ziplist-value [reported by sundb]. * (**CVE-2021-32627**)
Integer to heap buffer overflow issue with streams, when   configuring a non-
default, large value for proto-max-bulk-len and   client-query-buffer-limit
[reported by sundb]. * (**CVE-2021-32626**) Specially crafted Lua scripts may
result with Heap buffer   overflow [reported by Meir Shpilraien].  Bug fixes
that involve behavior changes:  * GEO* STORE with empty source key deletes the
destination key and return 0 (#9271)   Previously it would have returned an
empty array like the non-STORE variant. * PUBSUB NUMPAT replies with number of
patterns rather than number of subscriptions (#9209)   This actually changed in
6.2.0 but was overlooked and omitted from the release notes.  Bug fixes that are
only applicable to previous releases of Redis 6.2:  * Fix CLIENT PAUSE, used an
old timeout from previous PAUSE (#9477) * Fix CLIENT PAUSE in a replica would
mess the replication offset (#9448) * Add some missing error statistics in INFO
errorstats (#9328)  Other bug fixes:  * Fix incorrect reply of COMMAND command
key positions for MIGRATE command (#9455) * Fix appendfsync to always guarantee
fsync before reply, on MacOS and FreeBSD (kqueue) (#9416) * Fix the wrong mis-
detection of sync_file_range system call, affecting performance (#9371)  CLI
tools:  * When redis-cli received ASK response, it didn't handle it (#8930)
Improvements:  * Add latency monitor sample when key is deleted via lazy expire
(#9317) * Sanitize corrupt payload improvements (#9321, #9399) * Delete empty
keys when loading RDB file or handling a RESTORE command (#9297, #9349)

* Mon Oct  4 2021 Remi Collet  - 6.2.6-1
- Upstream 6.2.6 release.
* Tue Sep 14 2021 Sahana Prasad  - 6.2.5-2
- Rebuilt with OpenSSL 3.0.0

  [ 1 ] Bug #2010988 - CVE-2021-32762 redis: Integer overflow in redis-cli, redis-sentinel on some platforms
  [ 2 ] Bug #2010991 - CVE-2021-32687 redis: Integer overflow issue with intsets
  [ 3 ] Bug #2011000 - CVE-2021-32675 redis: Denial of service via Redis Standard Protocol (RESP) request
  [ 4 ] Bug #2011001 - CVE-2021-32672 redis: Out of bounds read in lua debugger protocol parser
  [ 5 ] Bug #2011004 - CVE-2021-32628 redis: Integer overflow bug in the ziplist data structure
  [ 6 ] Bug #2011010 - CVE-2021-32627 redis: Integer overflow issue with Streams
  [ 7 ] Bug #2011017 - CVE-2021-32626 redis: Lua scripts can overflow the heap-based Lua stack
  [ 8 ] Bug #2011020 - CVE-2021-41099 redis: Integer overflow issue with strings

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-61c487f241' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
package-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure