openSUSE Security Update: Security update for redis
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:0682-1
Rating:             important
References:         #1178205 #1182657 #1185729 #1185730 ECO-2417 
                    ECO-2867 PM-1547 PM-1615 PM-1622 PM-1681 
                    SLE-11578 SLE-12821 
Cross-References:   CVE-2021-21309 CVE-2021-29477 CVE-2021-29478
                   
CVSS scores:
                    CVE-2021-21309 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-21309 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-29477 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-29478 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Leap 15.2
______________________________________________________________________________

   An update that solves three vulnerabilities, contains 8
   features and has one errata is now available.

Description:

   This update for redis fixes the following issues:

   redis 6.0.13

   * CVE-2021-29477: Integer overflow in STRALGO LCS command (boo#1185729)
   * CVE-2021-29478: Integer overflow in COPY command for large intsets
     (boo#1185730)
   * Cluster: Skip unnecessary check which may prevent failure detection
   * Fix performance regression in BRPOP on Redis 6.0
   * Fix edge-case when a module client is unblocked

   redis 6.0.12:

   * Fix compilation error on non-glibc systems if jemalloc is not used

   redis 6.0.11:

   * CVE-2021-21309: Avoid 32-bit overflows when proto-max-bulk-len is set
     high (boo#1182657)
   * Fix handling of threaded IO and CLIENT PAUSE (failover), could lead to
     data loss or a crash
   * Fix the selection of a random element from large hash tables
   * Fix broken protocol in client tracking tracking-redir-broken message
   * XINFO able to access expired keys on a replica
   * Fix broken protocol in redis-benchmark when used with -a or --dbnum
   * Avoid assertions (on older kernels) when testing arm64 CoW bug
   * CONFIG REWRITE should honor umask settings
   * Fix firstkey,lastkey,step in COMMAND command for some commands
   * RM_ZsetRem: Delete key if empty, the bug could leave empty zset keys

   redis 6.0.10:

   Command behavior changes:

   * SWAPDB invalidates WATCHed keys (#8239)
   * SORT command behaves differently when used on a writable replica (#8283)
   * EXISTS should not alter LRU (#8016). In Redis 5.0 and 6.0 it would have
     touched the LRU/LFU of the key.
   * OBJECT should not reveal logically expired keys (#8016). It now behaves
     the same as TYPE or any other non-DEBUG command.
   * GEORADIUS[BYMEMBER] can fail with -OOM if Redis is over the memory limit
     (#8107)

   Other behavior changes:

   * Sentinel: Fix missing updates to the config file after SENTINEL SET
     command (#8229)
   * CONFIG REWRITE is atomic and safer, but requires write access to the
     config file's folder (#7824, #8051) This change was already present in
     6.0.9, but was missing from the release notes.

   Bug fixes with compatibility implications (bugs introduced in Redis 6.0):

   * Fix RDB CRC64 checksum on big-endian systems (#8270) If you're using
     big-endian please consider the compatibility implications with RESTORE,
     replication and persistence.
   * Fix wrong order of key/value in Lua's map response (#8266) If your
     scripts use redis.setresp() or return a map (new in Redis 6.0), please
     consider the implications.

   Bug fixes:

   * Fix an issue where a forked process deletes the parent's pidfile (#8231)
   * Fix crashes when enabling io-threads-do-reads (#8230)
   * Fix a crash in redis-cli after executing cluster backup (#8267)
   * Handle output buffer limits for module blocked clients (#8141). A module
     sending a reply to a blocked client could exceed the limit.
   * Fix setproctitle related crashes. (#8150, #8088) Caused various crashes
     on startup, mainly on Apple M1 chips or under instrumentation.
   * Backup/restore cluster mode keys to slots map for
     repl-diskless-load=swapdb (#8108) In cluster mode with
     repl-diskless-load, when loading failed, slot map wouldn't have been
     restored.
   * Fix oom-score-adj-values range, and a bug when used in the config file
     (#8046). Setting this in the config file on a line after enabling it
     would have been buggy.
   * Reset average TTL when databases are empty (#8106). This only caused a
     misleading metric in INFO.
   * Disable rehash when Redis has child process (#8007) This could have
     caused excessive CoW during BGSAVE, replication or AOFRW.
   * Further improved ACL algorithm for picking categories (#7966) Output of
     ACL GETUSER is now more similar to the one provided by ACL SETUSER.
   * Fix bug with module GIL being released prematurely (#8061) Could in
     theory (and rarely) cause multi-threaded modules to corrupt memory.
   * Reduce effect of client tracking causing feedback loop in key eviction
     (#8100)
   * Fix cluster access to unaligned memory (SIGBUS on old ARM) (#7958)
   * Fix saving of strings larger than 2GB into RDB files (#8306)

   Additional improvements:

   * Avoid wasteful transient memory allocation in certain cases (#8286,
     #5954)

   Platform / toolchain support related improvements:

   * Fix crash log registers output on ARM. (#8020)
   * Add a check for an ARM64 Linux kernel bug (#8224) Due to the potential
     severity of this issue, Redis will print log warning on startup.
   * Raspberry build fix. (#8095)

   New configuration options:

   * oom-score-adj-values config can now take absolute values (besides
     relative ones) (#8046)

   Module related fixes:

   * Moved RMAPI_FUNC_SUPPORTED so that it's usable (#8037)
   * Improve timer accuracy (#7987)
   * Allow '\0' inside of result of RM_CreateStringPrintf (#6260)

   redis 6.0.9:

   * Potential heap overflow when using a heap allocator other than jemalloc
     or glibc's malloc. Does not affect the openSUSE package (boo#1178205)
   * Memory reporting of clients argv
   * Add redis-cli control on raw format line delimiter
   * Add redis-cli support for rediss:// -u prefix
   * WATCH no longer ignores keys which have expired for MULTI/EXEC
   * Correct OBJECT ENCODING response for stream type
   * Allow blocked XREAD on a cluster replica
   * TLS: Do not require CA config if not used
   * multiple bug fixes
   * Additions to modules API

   redis 6.0.8 (jsc#PM-1615, jsc#PM-1622, jsc#PM-1681, jsc#ECO-2417,
   jsc#ECO-2867, jsc#PM-1547, jsc#CAPS-56, jsc#SLE-11578, jsc#SLE-12821):

   * bug fixes when using with Sentinel
   * bug fixes when using CONFIG REWRITE
   * Remove THP warning when set to madvise
   * Allow EXEC with read commands on readonly replica in cluster
   * Add masters/replicas options to redis-cli --cluster call command
   - includes changes from 6.0.7:
   * CONFIG SET could hang the client when it arrives during RDB/AOF loading
   * LPOS command when RANK is greater than matches responded with broken
     protocol
   * Add oom-score-adj configuration option to control Linux OOM killer
   * Show IO threads statistics and status in INFO output
   * Add optional tls verification mode (see tls-auth-clients)

   redis 6.0.6:

   * Fix crash when enabling CLIENT TRACKING with prefix
   * EXEC always fails with EXECABORT and multi-state is cleared
   * RESTORE ABSTTL won't store expired keys into the db
   * redis-cli: better handling of non-printable key names
   * TLS: Ignore client cert when tls-auth-clients off
   * Tracking: fix invalidation message on flush
   * Notify systemd on Sentinel startup
   * Fix crash on a misuse of STRALGO
   * Few fixes in module API
   * Fix a few rare leaks (STRALGO error misuse, Sentinel)
   * Fix a possible invalid access in defrag of scripts
   * Add LPOS command to search in a list
   * Use user+pass for MIGRATE in redis-cli and redis-benchmark in cluster
     mode
   * redis-cli support TLS for --pipe, --rdb and --replica options
   * TLS: Session caching configuration support

   redis 6.0.5:

   * Fix handling of special chars in ACL LOAD
   * Make Redis Cluster more robust against operation errors that may lead to
     two clusters mixing together
   * Revert the sendfile() implementation of RDB transfer
   * Fix TLS certificate loading for chained certificates
   * Fix AOF rewriting of the KEEPTTL SET option
   * Fix MULTI/EXEC behavior during -BUSY script errors

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2021-682=1



Package List:

   - openSUSE Leap 15.2 (i586 x86_64):

      redis-6.0.13-lp152.2.3.1
      redis-debuginfo-6.0.13-lp152.2.3.1
      redis-debugsource-6.0.13-lp152.2.3.1
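   A quick check an administrator can run before and after applying the patch: the script below (an added example, not part of the advisory or the redis project) parses the `redis-server --version` banner, compares the version numerically against 6.0.13, the first release carrying all three CVE fixes above, and, where rpm is available, prints the installed package version beside the fixed one from the package list. The banner format is assumed to be the standard "Redis server v=X.Y.Z ..." line; the sample banners are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: is a Redis build older than
# 6.0.13, the version this update ships for the three CVEs above?
# Sample banners below are constructed; the rpm/binary checks are optional.

FIXED_VERSION="6.0.13"

# Pull the dotted version out of a banner such as
# "Redis server v=6.0.10 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=..."
redis_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*v=\([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B: succeed (0) if A sorts strictly before B, comparing the
# dotted components numerically so that 6.0.9 < 6.0.13 (string order would not).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# Print "vulnerable", "patched" or "unknown" for one banner line.
assess_banner() {
    v=$(redis_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Constructed sample banners, one per state.
for banner in \
    "Redis server v=6.0.10 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=0" \
    "Redis server v=6.0.13 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=0" \
    "not a redis banner"; do
    printf '%-12s <- %s\n' "$(assess_banner "$banner")" "$banner"
done

# On a real openSUSE host, check the running binary and the installed package.
if command -v redis-server >/dev/null 2>&1; then
    printf 'installed redis-server: %s\n' "$(assess_banner "$(redis-server --version)")"
fi
if command -v rpm >/dev/null 2>&1 && rpm -q redis >/dev/null 2>&1; then
    rpm -q --queryformat 'package: redis-%{VERSION}-%{RELEASE} (fixed: 6.0.13-lp152.2.3.1)\n' redis
fi
```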


References:

   https://www.suse.com/security/cve/CVE-2021-21309.html
   https://www.suse.com/security/cve/CVE-2021-29477.html
   https://www.suse.com/security/cve/CVE-2021-29478.html
   https://bugzilla.suse.com/1178205
   https://bugzilla.suse.com/1182657
   https://bugzilla.suse.com/1185729
   https://bugzilla.suse.com/1185730

openSUSE: 2021:0682-1 important: redis

May 7, 2021