Linux Security

    SUSE: 2021:9-1 harbor/harbor-redis Security Update

    Date 04 Jan 2021
    Posted By LinuxSecurity Advisories
    The container harbor/harbor-redis was updated. The following patches have been included in this update:
    SUSE Container Update Advisory: harbor/harbor-redis
    Container Advisory ID : SUSE-CU-2021:9-1
    Container Tags        : harbor/harbor-redis:2.1.2 , harbor/harbor-redis:2.1.2-rev1 , harbor/harbor-redis:2.1.2-rev1-build5.76
    Container Release     : 5.76
    Severity              : important
    Type                  : security
    References            : 1002351 1047218 1061967 1064980 1084671 1097430 1131555 1169006
                            1174232 1174593 1174942 1175514 1175623 1177458 1177490 1177510
                            1177858 1177864 1177998 1178346 1178376 1178387 1178512 1178554
                            1178727 1178823 1178825 1179398 1179399 1179431 1179491 1179515
                            1179593 1180138 798455 835815 991250 CVE-2013-7458 CVE-2015-8080
                            CVE-2016-10517 CVE-2016-8339 CVE-2017-15047 CVE-2018-11218 CVE-2018-11219
                            CVE-2020-1971 CVE-2020-25692 CVE-2020-28196 CVE-2020-8284 CVE-2020-8285
    Advisory ID: SUSE-RU-2020:3157-1
    Released:    Wed Nov  4 15:37:05 2020
    Summary:     Recommended update for ca-certificates-mozilla
    Type:        recommended
    Severity:    moderate
    References:  1177864
    This update for ca-certificates-mozilla fixes the following issues:
    The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)
    - Removed CAs:
      - EE Certification Centre Root CA
      - Taiwan GRCA
    - Added CAs:
      - Trustwave Global Certification Authority
      - Trustwave Global ECC P256 Certification Authority
      - Trustwave Global ECC P384 Certification Authority
    Advisory ID: SUSE-RU-2020:3290-1
    Released:    Wed Nov 11 12:25:32 2020
    Summary:     Recommended update for findutils
    Type:        recommended
    Severity:    moderate
    References:  1174232
    This update for findutils fixes the following issues:
    - Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
      NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.
    Advisory ID: SUSE-OU-2020:3291-1
    Released:    Wed Nov 11 12:26:29 2020
    Summary:     Optional update for python-redis and redis
    Type:        optional
    Severity:    moderate
    References:  1002351,1047218,1061967,1064980,1097430,1131555,798455,835815,991250,CVE-2013-7458,CVE-2015-8080,CVE-2016-10517,CVE-2016-8339,CVE-2017-15047,CVE-2018-11218,CVE-2018-11219
    This optional update for python-redis and redis provides the following fixes:
    - Update to version 3.4.1 (jsc#ECO-2417)
      * Move the username argument in the Redis and Connection classes to the end of the argument list. 
        This helps those poor souls that specify all their connection options as non-keyword arguments.
      * Prior to ACL support, redis-py ignored the username component of Connection URLs. With ACL 
        support, usernames are no longer ignored and are used to authenticate against an ACL rule. 
        Some cloud vendors with managed Redis instances (like Heroku) provide connection URLs with a
        username component pre-ACL that is not intended to be used. Sending that username to Redis 
        servers < 6.0.0 results in an error. Attempt to detect this condition and retry the AUTH 
        command with only the password such that authentication continues to work for these users.
      * Removed the __eq__ hooks to Redis and ConnectionPool that were added in 3.4.0. 
        This ended up being a bad idea as two separate connection pools could be considered equal yet 
        manage a completely separate set of connections.
      * Allow empty pipelines to be executed if there are WATCHed keys. This is a convenient 
        way to test if any of the watched keys changed without actually running any other commands. 
      * Removed support for end of life Python 3.4.
      * Added support for all ACL commands in Redis 6. 
      * Pipeline instances now always evaluate to True. Prior to this change,
        pipeline instances relied on __len__ for boolean evaluation which
        meant that pipelines with no commands on the stack would be considered False.
      * Client instances and Connection pools now support a 'client_name' argument. 
        If supplied, all connections created will call CLIENT SETNAME as soon as the connection is opened. 
      * Added the 'ssl_check_hostname' argument to specify whether SSL connections should require the 
        server hostname to match the hostname specified in the SSL cert. By default 'ssl_check_hostname' 
        is False for backwards compatibility. 
      * Added support for the TYPE argument to SCAN. 
      * Better thread and fork safety in ConnectionPool and BlockingConnectionPool. 
        Added better locking to synchronize critical sections rather than relying on CPython-specific implementation 
        details relating to atomic operations. Adjusted how the pools identify and deal with a fork. 
        Added a ChildDeadlockedError exception that is raised by child processes in the very unlikely chance that 
        a deadlock is encountered. 
      * Further fix for the SSLError -> TimeoutError mapping to work on obscure releases of Python 2.7.
      * Fixed a potential error handling bug for the SSLError ->
        TimeoutError mapping introduced in 3.3.9.
      * Mapped Python 2.7 SSLError to TimeoutError where
        appropriate. Timeouts should now consistently raise TimeoutErrors
        on Python 2.7 for both unsecured and secured connections. 
      * Fixed MONITOR parsing to properly parse IPv6 client addresses
      * Fixed a regression introduced in 3.3.0
      * Resolve a race condition with the PubSubWorkerThread.
      * Response callbacks are now case insensitive.
      * Added support for hiredis-py 1.0.0 encoding error support.
      * Add READONLY and READWRITE commands.
      * Added extensive health checks that keep the connections lively.
      * Many more changes, see upstream changelog.
      * Add missing build dependency setuptools
      * Fix SentinelConnectionPool to work in multiprocess/forked environments
    - Update to 3.2.0 (bsc#1131555)
      * Added support for `select.poll` to test whether data can be read on a socket. This should allow for significantly
        more connections to be used with pubsub. 
      * Attempt to guarantee that the ConnectionPool hands out healthy connections. Healthy connections are those that 
        have an established socket connection to the Redis server, are ready to accept a command and have no data 
        available to read. 
      * Use the socket.IPPROTO_TCP constant instead of socket.SOL_TCP. IPPROTO_TCP is available on 
        more interpreters (Jython for instance).
      * Fixed a regression introduced in 3.0 that mishandles exceptions not derived from the base Exception class, 
        notably KeyboardInterrupt and gevent.timeout. 
      * Significant improvements to handling connections with forked processes. Parent and child processes no longer 
        trample on each others' connections.
      * PythonParser no longer closes the associated connection's socket. The connection itself will close the socket.
      * Connection URLs must have one of the following schemes: redis://, rediss://, unix://. 
      * Fixed an issue with retry_on_timeout logic that caused some TimeoutErrors to be retried. 
      * Added support for SNI for SSL. 
      * Fixed ConnectionPool repr for pools with no connections. 
      * Fixed GEOHASH to return a None value when specifying a place that doesn't exist on the server. 
      * Fixed XREADGROUP to return an empty dictionary for messages that have been deleted but still exist in the 
        unacknowledged queue. 
      * Added an owned method to Lock objects. owned returns a boolean indicating whether the current lock instance 
        still owns the lock.
      * Allow lock.acquire() to accept an optional token argument. If provided, the token argument is used as the 
        unique value used to claim the lock. 
      * Added a reacquire method to Lock objects. reacquire attempts to renew the lock such that the timeout is 
        extended to the same value that the lock was initially acquired with. 
      * Stream names found within XREAD and XREADGROUP responses now properly respect the decode_responses flag.
      * XPENDING_RANGE now requires the user to specify the min, max and count arguments. 
        Newer versions of Redis prevent count from being infinite, so it is left to the user to specify these values. 
      * ZADD now returns None when xx=True and incr=True and an element is specified that doesn't exist in 
        the sorted set. This matches what the server returns in this case. 
      * Added client_kill_filter that accepts various filters to identify and kill clients. 
      * Fixed a race condition that occurred when unsubscribing and resubscribing to the same channel or pattern
        in rapid succession.
      * Added a LockNotOwnedError that is raised when trying to extend or release a lock that is no longer owned. 
        This is a subclass of LockError so previous code should continue to work as expected. 
      * Fixed a bug in GEORADIUS that forced decoding of places without respecting the decode_responses option. 
      * add recommendation for python-hiredis
      * Fixed regression with UnixDomainSocketConnection caused by 3.0.0.
      * Fixed an issue with the new asynchronous flag on flushdb and flushall.
      * Updated Lock.locked() method to indicate whether *any* process has acquired the lock, not just the 
        current one. This is in line with the behavior of threading.Lock. 
    - Update to version 3.0.0:
      * When using a Lock as a context manager and the lock fails to be acquired
        a LockError is now raised. This prevents the code block inside the context manager from being executed 
        if the lock could not be acquired.
      * Renamed LuaLock to Lock.
      * Removed the pipeline based Lock implementation in favor of the LuaLock implementation.
      * Only bytes, strings and numbers (ints, longs and floats) are acceptable
        for keys and values. Previously redis-py attempted to cast other types
        to str() and store the result. This caused much confusion and frustration
        when passing boolean values (cast to 'True' and 'False') or None values
        (cast to 'None'). It is now the user's responsibility to cast all
        key names and values to bytes, strings or numbers before passing the value to redis-py.
      * The StrictRedis class has been renamed to Redis. StrictRedis will
        continue to exist as an alias of Redis for the foreseeable future.
      * The legacy Redis client class has been removed. It caused much confusion to users.
      * ZINCRBY arguments 'value' and 'amount' have swapped order to match the
        Redis server. The new argument order is: keyname, amount, value.
      * MGET no longer raises an error if zero keys are passed in. Instead an empty list is returned.
      * MSET and MSETNX now require all keys/values to be specified in a single dictionary argument named mapping. 
        This was changed to allow for future options to these commands in the future.
      * ZADD now requires all element names/scores be specified in a single
        dictionary argument named mapping. This was required to allow the NX, XX, CH and INCR options to be specified.
      * Added missing DECRBY command.
      * CLUSTER INFO and CLUSTER NODES responses are now properly decoded to strings.
      * Added a 'locked()' method to Lock objects. This method returns True if the lock has been acquired and owned 
        by the current process, otherwise False.
      * EXISTS now supports multiple keys. Its return value is now the number of keys in the list that exist.
      * Ensure all commands can accept key names as bytes. This fixes issues with BLPOP, BRPOP and SORT.
      * All errors resulting from bad user input are raised as DataError exceptions. DataError is a subclass of 
        RedisError so this should be transparent to anyone previously catching these.
      * Added support for NX, XX, CH and INCR options to ZADD
      * Added support for the MIGRATE command
      * Added support for the MEMORY USAGE and MEMORY PURGE commands. 
      * Added support for the 'asynchronous' argument to FLUSHDB and FLUSHALL commands. 
      * Added support for the BITFIELD command. 
      * Improved performance on pipeline requests with large chunks of data.
      * Fixed test suite to not fail if another client is connected to the server the tests are running against.
      * Added support for SWAPDB.
      * Added support for all STREAM commands.
      * SHUTDOWN now accepts the 'save' and 'nosave' arguments. 
      * Added support for ZPOPMAX, ZPOPMIN, BZPOPMAX, BZPOPMIN. 
      * Added support for the 'type' argument in CLIENT LIST.
      * Added support for CLIENT PAUSE. 
      * Added support for CLIENT ID and CLIENT UNBLOCK. 
      * GEODIST now returns a None value when referencing a place that does not exist. 
      * Added a ping() method to pubsub objects. 
      * Fixed a bug with keys in the INFO dict that contained ':' symbols.
      * ssl_cert_reqs now defaults to 'required'. This should make connecting to a remote 
        Redis server over SSL more secure.
      * max_connections is now a valid querystring argument for creating connection pools from URLs. 
      * Added the UNLINK command.
      * Added socket_type option to Connection for configurability.
      * Lock.do_acquire now atomically acquires the lock and sets the expiry value via set(nx=True, px=timeout).
      * Added 'count' argument to SPOP.
      * Fixed an issue parsing client_list responses that contained an '='.
      * Fix rounding issues with geolocation; it is not stable enough to produce pinpoint equal 
        results among 32-bit platforms.
      * Run tests by launching redis server
      * Require redis on runtime
    - Update to version 6.0.8 
      (jsc#PM-1615, jsc#PM-1622, jsc#PM-1681, jsc#ECO-2867, jsc#PM-1547, jsc#CAPS-56, jsc#SLE-11578, jsc#SLE-12821)
      * bug fixes when using with Sentinel
      * bug fixes when using CONFIG REWRITE
      * Remove THP warning when set to madvise
      * Allow EXEC with read commands on readonly replica in cluster
      * Add masters/replicas options to redis-cli --cluster call command
      * CONFIG SET could hang the client when it arrives during RDB/AOF loading
      * LPOS command when RANK is greater than matches responded with broken protocol
      * Add oom-score-adj configuration option to control Linux OOM killer
      * Show IO threads statistics and status in INFO output 
      * Add optional tls verification mode (see tls-auth-clients)
      * Fix crash when enabling CLIENT TRACKING with prefix
      * EXEC always fails with EXECABORT and multi-state is cleared
      * RESTORE ABSTTL won't store expired keys into the db
      * redis-cli better handling of non-printable key names
      * TLS: Ignore client cert when tls-auth-clients off
      * Tracking: fix invalidation message on flush
      * Notify systemd on Sentinel startup
      * Fix crash on a misuse of STRALGO
      * Fix a few rare leaks (STRALGO error misuse, Sentinel)
      * Fix a possible invalid access in defrag of scripts
      * Add LPOS command to search in a list
      * Use user+pass for MIGRATE in redis-cli and redis-benchmark in cluster mode
      * redis-cli support TLS for --pipe, --rdb and --replica options
      * TLS: Session caching configuration support
      * Fix handling of special chars in ACL LOAD
      * Make Redis Cluster more robust about operation errors that may lead to two clusters mixing together
      * Revert the sendfile() implementation of RDB transfer
      * Fix TLS certificate loading for chained certificates
      * Fix AOF rewriting of KEEPTTL SET option
      * Fix MULTI/EXEC behavior during -BUSY script errors
      * fix a severe replication bug introduced in Redis 6 by the 'meaningful offset' feature
      * fix a crash introduced in 6.0.2
      * fix to client side caching when keys are evicted from the tracking table but no notifications are sent
      * add BR pkgconfig(libsystemd) for the rewritten systemd support and force building with it
      * XCLAIM AOF/replicas propagation fixed.
      * Client side caching: new NOLOOP option to avoid getting notified about changes performed by ourselves.
      * ACL GENPASS now uses HMAC-SHA256 and has an optional 'bits' argument.  It means you can use it as a general 
        purpose 'secure random strings' primitive!
      * Cluster 'SLOTS' subcommand memory optimization.
      * The LCS command is now a subcommand of STRALGO.
      * Meaningful offset for replicas as well. More successful partial resynchronizations.
      * Optimize memory usage of deferred replies.
      * Faster CRC64 algorithm for faster RDB loading.
      * XINFO STREAM FULL, a new subcommand to get the whole stream state.
      * MIGRATE AUTH2 option, for ACL style authentication support.
      * use libatomic also on ppc
      * add hash file from redis-hashes and verify it during build
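    As an added example (not redis-py's own code), the following derives redis-py connection keyword arguments from a URL according to the rules in the changelog above: only redis://, rediss:// and unix:// schemes are accepted, the username is dropped for pre-ACL servers older than 6.0.0, and for rediss:// both certificate and hostname verification are switched on, since ssl_check_hostname is left False by default for backwards compatibility. The helper names build_connection_kwargs and audit_tls_kwargs, the 6.0.0 version comparison and the sample URL are assumptions; ssl_cert_reqs, ssl_check_hostname and username are the redis-py arguments named in the changelog.

```python
# Added example, not redis-py's own code. Helper names are assumptions.
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("redis", "rediss", "unix")


def parse_version(version):
    """'6.0.8' -> (6, 0, 8), so versions compare against the 6.0.0 ACL cut-off."""
    return tuple(int(part) for part in version.split("."))


def build_connection_kwargs(url, server_version):
    """Return kwargs suitable for redis.Redis(**kwargs) (assumed caller-side helper).

    - Rejects any scheme other than redis://, rediss:// or unix://.
    - Omits the URL username for servers < 6.0.0: they have no ACLs and reject
      AUTH with a username (the pre-ACL managed-instance URL case).
    - For rediss:// requires a verified certificate *and* a matching hostname.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(
            f"unsupported scheme {parsed.scheme!r}: use redis://, rediss:// or unix://"
        )
    kwargs = {}
    if parsed.scheme == "unix":
        kwargs["unix_socket_path"] = parsed.path
    else:
        kwargs["host"] = parsed.hostname or "localhost"
        kwargs["port"] = parsed.port or 6379
        if parsed.path and parsed.path != "/":
            kwargs["db"] = int(parsed.path.lstrip("/"))
    if parsed.password is not None:
        kwargs["password"] = parsed.password
    if parsed.username and parse_version(server_version) >= (6, 0, 0):
        kwargs["username"] = parsed.username  # Redis 6 ACL user, sent with AUTH
    if parsed.scheme == "rediss":
        kwargs["ssl"] = True
        kwargs["ssl_cert_reqs"] = "required"  # verify the server certificate chain
        kwargs["ssl_check_hostname"] = True   # and that it matches the host dialled
    return kwargs


def audit_tls_kwargs(kwargs):
    """List TLS settings that leave a rediss:// connection open to impersonation."""
    findings = []
    if not kwargs.get("ssl"):
        return findings  # plaintext connection: nothing TLS-specific to check
    if kwargs.get("ssl_cert_reqs", "required") != "required":
        findings.append("ssl_cert_reqs != 'required': server certificate not verified")
    if not kwargs.get("ssl_check_hostname", False):
        findings.append("ssl_check_hostname is False: any valid certificate is accepted "
                        "regardless of hostname")
    return findings


if __name__ == "__main__":
    # Constructed sample URL; the host does not exist.
    hardened = build_connection_kwargs("rediss://app:s3cret@cache.example.test:6380/0", "6.0.8")
    print(hardened, audit_tls_kwargs(hardened))
    # Settings a legacy client might still pass explicitly
    weak = {"ssl": True, "ssl_cert_reqs": "none", "ssl_check_hostname": False}
    print(audit_tls_kwargs(weak))
```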
    Advisory ID: SUSE-RU-2020:3294-1
    Released:    Wed Nov 11 12:28:46 2020
    Summary:     Recommended update for SLES-release
    Type:        recommended
    Severity:    moderate
    References:  1177998
    This update for SLES-release fixes the following issue:
    - Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998)
    Advisory ID: SUSE-SU-2020:3313-1
    Released:    Thu Nov 12 16:07:37 2020
    Summary:     Security update for openldap2
    Type:        security
    Severity:    important
    References:  1178387,CVE-2020-25692
    This update for openldap2 fixes the following issues:
    - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
    Advisory ID: SUSE-SU-2020:3377-1
    Released:    Thu Nov 19 09:29:32 2020
    Summary:     Security update for krb5
    Type:        security
    Severity:    moderate
    References:  1178512,CVE-2020-28196
    This update for krb5 fixes the following security issue:
    - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
    Advisory ID: SUSE-RU-2020:3381-1
    Released:    Thu Nov 19 10:53:38 2020
    Summary:     Recommended update for systemd
    Type:        recommended
    Severity:    moderate
    References:  1177458,1177490,1177510
    This update for systemd fixes the following issues:
    - build-sys: optionally disable support of journal over the network (bsc#1177458)
    - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
    - mount: don't propagate errors from mount_setup_unit() further up
    - Rely on the new build option --disable-remote for journal_remote
      This allows to drop the workaround that consisted in cleaning journal-upload files and
      {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
    - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package 
    - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
      These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
    - Make use of %{_unitdir} and %{_sysusersdir}
    - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)
    Advisory ID: SUSE-RU-2020:3462-1
    Released:    Fri Nov 20 13:14:35 2020
    Summary:     Recommended update for pam and sudo
    Type:        recommended
    Severity:    moderate
    References:  1174593,1177858,1178727
    This update for pam and sudo fixes the following issues:
    - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
    - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
    - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)
    - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)
    Advisory ID: SUSE-RU-2020:3581-1
    Released:    Tue Dec  1 14:40:22 2020
    Summary:     Recommended update for libusb-1_0
    Type:        recommended
    Severity:    moderate
    References:  1178376
    This update for libusb-1_0 fixes the following issues:
    - Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)
    Advisory ID: SUSE-RU-2020:3620-1
    Released:    Thu Dec  3 17:03:55 2020
    Summary:     Recommended update for pam
    Type:        recommended
    Severity:    moderate
    This update for pam fixes the following issues:
    - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
      - Check whether the password contains a substring of the user's name of at least `` characters length in 
        some form. This is enabled by the new parameter `usersubstr=`
    Advisory ID: SUSE-RU-2020:3626-1
    Released:    Fri Dec  4 13:51:46 2020
    Summary:     Recommended update for audit
    Type:        recommended
    Severity:    moderate
    References:  1179515
    This update for audit fixes the following issues:
    - Enable Aarch64 processor support. (bsc#1179515) 
    Advisory ID: SUSE-RU-2020:3703-1
    Released:    Mon Dec  7 20:17:32 2020
    Summary:     Recommended update for aaa_base
    Type:        recommended
    Severity:    moderate
    References:  1179431
    This update for aaa_base fixes the following issue:
    - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)
    Advisory ID: SUSE-SU-2020:3721-1
    Released:    Wed Dec  9 13:36:46 2020
    Summary:     Security update for openssl-1_1
    Type:        security
    Severity:    important
    References:  1179491,CVE-2020-1971
    This update for openssl-1_1 fixes the following issues:
    - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
    Advisory ID: SUSE-SU-2020:3735-1
    Released:    Wed Dec  9 18:19:24 2020
    Summary:     Security update for curl
    Type:        security
    Severity:    moderate
    References:  1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
    This update for curl fixes the following issues:
    - CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593). 
    - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
    - CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).
    Advisory ID: SUSE-RU-2020:3809-1
    Released:    Tue Dec 15 13:46:05 2020
    Summary:     Recommended update for glib2
    Type:        recommended
    Severity:    moderate
    References:  1178346
    This update for glib2 fixes the following issues:
    Update from version 2.62.5 to version 2.62.6:
    - Support for slim format of timezone. (bsc#1178346)
    - Fix DST incorrect end day when using slim format. (bsc#1178346)
    - Fix SOCKS5 username/password authentication.
    - Updated translations.
    Advisory ID: SUSE-RU-2020:3853-1
    Released:    Wed Dec 16 12:27:27 2020
    Summary:     Recommended update for util-linux
    Type:        recommended
    Severity:    moderate
    References:  1084671,1169006,1174942,1175514,1175623,1178554,1178825
    This update for util-linux fixes the following issues:
    - Do not trigger the automatic close of CDROM. (bsc#1084671)
    - Try to automatically configure broken serial lines. (bsc#1175514)
    - Avoid `sulogin` failing on non-existent or non-functional console devices. (bsc#1175514)
    - Build with `libudev` support to support non-root users. (bsc#1169006)
    - Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
    - Fix warning on mounts to `CIFS` with mount -a. (bsc#1174942)
    Advisory ID: SUSE-RU-2020:3942-1
    Released:    Tue Dec 29 12:22:01 2020
    Summary:     Recommended update for libidn2
    Type:        recommended
    Severity:    moderate
    References:  1180138
    This update for libidn2 fixes the following issues:
    - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
      adjusted the RPM license tags (bsc#1180138)
    Advisory ID: SUSE-RU-2020:3943-1
    Released:    Tue Dec 29 12:24:45 2020
    Summary:     Recommended update for libxml2
    Type:        recommended
    Severity:    moderate
    References:  1178823
    This update for libxml2 fixes the following issues:
    Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)
    * key/unique/keyref schema attributes currently use quadratic loops
      to check their various constraints (that keys are unique and that
      keyrefs refer to existing keys).
    * This fix uses a hash table to avoid the quadratic behaviour.

