Stay Secure with the Latest Linux Advisories

security advisoryfedorasystem crash

Fedora 36: FEDORA-2022-6ed1ce2838 Critical: Redis Lua Crash Risk

**Redis 6.2.7** - Released Wed Apr 27 12:00:00 IDT 2022 Upgrade urgency: **SECURITY**, contains fixes to security issues. Security Fixes: * (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. This issue affects all versions of Redis. [reported by. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2022-6ed1ce2838 2022-05-07 04:08:14.318657 --------------------------------------------------------------------------------Name : redis Product : Fedora 36 Version : 6.2.7 Release : 1.fc36 URL : https://redis.io Summary : A persistent key-value database Description : Redis is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Redis works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Redis also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Redis behave like a cache. You can use Redis from most programming languages also. --------------------------------------------------------------------------------Update Information: **Redis 6.2.7** - Released Wed Apr 27 12:00:00 IDT 2022 Upgrade urgency: **SECURITY**, contains fixes to securityissues. Security Fixes: * (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. This issue affects all versions of Redis. [reported by Aviv Yahav]. * (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. [reported by Aviv Yahav]. Potentially Breaking Fixes * LPOP/RPOP with count against non-existing list return null array (#10095) * LPOP/RPOP used to produce wrong replies when count is 0 (#9692) Performance and resource utilization improvements * Speed optimization in command execution pipeline (#10502) * Fix regression in Z[REV]RANGE commands (by-rank) introduced in Redis 6.2 (#10337) Platform / toolchain support related improvements * Fix RSS metrics on NetBSD and OpenBSD (#10116, #10149) * Fix OpenSSL 3.0.x related issues (#10291) Bug Fixes * Lua: Add checks for min-slave-* configs when evaluating Lua scripts (#10160) * Lua: fix crash on a script call with many arguments, a regression in v6.2.6 (#9809) * Tracking: Make invalidation messages always after command's reply (#9422) * Fix excessive stream trimming due to an overflow (#10068) * Add missed error counting for INFO errorstats (#9646) * Fix geo search bounding box check causing missing results (#10018) * Improve EXPIRE TTL overflow detection (#9839) * Modules: Fix thread safety violation when a module thread adds an error reply, broken in 6.2 (#10278) * Modules: Fix missing and duplicate error stats (#10278) * Module APIs: release clients blocked on module commands in cluster resharding and down state (#9483) * Sentinel: Fix memory leak with TLS (#9753) * Sentinel: Fix issues with hostname support (#10146) * Sentinel: Fix election failures on certain containerenvironments (#10197) --------------------------------------------------------------------------------ChangeLog: * Thu Apr 28 2022 Remi Collet - 6.2.7-1 - Upstream 6.2.7 release. --------------------------------------------------------------------------------References: [ 1 ] Bug #2080286 - CVE-2022-24735 redis: Code injection via Lua script execution environment https://bugzilla.redhat.com/show_bug.cgi?id=2080286 [ 2 ] Bug #2080289 - CVE-2022-24736 redis: Malformed Lua script can crash Redis https://bugzilla.redhat.com/show_bug.cgi?id=2080289 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-6ed1ce2838' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./ Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure . Redis 6.2.7 upgrade tackles significant vulnerabilities, providing strengthened security measures and optimized performance enhancements. Discover more information here.. Fedora Security,Redis Update,Code Injection,Lua Scripting,System Crash. . Severity: Critical. LinuxSecurity.com Team

May 07, 2022 •Critical Fedora