redis:6 security update

Errata ID: AXSA:2021-2227:01

Release date: Monday, July 19, 2021 - 13:41
Subject: redis:6 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.

Security Fix(es):

* redis: Integer overflow via STRALGO LCS command (CVE-2021-29477)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-29477
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution. The problem is fixed in versions 6.2.3 and 6.0.13. An additional workaround that mitigates the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.
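To verify the ACL workaround on a host that cannot be updated immediately, the following Python script (an added example, not part of this advisory or of Redis) audits the text returned by `ACL LIST` and reports enabled users whose rules still permit `STRALGO`. The sample ACL lines, user names and password placeholders are constructed, and the script conservatively treats any `+@category` rule as a possible grant.

```python
# Added example: audit `ACL LIST` output for users still able to run STRALGO.
# SAMPLE_ACL_LIST is constructed for illustration, not taken from a real server.
SAMPLE_ACL_LIST = """\
user default on nopass ~* +@all
user app on #constructedhash1 ~app:* +@all -stralgo
user cache on #constructedhash2 ~cache:* -@all +get +set +del
user reports on #constructedhash3 ~* -@all +@read
user legacy off nopass ~* +@all
"""


def stralgo_allowed(rules):
    """Apply command rules left to right, as Redis does, and return whether
    STRALGO ends up permitted. Assumption: any +@category may include STRALGO
    (conservative); only -@all, nocommands and -stralgo are taken to revoke it."""
    allowed = False  # a newly created ACL user has no command permissions
    for rule in rules:
        r = rule.lower()
        if r in ("allcommands", "nocommands"):
            allowed = (r == "allcommands")
        elif r in ("-@all", "-stralgo"):
            allowed = False
        elif r.startswith("+@") or r == "+stralgo" or r.startswith("+stralgo|"):
            allowed = True
    return allowed


def exposed_users(acl_list_text):
    """Return the names of enabled users whose rules still permit STRALGO."""
    exposed = []
    for line in acl_list_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "user":
            continue
        name, rules = fields[1], fields[2:]
        if "off" in (r.lower() for r in rules):
            continue  # disabled users cannot authenticate
        if stralgo_allowed(rules):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for user in exposed_users(SAMPLE_ACL_LIST):
        # Workaround named in the advisory: deny the command through ACL.
        print(f"{user}: STRALGO permitted; mitigate with: ACL SETUSER {user} -stralgo")
```

Feed it the real output of `redis-cli ACL LIST` in place of the sample; a user flagged only because of a `+@category` rule should be checked by hand or given an explicit `-stralgo`.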

Modularity name: redis
Stream name: 6

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. redis-6.0.9-3.module+el8+1270+9441336f.src.rpm
    MD5: d8938d0ce82a40033130dcdf84d5468b
    SHA-256: d82da12fa98716edefd9671c909ddfe024ac67e7a063ce6a2d4eb5bb46839ddf
    Size: 2.76 MB

Asianux Server 8 for x86_64
  1. redis-6.0.9-3.module+el8+1270+9441336f.x86_64.rpm
    MD5: ed028b4e82c68d47b703ed036012bba5
    SHA-256: 65f25b0e5e5cc9a86f425bf41eb694c3c27b6287a1c66f09983455acd06b7334
    Size: 1.08 MB
  2. redis-debugsource-6.0.9-3.module+el8+1270+9441336f.x86_64.rpm
    MD5: 406f59090fa913788f6b78aba075d099
    SHA-256: 95a07f8400620d884a40dd56b1f42d20721245699cb4b38ab86a6d0b980cb383
    Size: 1.23 MB
  3. redis-devel-6.0.9-3.module+el8+1270+9441336f.x86_64.rpm
    MD5: 1717bd8e4f147e1558b4fa0ab5e735fc
    SHA-256: 93ac620a54c53018611c01a182d2563a81747f6b0e52c82177e66d7e7368f372
    Size: 28.42 kB
  4. redis-doc-6.0.9-3.module+el8+1270+9441336f.noarch.rpm
    MD5: e613b0366ead59ec6a915bcb922a5774
    SHA-256: b95b2f7518496e8a480f467a05075d028e14cb35a2b7350a3a981724a4d48150
    Size: 507.61 kB