redis:7 security update

Errata ID: AXSA:2025-9608:01

Release date: Thursday, January 30, 2025 - 17:11
Subject: redis:7 security update
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description:

Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.

Security Fix(es):

* redis: Redis' Lua library commands may lead to remote code execution (CVE-2024-46981)
* redis: Redis allows denial-of-service due to malformed ACL selectors (CVE-2024-51741)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-46981
Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
CVE-2024-51741
Redis is an open source, in-memory database that persists on disk. An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem is fixed in Redis 7.2.7 and 7.4.2.
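
To check whether the ACL workaround described for CVE-2024-46981 is actually in effect, the following added example (not part of the original advisory or of Redis itself) replays the command rules in `ACL LIST` output and reports which enabled users can still run EVAL or EVALSHA. It assumes that in Redis 7 these commands belong to the `@scripting` and `@slow` categories, treats each parenthesised selector as a separate rule set, and uses constructed sample users.

```python
import re

# Commands the advisory's workaround names, and the ACL categories that
# include them (assumption: in Redis 7, EVAL/EVALSHA are in @scripting and @slow).
TARGETS = ("eval", "evalsha")
CATEGORIES = {"@all", "@scripting", "@slow"}

# Constructed sample of `ACL LIST` output; names and hashes are placeholders.
SAMPLE = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<hash> ~app:* resetchannels +@all -@scripting",
    "user report on #<hash> ~* resetchannels -@all +get +evalsha",
    "user batch on #<hash> ~q:* resetchannels -@all +lpop (~tmp:* +@all -eval)",
    "user old off #<hash> ~* resetchannels +@all",
]

def _allowed(rules, cmd):
    """Replay command rules left to right; the last rule touching cmd wins."""
    ok = False
    for rule in (r.lower() for r in rules):
        if rule in ("allcommands", "nocommands"):
            ok = rule == "allcommands"
        elif rule[0] in "+-" and (rule[1:] in CATEGORIES or rule[1:] == cmd):
            ok = rule[0] == "+"
    return ok

def audit(acl_list_lines):
    """Map each enabled user to the TARGETS commands it may still run."""
    findings = {}
    for line in acl_list_lines:
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "user" or "on" not in tokens[2:]:
            continue  # not a user line, or the account is disabled
        body = " ".join(tokens[2:])
        # Selectors (Redis 7) are parenthesised rule sets evaluated on their
        # own; a command is permitted if the root rules or any selector allow it.
        rule_sets = [re.sub(r"\([^)]*\)", " ", body).split()]
        rule_sets += [s.split() for s in re.findall(r"\(([^)]*)\)", body)]
        hits = [c for c in TARGETS if any(_allowed(rs, c) for rs in rule_sets)]
        if hits:
            findings[tokens[1]] = hits
    return findings

if __name__ == "__main__":
    for user, cmds in audit(SAMPLE).items():
        print(f"{user}: can still run {', '.join(cmds).upper()}")
```

Against a live server, pass the lines printed by `redis-cli ACL LIST` to `audit()`; an empty result means no enabled user retains either command.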

Modularity name: "redis"
Stream name: "7"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. redis-7.2.7-1.module+el9+1064+58275413.src.rpm
    MD5: 7be0248ada037dc431a3e081c57b7c09
    SHA-256: 544e085e5dcfb2b170d56626e4f4593f231194c26e90bb119aeab0afdddcf268
    Size: 4.44 MB

Asianux Server 9 for x86_64
  1. redis-7.2.7-1.module+el9+1064+58275413.x86_64.rpm
    MD5: b5152622b94a691c18206682b6d8324f
    SHA-256: 78e62c2111f029486038b87f2f666ae0531f1a2a8c24f4905fdd96fdf6715170
    Size: 1.63 MB
  2. redis-debugsource-7.2.7-1.module+el9+1064+58275413.x86_64.rpm
    MD5: 747245cf693bc2f3e07f4fda41891dcc
    SHA-256: e6ddb2cdc2e609b090d2ea00f11bb9abde86519c7f90e647f8fd3bae48f3db70
    Size: 1.54 MB
  3. redis-devel-7.2.7-1.module+el9+1064+58275413.x86_64.rpm
    MD5: 23e4acd883456f91ad966ef4356abf30
    SHA-256: 936c9a37c59cb47161477766ab2d4f37ef0da6ecbca41c4e3cd5fdfcf435bcf9
    Size: 24.36 kB
  4. redis-doc-7.2.7-1.module+el9+1064+58275413.noarch.rpm
    MD5: 6cf1923178223ad76ee5da40e8d27788
    SHA-256: 8ca8053079544b9c65caf4903f1c8109e97a270d0f39db2ebb834d0bbc12894e
    Size: 639.68 kB