From 6.2.6 release notes:

"""
Security Fixes:

* (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. This issue affects all versions of Redis. [reported by Aviv Yahav].

* (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. [reported by Aviv Yahav].
"""
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb357ae44b7e9fbff0d9d9df54370c6796d706cb

commit bb357ae44b7e9fbff0d9d9df54370c6796d706cb
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-28 02:17:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-28 02:17:59 +0000

    dev-db/redis: drop 5.0.14, 6.0.16

    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest                           |   2 -
 dev-db/redis/files/redis-3.2.3-config.patch     |  40 -----
 dev-db/redis/files/redis-5.0-sharedlua.patch    |  60 --------
 dev-db/redis/files/redis-5.0.8-ppc-atomic.patch |  19 ---
 dev-db/redis/files/redis-6.0.12-sharedlua.patch |  60 --------
 dev-db/redis/redis-5.0.14.ebuild                | 164 --------------------
 dev-db/redis/redis-6.0.16.ebuild                | 189 ------------------------
 7 files changed, 534 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8db611a4cadc177118641ff3146f1ea46f12808

commit e8db611a4cadc177118641ff3146f1ea46f12808
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-28 02:14:54 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-28 02:17:58 +0000

    dev-db/redis: add 6.2.7

    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest           |   1 +
 dev-db/redis/redis-6.2.7.ebuild | 190 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 191 insertions(+)
sorry, 6.2.7 release notes.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=850894a9e88d1b711cfd3036878848f5e59690b5

commit 850894a9e88d1b711cfd3036878848f5e59690b5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-28 02:37:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-28 02:37:30 +0000

    Revert "dev-db/redis: drop 5.0.14, 6.0.16"

    This reverts commit bb357ae44b7e9fbff0d9d9df54370c6796d706cb.

    dev-ruby/redis still needs 5*

    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest                           |   2 +
 dev-db/redis/files/redis-3.2.3-config.patch     |  40 +++++
 dev-db/redis/files/redis-5.0-sharedlua.patch    |  60 ++++++++
 dev-db/redis/files/redis-5.0.8-ppc-atomic.patch |  19 +++
 dev-db/redis/files/redis-6.0.12-sharedlua.patch |  60 ++++++++
 dev-db/redis/redis-5.0.14.ebuild                | 164 ++++++++++++++++++++
 dev-db/redis/redis-6.0.16.ebuild                | 189 ++++++++++++++++++++++++
 7 files changed, 534 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03485050cb1becab6da142ab138b15d3fd118ccd

commit 03485050cb1becab6da142ab138b15d3fd118ccd
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2022-07-10 09:58:27 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-10 12:53:32 +0000

    dev-db/redis: drop 5.0.14, EOL

    5.0 line is not supported by upstream anymore and it suffers with known
    vulnerabilities.

    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest                        |   1 -
 dev-db/redis/files/redis-5.0-sharedlua.patch |  60 ----------
 dev-db/redis/files/redis-sentinel.confd      |  16 ---
 dev-db/redis/files/redis-sentinel.initd      |  22 ----
 dev-db/redis/files/redis.confd-r1            |  20 ----
 dev-db/redis/files/redis.initd-5             |  25 ----
 dev-db/redis/files/redis.service-3           |  14 ---
 dev-db/redis/files/redis.tmpfiles            |   2 -
 dev-db/redis/redis-5.0.14.ebuild             | 170 ---------------------------
 9 files changed, 330 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bde898c8b53f0c35e30431177dd0036f7f19949f

commit bde898c8b53f0c35e30431177dd0036f7f19949f
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2022-09-23 10:45:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-25 01:20:27 +0000

    dev-db/redis: drop 6.2.6

    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/27408
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest                          |   1 -
 dev-db/redis/files/redis-6.2.1-sharedlua.patch |  60 --------
 dev-db/redis/redis-6.2.6.ebuild                | 194 -------------------------
 3 files changed, 255 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f1f88154c6ed0311dacb5433296d5b424e8af78

commit 8f1f88154c6ed0311dacb5433296d5b424e8af78
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2022-09-25 06:06:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-26 14:58:16 +0000

    dev-db/redis: drop 6.0.16

    The 6.0 line did not receive any fix in last 12 months, 6.0.16
    potentially suffers with security issues and 6.2.7 should be
    sufficient replacement for those needing <dev-db/redis-7.

    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/27470
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest                             |   1 -
 dev-db/redis/files/redis-3.2.3-config.patch       |  40 -----
 dev-db/redis/files/redis-5.0-luajit-2.1-fix.patch |  47 -----
 dev-db/redis/files/redis-5.0.8-ppc-atomic.patch   |  19 --
 dev-db/redis/files/redis-6.0.12-sharedlua.patch   |  60 -------
 dev-db/redis/redis-6.0.16.ebuild                  | 200 ----------------------
 6 files changed, 367 deletions(-)
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3b83b8330073185fb5605b449ed900293d014aeb

commit 3b83b8330073185fb5605b449ed900293d014aeb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:21:49 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:47:59 +0000

    [ GLSA 202209-17 ] Redis: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/803302
    Bug: https://bugs.gentoo.org/816282
    Bug: https://bugs.gentoo.org/841404
    Bug: https://bugs.gentoo.org/856040
    Bug: https://bugs.gentoo.org/859181
    Bug: https://bugs.gentoo.org/872278
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-17.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
GLSA released, all done!