From https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES:

================================================================================
Redis 7.0.4    Released Monday Jul 18 12:00:00 IST 2022
================================================================================

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:
* (CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream key in a
  specific state may result with heap overflow, and potentially remote code
  execution. The problem affects Redis versions 7.0.0 or newer.
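The release note above gives a defender everything needed to triage a fleet: the bug affects Redis 7.0.0 and later and is fixed in the 7.0.4 release that carries the note. The following added example (not code from the Redis project or from this bug thread) reads the `redis_version` field from the text that `INFO server` returns and reports whether the instance falls in the affected range [7.0.0, 7.0.4). The `INFO` output embedded below is constructed for the example, not captured from a real host.

```python
import re

# Affected range taken from the 7.0.4 release note quoted above:
# introduced in 7.0.0, fixed in 7.0.4 (assumption: no backport to an
# earlier 7.0.x line, which the note does not mention).
AFFECTED_MIN = (7, 0, 0)
FIXED_IN = (7, 0, 4)

# Constructed sample of `INFO server` output for the example. Real output
# uses CRLF line endings; splitlines() below handles either form.
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:7.0.3\r\n"
    "redis_git_sha1:00000000\r\n"
    "redis_mode:standalone\r\n"
    "os:Linux 5.15.0 x86_64\r\n"
)


def parse_info(text):
    """Turn INFO output into a dict, skipping '# Section' headers and blanks."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def parse_version(version_string):
    """Parse the leading 'major.minor.patch' of a Redis version string.

    Pre-release suffixes such as '7.0.0-rc1' are accepted; the suffix is
    ignored, which is the conservative choice for a vulnerability check.
    """
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", version_string)
    if not match:
        raise ValueError(f"unrecognised redis_version: {version_string!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_to_cve_2022_31144(version):
    """True when version is in the affected range [7.0.0, 7.0.4)."""
    return AFFECTED_MIN <= version < FIXED_IN


def assess(info_text):
    """Assess one server's INFO output; returns the parsed version and verdict."""
    fields = parse_info(info_text)
    version = parse_version(fields["redis_version"])
    return {
        "version": ".".join(str(p) for p in version),
        "vulnerable": is_vulnerable_to_cve_2022_31144(version),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_INFO))
```

To use it against a real instance, feed the output of `redis-cli INFO server` into `assess()`; a `vulnerable` verdict means the host should be moved to 7.0.4 or later, which on Gentoo is what the stabilization discussed in this bug delivers.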
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e26f3cfacab6d82c401e7ca113d9210360c59fec

commit e26f3cfacab6d82c401e7ca113d9210360c59fec
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-07-18 23:32:27 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-18 23:32:34 +0000

    dev-db/redis: add 7.0.4

    Bug: https://bugs.gentoo.org/859181
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest                          |   1 +
 dev-db/redis/files/redis-7.0.4-no-which.patch |  66 +++++++++
 dev-db/redis/redis-7.0.4.ebuild               | 187 ++++++++++++++++++++++++++
 3 files changed, 254 insertions(+)
This seems to be pretty severe. New version works for me, should we stabilize? The diff between 7.0.3 (which has been in the tree for one week) and 7.0.4 is pretty small: basically just one line of source code changed, a test adaptation, plus a few more lines related to the release.
Sure let's stabilize and clean up some old versions.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=638debda0bd03affa738c15bc57710d425734a23

commit 638debda0bd03affa738c15bc57710d425734a23
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-07-26 04:25:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-26 04:25:21 +0000

    dev-db/redis: drop 7.0.1-r1, 7.0.2, 7.0.3

    Bug: https://bugs.gentoo.org/859181
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest              |   3 -
 dev-db/redis/redis-7.0.1-r1.ebuild | 186 -------------------------------------
 dev-db/redis/redis-7.0.2.ebuild    | 186 -------------------------------------
 dev-db/redis/redis-7.0.3.ebuild    | 186 -------------------------------------
 4 files changed, 561 deletions(-)
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3b83b8330073185fb5605b449ed900293d014aeb

commit 3b83b8330073185fb5605b449ed900293d014aeb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:21:49 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:47:59 +0000

    [ GLSA 202209-17 ] Redis: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/803302
    Bug: https://bugs.gentoo.org/816282
    Bug: https://bugs.gentoo.org/841404
    Bug: https://bugs.gentoo.org/856040
    Bug: https://bugs.gentoo.org/859181
    Bug: https://bugs.gentoo.org/872278
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-17.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
GLSA released, all done!