Bug 904486 (CVE-2023-28856) - <dev-db/redis-{6.2.12, 7.0.11}: insufficient validation of HINCRBYFLOAT command
Summary: <dev-db/redis-{6.2.12, 7.0.11}: insufficient validation of HINCRBYFLOAT command
Status: RESOLVED FIXED
Alias: CVE-2023-28856
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords: PullRequest, SECURITY
Depends on: 905692 910235 914574
Blocks:
Reported: 2023-04-17 19:29 UTC by Petr Vaněk
Modified: 2024-08-07 06:35 UTC

See Also:
Package list:
Runtime testing required: ---


Description Petr Vaněk gentoo-dev 2023-04-17 19:29:21 UTC
CVE-2023-28856:

- The vulnerability allows a remote user to perform
  a denial of service (DoS) attack.
- The vulnerability exists due to insufficient validation
  of user-supplied input. A remote user can use the HINCRBYFLOAT
  command to create an invalid hash field that will crash Redis on access.

Vulnerable software versions:

Redis: 7.0.0 - 7.0.10, 6.2.0 - 6.2.11, 6.0.0 - 6.0.18
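An added exposure check, not part of the bug report or of Redis: it takes the affected version ranges listed above and decides whether a given Redis server falls inside them, reading the version from the `redis_version:` field of an INFO reply (the sample reply below is constructed, not captured). The fixed versions 6.2.12 and 7.0.11 come from the bug title; the page lists no fixed version for the 6.0 branch, so only the affected range is encoded for it.

```python
import re

# Inclusive ranges copied from the bug description (CVE-2023-28856).
AFFECTED_RANGES = (
    ((7, 0, 0), (7, 0, 10)),   # fixed in 7.0.11 per the bug title
    ((6, 2, 0), (6, 2, 11)),   # fixed in 6.2.12 per the bug title
    ((6, 0, 0), (6, 0, 18)),   # fixed version not stated on this page
)


def parse_version(text):
    """Turn '7.0.10' (ignoring any suffix such as '-r1') into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Redis version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def version_from_info(info_text):
    """Extract the redis_version field from the text of a Redis INFO reply."""
    for line in info_text.splitlines():
        line = line.strip()
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not present in INFO output")


# Constructed sample INFO reply for demonstration (not a real capture).
SAMPLE_INFO = "# Server\r\nredis_version:7.0.10\r\nredis_mode:standalone\r\n"

if __name__ == "__main__":
    v = version_from_info(SAMPLE_INFO)
    print(f"redis_version {v}: {'AFFECTED' if is_affected(v) else 'not in affected ranges'}")
```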
Comment 1 Larry the Git Cow gentoo-dev 2023-04-18 04:29:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be8427092e3c960201de183b937444f37fe5c300

commit be8427092e3c960201de183b937444f37fe5c300
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-04-17 19:51:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-04-18 03:18:45 +0000

    dev-db/redis: add 6.2.12
    
    Bug: https://bugs.gentoo.org/904486
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/30634
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-6.2.12.ebuild | 195 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 196 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4207f7226d49f596d2f934b58ea02e7a7726ccd2

commit 4207f7226d49f596d2f934b58ea02e7a7726ccd2
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-04-17 19:42:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-04-18 03:18:45 +0000

    dev-db/redis: add 7.0.11
    
    This version fixes a crash with FORTIFY_SOURCE=3 in commit 863fcfbf525f
    ("Use dummy allocator to make accesses defined as per standard
    (#11982)") and mitigates CVE-2023-28856.
    
    Bug: https://bugs.gentoo.org/904486
    Closes: https://bugs.gentoo.org/903253
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-7.0.11.ebuild | 187 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 188 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-07-25 04:56:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=218682a12e5fc6cb8ca1052687aaf19180093122

commit 218682a12e5fc6cb8ca1052687aaf19180093122
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-07-15 07:53:24 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-07-25 04:56:27 +0000

    dev-db/redis: drop 7.0.10
    
    Bug: https://bugs.gentoo.org/904486
    Bug: https://bugs.gentoo.org/910191
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-db/redis/Manifest            |   1 -
 dev-db/redis/redis-7.0.10.ebuild | 187 ---------------------------------------
 2 files changed, 188 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2024-01-09 14:24:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40f0aeee0d9ab31c81a869f258821733048f7423

commit 40f0aeee0d9ab31c81a869f258821733048f7423
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-09 14:12:04 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-09 14:23:54 +0000

    dev-db/redis: drop versions
    
    This commit drops most of the vulnerable versions; however, security
    cleanups are still blocked because of 7.0.5, which is the last stable
    version for arm.
    
    Bug: https://bugs.gentoo.org/891169
    Bug: https://bugs.gentoo.org/898464
    Bug: https://bugs.gentoo.org/902501
    Bug: https://bugs.gentoo.org/904486
    Bug: https://bugs.gentoo.org/910191
    Bug: https://bugs.gentoo.org/913741
    Bug: https://bugs.gentoo.org/915989
    Bug: https://bugs.gentoo.org/921662
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 dev-db/redis/Manifest                              |   7 -
 dev-db/redis/files/redis-6.2.7-cve-2022-3647.patch | 173 ------------------
 dev-db/redis/redis-6.2.11.ebuild                   | 195 --------------------
 dev-db/redis/redis-6.2.13.ebuild                   | 195 --------------------
 dev-db/redis/redis-6.2.7-r2.ebuild                 | 198 --------------------
 dev-db/redis/redis-7.0.12.ebuild                   | 187 -------------------
 dev-db/redis/redis-7.0.13.ebuild                   | 187 -------------------
 dev-db/redis/redis-7.0.9.ebuild                    | 187 -------------------
 dev-db/redis/redis-7.2.2.ebuild                    | 200 ---------------------
 9 files changed, 1529 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2024-01-10 10:18:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a7e6b8769400cbbd7e4f3161d8c7dfdd62af8af

commit 3a7e6b8769400cbbd7e4f3161d8c7dfdd62af8af
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-10 10:05:04 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-10 10:16:11 +0000

    dev-db/redis: destabilize 7.0.5-r1 for ~arm
    
    Dropping the stable keyword for arm architecture due to a lack of
    security stabilization for over a year.
    
    Bug: https://bugs.gentoo.org/891169
    Bug: https://bugs.gentoo.org/898464
    Bug: https://bugs.gentoo.org/902501
    Bug: https://bugs.gentoo.org/904486
    Bug: https://bugs.gentoo.org/910191
    Bug: https://bugs.gentoo.org/913741
    Bug: https://bugs.gentoo.org/915548#c6
    Bug: https://bugs.gentoo.org/915989
    Bug: https://bugs.gentoo.org/918847
    Bug: https://bugs.gentoo.org/921662
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 dev-db/redis/redis-7.0.5-r1.ebuild        | 4 ++--
 profiles/arch/arm/package.use.stable.mask | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2024-01-10 12:28:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8942d96c5ff1a45db0922d9e5e4403b050494bf6

commit 8942d96c5ff1a45db0922d9e5e4403b050494bf6
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-10 12:25:59 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-10 12:27:32 +0000

    dev-db/redis: drop 7.0.5-r1
    
    Bug: https://bugs.gentoo.org/891169
    Bug: https://bugs.gentoo.org/898464
    Bug: https://bugs.gentoo.org/902501
    Bug: https://bugs.gentoo.org/904486
    Bug: https://bugs.gentoo.org/910191
    Bug: https://bugs.gentoo.org/913741
    Bug: https://bugs.gentoo.org/915989
    Bug: https://bugs.gentoo.org/921662
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 dev-db/redis/Manifest                              |   1 -
 .../files/redis-7.0.4-replica-tests-fix.patch      |  61 -------
 dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch | 173 -------------------
 dev-db/redis/redis-7.0.5-r1.ebuild                 | 191 ---------------------
 4 files changed, 426 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2024-08-07 06:33:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=bbba9c645e3767933f8d769ab743fca8728487ab

commit bbba9c645e3767933f8d769ab743fca8728487ab
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-07 06:33:13 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-07 06:33:27 +0000

    [ GLSA 202408-05 ] Redis: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/891169
    Bug: https://bugs.gentoo.org/898464
    Bug: https://bugs.gentoo.org/902501
    Bug: https://bugs.gentoo.org/904486
    Bug: https://bugs.gentoo.org/910191
    Bug: https://bugs.gentoo.org/913741
    Bug: https://bugs.gentoo.org/915989
    Bug: https://bugs.gentoo.org/921662
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-05.xml | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)