{"affected":[{"ecosystem_specific":{"binaries":[{"redis":"6.0.13-lp152.2.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.2","name":"redis","purl":"pkg:rpm/opensuse/redis&distro=openSUSE%20Leap%2015.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"6.0.13-lp152.2.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for redis fixes the following issues:\n\nredis 6.0.13\n\n* CVE-2021-29477: Integer overflow in STRALGO LCS command (boo#1185729)\n* CVE-2021-29478: Integer overflow in COPY command for large intsets (boo#1185730)\n* Cluster: Skip unnecessary check which may prevent failure detection\n* Fix performance regression in BRPOP on Redis 6.0\n* Fix edge-case when a module client is unblocked\n\nredis 6.0.12:\n\n* Fix compilation error on non-glibc systems if jemalloc is not used\n\nredis 6.0.11:\n\n* CVE-2021-21309: Avoid 32-bit overflows when proto-max-bulk-len\n  is set high (boo#1182657)\n* Fix handling of threaded IO and CLIENT PAUSE (failover), could\n  lead to data loss or a crash\n* Fix the selection of a random element from large hash tables\n* Fix broken protocol in client tracking tracking-redir-broken message\n* XINFO able to access expired keys on a replica\n* Fix broken protocol in redis-benchmark when used with -a or --dbnum \n* Avoid assertions (on older kernels) when testing arm64 CoW bug\n* CONFIG REWRITE should honor umask settings\n* Fix firstkey,lastkey,step in COMMAND command for some commands\n* RM_ZsetRem: Delete key if empty, the bug could leave empty\n  zset keys \n\nredis 6.0.10:\n\nCommand behavior changes:\n\n* SWAPDB invalidates WATCHed keys (#8239)\n* SORT command behaves differently when used on a writable replica (#8283)\n* EXISTS should not alter LRU (#8016)\n  In Redis 5.0 and 6.0 it would have touched the LRU/LFU of the key.\n* OBJECT should not reveal logically expired keys (#8016)\n  Will now behave the same TYPE or any other non-DEBUG command.\n* GEORADIUS[BYMEMBER] can fail with -OOM if Redis is over the memory limit (#8107)\n\nOther behavior changes:\n\n* Sentinel: Fix missing updates to the config file after SENTINEL SET command (#8229)\n* CONFIG REWRITE is atomic and safer, but requires write access to the config file's folder (#7824, #8051)\n  This change was already present in 6.0.9, but was missing from the release notes.\n\nBug fixes with compatibility implications (bugs introduced in Redis 6.0):\n\n* Fix RDB CRC64 checksum on big-endian systems (#8270)\n  If you're using big-endian please consider the compatibility implications with\n  RESTORE, replication and persistence.\n* Fix wrong order of key/value in Lua's map response (#8266)\n  If your scripts use redis.setresp() or return a map (new in Redis 6.0), please\n  consider the implications.\n\nBug fixes:\n\n* Fix an issue where a forked process deletes the parent's pidfile (#8231)\n* Fix crashes when enabling io-threads-do-reads (#8230)\n* Fix a crash in redis-cli after executing cluster backup (#8267)\n* Handle output buffer limits for module blocked clients (#8141)\n  Could result in a module sending reply to a blocked client to go beyond the limit.\n* Fix setproctitle related crashes. (#8150, #8088)\n  Caused various crashes on startup, mainly on Apple M1 chips or under instrumentation.\n* Backup/restore cluster mode keys to slots map for repl-diskless-load=swapdb (#8108)\n  In cluster mode with repl-diskless-load, when loading failed, slot map wouldn't\n  have been restored.\n* Fix oom-score-adj-values range, and bug when used in config file (#8046)\n  Enabling setting this in the config file in a line after enabling it, would\n  have been buggy.\n* Reset average ttl when empty databases (#8106)\n  Just causing misleading metric in INFO\n* Disable rehash when Redis has child process (#8007)\n  This could have caused excessive CoW during BGSAVE, replication or AOFRW.\n* Further improved ACL algorithm for picking categories (#7966)\n  Output of ACL GETUSER is now more similar to the one provided by ACL SETUSER.\n* Fix bug with module GIL being released prematurely (#8061)\n  Could in theory (and rarely) cause multi-threaded modules to corrupt memory.\n* Reduce effect of client tracking causing feedback loop in key eviction (#8100)\n* Fix cluster access to unaligned memory (SIGBUS on old ARM) (#7958)\n* Fix saving of strings larger than 2GB into RDB files (#8306)\n\nAdditional improvements:\n\n* Avoid wasteful transient memory allocation in certain cases (#8286, #5954)\n\nPlatform / toolchain support related improvements:\n\n* Fix crash log registers output on ARM. (#8020)\n* Add a check for an ARM64 Linux kernel bug (#8224)\n  Due to the potential severity of this issue, Redis will print log warning on startup.\n* Raspberry build fix. (#8095)\n\nNew configuration options:\n\n* oom-score-adj-values config can now take absolute values (besides relative ones) (#8046)\n\nModule related fixes:\n\n* Moved RMAPI_FUNC_SUPPORTED so that it's usable (#8037)\n* Improve timer accuracy (#7987)\n* Allow '\\0' inside of result of RM_CreateStringPrintf (#6260)\n\nredis 6.0.9:\n\n* potential heap overflow when using a heap allocator other\n  than jemalloc or glibc's malloc. Does not affect the openSUSE\n  package - boo#1178205 \n* Memory reporting of clients argv\n* Add redis-cli control on raw format line delimiter\n* Add redis-cli support for rediss:// -u prefix\n* WATCH no longer ignores keys which have expired for MULTI/EXEC\n* Correct OBJECT ENCODING response for stream type\n* Allow blocked XREAD on a cluster replica\n* TLS: Do not require CA config if not used\n* multiple bug fixes\n* Additions to modules API\n\nredis 6.0.8 (jsc#PM-1615, jsc#PM-1622, jsc#PM-1681, jsc#ECO-2417, jsc#ECO-2867, jsc#PM-1547, jsc#CAPS-56, jsc#SLE-11578, jsc#SLE-12821):\n\n* bug fixes when using with Sentinel\n* bug fixes when using CONFIG REWRITE\n* Remove THP warning when set to madvise\n* Allow EXEC with read commands on readonly replica in cluster\n* Add masters/replicas options to redis-cli --cluster call command\n- includes changes from 6.0.7:\n* CONFIG SET could hung the client when arrives during RDB/ROF\n  loading\n* LPOS command when RANK is greater than matches responded with\n  broken protocol\n* Add oom-score-adj configuration option to control Linux OOM\n  killer\n* Show IO threads statistics and status in INFO output\n* Add optional tls verification mode (see tls-auth-clients)\n\nredis 6.0.6:\n\n* Fix crash when enabling CLIENT TRACKING with prefix\n* EXEC always fails with EXECABORT and multi-state is cleared\n* RESTORE ABSTTL won't store expired keys into the db\n* redis-cli better handling of non-pritable key names\n* TLS: Ignore client cert when tls-auth-clients off\n* Tracking: fix invalidation message on flush\n* Notify systemd on Sentinel startup\n* Fix crash on a misuse of STRALGO\n* Few fixes in module API\n* Fix a few rare leaks (STRALGO error misuse, Sentinel)\n* Fix a possible invalid access in defrag of scripts\n* Add LPOS command to search in a list\n* Use user+pass for MIGRATE in redis-cli and redis-benchmark in\n  cluster mode\n* redis-cli support TLS for --pipe, --rdb and --replica options\n* TLS: Session caching configuration support\n\nredis 6.0.5:\n\n* Fix handling of speical chars in ACL LOAD\n* Make Redis Cluster more robust about operation errors that may\n  lead to two clusters to mix together\n* Revert the sendfile() implementation of RDB transfer\n* Fix TLS certificate loading for chained certificates\n* Fix AOF rewirting of KEEPTTL SET option\n* Fix MULTI/EXEC behavior during -BUSY script errors\n","id":"openSUSE-SU-2021:0682-1","modified":"2021-05-07T18:41:45Z","published":"2021-05-07T18:41:45Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Z32YY6DUIFNGIYRC6JPVBZ2WTPYN5SOY/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1178205"},{"type":"REPORT","url":"https://bugzilla.suse.com/1182657"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185729"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185730"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-21309"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-29477"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-29478"}],"related":["CVE-2021-21309","CVE-2021-29477","CVE-2021-29478"],"summary":"Security update for redis","upstream":["CVE-2021-21309","CVE-2021-29477","CVE-2021-29478"]}