Security update for redis

Announcement ID:	SUSE-SU-2021:1652-1
Rating:	important
References:	bsc#1182657 bsc#1185729 bsc#1185730
Cross-References:	CVE-2021-21309 CVE-2021-29477 CVE-2021-29478
CVSS scores:	CVE-2021-21309 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2021-21309 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29477 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29477 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29478 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29478 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	Server Applications Module 15-SP2 Server Applications Module 15-SP3 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Proxy 4.1 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.1 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.1 SUSE Manager Server 4.2

An update that solves three vulnerabilities can now be installed.

Description:

This update for redis fixes the following issues:

redis was updated to 6.0.13:

• CVE-2021-29477: Integer overflow in STRALGO LCS command (bsc#1185729)
• CVE-2021-29478: Integer overflow in COPY command for large intsets (bsc#1185730)
• Cluster: Skip unnecessary check which may prevent failure detection
• Fix performance regression in BRPOP on Redis 6.0
• Fix edge-case when a module client is unblocked

redis 6.0.12:

• Fix compilation error on non-glibc systems if jemalloc is not used

redis 6.0.11:

• CVE-2021-21309: Avoid 32-bit overflows when proto-max-bulk-len is set high (bsc#1182657)
• Fix handling of threaded IO and CLIENT PAUSE (failover), could lead to data loss or a crash
• Fix the selection of a random element from large hash tables
• Fix broken protocol in client tracking tracking-redir-broken message
• XINFO able to access expired keys on a replica
• Fix broken protocol in redis-benchmark when used with -a or --dbnum
• Avoid assertions (on older kernels) when testing arm64 CoW bug
• CONFIG REWRITE should honor umask settings
• Fix firstkey,lastkey,step in COMMAND command for some commands

• RM_ZsetRem: Delete key if empty, the bug could leave empty zset keys

• Switch systemd type of the sentinel service from notify to simple. This can be reverted when updating to 6.2 which fixes https://github.com/redis/redis/issues/7284 .

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Server Applications Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-1652=1
• Server Applications Module 15-SP3
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-1652=1

Package List:

• Server Applications Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • redis-debuginfo-6.0.13-1.10.1
  • redis-debugsource-6.0.13-1.10.1
  • redis-6.0.13-1.10.1
• Server Applications Module 15-SP3 (aarch64 ppc64le s390x x86_64)
  • redis-debuginfo-6.0.13-1.10.1
  • redis-debugsource-6.0.13-1.10.1
  • redis-6.0.13-1.10.1

References:

• https://www.suse.com/security/cve/CVE-2021-21309.html
• https://www.suse.com/security/cve/CVE-2021-29477.html
• https://www.suse.com/security/cve/CVE-2021-29478.html
• https://bugzilla.suse.com/show_bug.cgi?id=1182657
• https://bugzilla.suse.com/show_bug.cgi?id=1185729
• https://bugzilla.suse.com/show_bug.cgi?id=1185730