Security update for redis SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:0694-1 Final 1 1 2023-03-10T08:39:48Z current 2023-03-10T08:39:48Z 2023-03-10T08:39:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for redis This update for redis fixes the following issues: - CVE-2022-36021: Fixed integer overflow in RANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands (bsc#1208790). - CVE-2023-25155: Fixed integer Overflow in RAND commands can lead to assertion (bsc#1208793). The following non-security bug was fixed: - Fixed redis-sentinel not starting due to the hardening in the systemd service (bsc#1208235). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-694,SUSE-SLE-Module-Server-Applications-15-SP4-2023-694,openSUSE-SLE-15.4-2023-694 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20230694-1/ Link for SUSE-SU-2023:0694-1 https://lists.suse.com/pipermail/sle-security-updates/2023-March/014020.html E-Mail link for SUSE-SU-2023:0694-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1208235 SUSE Bug 1208235 https://bugzilla.suse.com/1208790 SUSE Bug 1208790 https://bugzilla.suse.com/1208793 SUSE Bug 1208793 https://www.suse.com/security/cve/CVE-2022-36021/ SUSE CVE CVE-2022-36021 page https://www.suse.com/security/cve/CVE-2023-25155/ SUSE CVE CVE-2023-25155 page SUSE Linux Enterprise Module for Server Applications 15 SP4 openSUSE Leap 15.4 redis-6.2.6-150400.3.16.1 redis-6.2.6-150400.3.16.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 redis-6.2.6-150400.3.16.1 as a component of openSUSE Leap 15.4 Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, 7.0.9. CVE-2022-36021 SUSE Linux Enterprise Module for Server Applications 15 SP4:redis-6.2.6-150400.3.16.1 openSUSE Leap 15.4:redis-6.2.6-150400.3.16.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230694-1/ https://www.suse.com/security/cve/CVE-2022-36021.html CVE-2022-36021 https://bugzilla.suse.com/1208790 SUSE Bug 1208790 https://bugzilla.suse.com/1208793 SUSE Bug 1208793 Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. This problem affects all Redis versions. Patches were released in Redis version(s) 6.0.18, 6.2.11 and 7.0.9. CVE-2023-25155 SUSE Linux Enterprise Module for Server Applications 15 SP4:redis-6.2.6-150400.3.16.1 openSUSE Leap 15.4:redis-6.2.6-150400.3.16.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230694-1/ https://www.suse.com/security/cve/CVE-2023-25155.html CVE-2023-25155 https://bugzilla.suse.com/1208790 SUSE Bug 1208790 https://bugzilla.suse.com/1208793 SUSE Bug 1208793