Accepting request 973269 from home:AndreasStieger:branches:server:database

redis 6.2.7 CVE-2022-24736 boo#1198953 CVE-2022-24735 boo#1198952 OBS-URL: https://build.opensuse.org/request/show/973269 OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=188
2022-04-28 06:51:05 +00:00 · 2022-04-28 06:51:05 +00:00 · 4c926e08c4
commit 4c926e08c4
parent 430cbb6739
5 changed files with 30 additions and 5 deletions
--- a/redis-6.2.6.tar.gz
+++ b/redis-6.2.6.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5b2b8b7a50111ef395bf1c1d5be11e6e167ac018125055daa8b5c2317ae131ab
-size 2476542
--- a/redis-6.2.7.tar.gz
+++ b/redis-6.2.7.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b7a79cc3b46d3c6eb52fa37dde34a4a60824079ebdfb3abfbbfa035947c55319
+size 2487287
--- a/redis.changes
+++ b/redis.changes
@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Wed Apr 27 21:17:06 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- redis 6.2.7:
+  * CVE-2022-24736: An attacker attempting to load a specially
+    crafted Lua script can cause NULL pointer dereference which
+    will result with a crash of the redis-server process
+    (boo#1198953)
+  * CVE-2022-24735: By exploiting weaknesses in the Lua script
+    execution environment, an attacker with access to Redis can
+    inject Lua code that will execute with the (potentially higher)
+    privileges of another Redis user (boo#1198952)
+  * LPOP/RPOP with count against non-existing list return null array
+  * LPOP/RPOP used to produce wrong replies when count is 0
+  * Speed optimization in command execution pipeline
+  * Fix regression in Z[REV]RANGE commands (by-rank) introduced in
+    Redis 6.2
+  * Fix OpenSSL 3.0.x related issues
+  * Bug fixes
+
 -------------------------------------------------------------------
 Mon Nov 15 12:57:13 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

--- a/redis.hashes
+++ b/redis.hashes
@ -133,3 +133,8 @@ hash redis-6.2.5.tar.gz sha256 4b9a75709a1b74b3785e20a6c158cab94cf52298aa381eea9
 hash redis-5.0.14.tar.gz sha256 3ea5024766d983249e80d4aa9457c897a9f079957d0fb1f35682df233f997f32 http://download.redis.io/releases/redis-5.0.14.tar.gz
 hash redis-6.0.16.tar.gz sha256 3639bbf29aca1a1670de1ab2ce224d6511c63969e7e590d3cdf8f7888184fa19 http://download.redis.io/releases/redis-6.0.16.tar.gz
 hash redis-6.2.6.tar.gz sha256 5b2b8b7a50111ef395bf1c1d5be11e6e167ac018125055daa8b5c2317ae131ab http://download.redis.io/releases/redis-6.2.6.tar.gz
+hash redis-7.0-rc1.tar.gz sha256 9bd57d3c9ebba9dbbd6cd14b0c263ce151b0044fb6620b556449c2d82e06ef3d http://download.redis.io/releases/redis-7.0-rc1.tar.gz
+hash redis-7.0-rc2.tar.gz sha256 ee41f5a9f459b44baefbc021cf5096440f346f3c5fc8a1979a877a2f10603ca3 http://download.redis.io/releases/redis-7.0-rc2.tar.gz
+hash redis-7.0-rc3.tar.gz sha256 66b2ecc2e4b53c62940589434ea8af3a85546df131001680ed294028cd84ecdc http://download.redis.io/releases/redis-7.0-rc3.tar.gz
+hash redis-6.2.7.tar.gz sha256 b7a79cc3b46d3c6eb52fa37dde34a4a60824079ebdfb3abfbbfa035947c55319 http://download.redis.io/releases/redis-6.2.7.tar.gz
+hash redis-7.0.0.tar.gz sha256 284d8bd1fd85d6a55a05ee4e7c31c31977ad56cbf344ed83790beeb148baa720 http://download.redis.io/releases/redis-7.0.0.tar.gz
--- a/redis.spec
+++ b/redis.spec
@ -1,7 +1,7 @@
 #
 # spec file for package redis
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -20,7 +20,7 @@
 %define _log_dir        %{_localstatedir}/log/%{name}
 %define _conf_dir       %{_sysconfdir}/%{name}
 Name:           redis
-Version:        6.2.6
+Version:        6.2.7
 Release:        0
 Summary:        Persistent key-value database
 License:        BSD-3-Clause