Accepting request 1098376 from home:dspinella:branches:server:database

- redis 7.0.12: * (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (bsc#1213193) * (CVE-2023-36824) Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Specifically: using COMMAND GETKEYS* and validation of key names in ACL rules. (bsc#1213249) * Re-enable downscale rehashing while there is a fork child * Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count> * Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction * Fix WAIT to be effective after a blocked module command being unblocked * Avoid unnecessary full sync after master restart in a rare case OBS-URL: https://build.opensuse.org/request/show/1098376 OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=226
2023-07-12 16:56:39 +00:00 · 2023-07-12 16:56:39 +00:00 · ce9b309603
commit ce9b309603
parent 74bf12d703
5 changed files with 28 additions and 4 deletions
--- a/redis-7.0.11.tar.gz
+++ b/redis-7.0.11.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ce250d1fba042c613de38a15d40889b78f7cb6d5461a27e35017ba39b07221e3
-size 2988485
--- a/redis-7.0.12.tar.gz
+++ b/redis-7.0.12.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9dd83d5b278bb2bf0e39bfeb75c3e8170024edbaf11ba13b7037b2945cf48ab7
+size 2992216
--- a/redis.changes
+++ b/redis.changes
@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Wed Jul 12 14:10:43 UTC 2023 - Danilo Spinella <danilo.spinella@suse.com>
+
+- redis 7.0.12:
+  * (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger
+    a heap overflow in the cjson and cmsgpack libraries, and result in heap
+    corruption and potentially remote code execution. The problem exists in all
+    versions of Redis with Lua scripting support, starting from 2.6, and affects
+    only authenticated and authorized users. (bsc#1213193)
+  * (CVE-2023-36824) Extracting key names from a command and a list of arguments
+    may, in some cases, trigger a heap overflow and result in reading random heap
+    memory, heap corruption and potentially remote code execution. Specifically:
+    using COMMAND GETKEYS* and validation of key names in ACL rules. (bsc#1213249)
+  * Re-enable downscale rehashing while there is a fork child
+  * Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count>
+  * Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER,
+    SPOP, and eviction
+  * Fix WAIT to be effective after a blocked module command being unblocked
+  * Avoid unnecessary full sync after master restart in a rare case
+
 -------------------------------------------------------------------
 Fri May 19 11:23:43 UTC 2023 - Jiri Srain <jsrain@suse.com>

--- a/redis.hashes
+++ b/redis.hashes
@ -159,3 +159,7 @@ hash redis-7.0.11.tar.gz sha256 ce250d1fba042c613de38a15d40889b78f7cb6d5461a27e3
 hash redis-6.2.12.tar.gz sha256 75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b http://download.redis.io/releases/redis-6.2.12.tar.gz
 hash redis-6.0.19.tar.gz sha256 55e26318c3d9c53a77a6e802f60524afdddd057a2e965cebcf781a0a72f0e3e6 http://download.redis.io/releases/redis-6.0.19.tar.gz
 hash redis-7.2-rc2.tar.gz sha256 4e075e79ad18f16c41e18b14ab60e1edfdb6633907fe9a39a34c62f4a758740b http://download.redis.io/releases/redis-7.2-rc2.tar.gz
+hash redis-6.0.20.tar.gz sha256 173d4c5f44b5d7186da96c4adc5cb20e8018b50ec3a8dfe0d191dbbab53952f0 http://download.redis.io/releases/redis-6.0.20.tar.gz
+hash redis-6.2.13.tar.gz sha256 89ff27c80d420456a721ccfb3beb7cc628d883c53059803513749e13214a23d1 http://download.redis.io/releases/redis-6.2.13.tar.gz
+hash redis-7.0.12.tar.gz sha256 9dd83d5b278bb2bf0e39bfeb75c3e8170024edbaf11ba13b7037b2945cf48ab7 http://download.redis.io/releases/redis-7.0.12.tar.gz
+hash redis-7.2-rc3.tar.gz sha256 4035e2b146ca1eb43b4188ca30a6d7be1a4d40ac2dfdf58db8f885517bbab41a http://download.redis.io/releases/redis-7.2-rc3.tar.gz
--- a/redis.spec
+++ b/redis.spec
@ -20,7 +20,7 @@
 %define _log_dir        %{_localstatedir}/log/%{name}
 %define _conf_dir       %{_sysconfdir}/%{name}
 Name:           redis
-Version:        7.0.11
+Version:        7.0.12
 Release:        0
 Summary:        Persistent key-value database
 License:        BSD-3-Clause