Security fixes
* (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
  buffers which can result in incorrect accounting of buffer sizes and lead to
  heap overflow and potential remote code execution.

Bug fixes
* Fix crashes of cluster commands clusters with mixed versions of 7.0 and 7.2 (#12805, #12832)
* Fix slot ownership not being properly handled when deleting a slot from a node (#12564)
* Fix atomicity issues with the RedisModuleEvent_Key module API event (#12733)

If you want, I can create a patch.
Created attachment 247590
update to 7.2.4

7.0.15 released too with fix for same CVE.
Using 7.2.4 for ~9 days on 2 hosts for GitLab and 2 for Nextcloud. Waiting for maintainer timeout to commit…
Created attachment 247854
update redis70 to 7.0.15

Tested build in poudriere 13.2-p9 amd64 only.
(In reply to Vladimir Druzenko from comment #3)

Please prepare a vuxml entry too.

Dima, on behalf of ports-secteam
(In reply to Dima Panov from comment #4)

I don't know how to do this correctly.
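For reference, this is what a VuXML entry for the two port updates discussed in this thread would look like. It is an added example, not an attachment from this bug or text from the FreeBSD commits: the vid is a placeholder that must be replaced by a freshly generated UUID, both dates are placeholders, and the package names (redis, redis70) are assumed to match the ports' PKGNAME. The description text and version bounds are taken from the release notes quoted above.

```xml
<!-- Example VuXML entry (added illustration, not from the bug thread).
     Replace the vid with a new UUID (e.g. uuidgen(1)) and fill in real dates. -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>redis -- heap overflow via incorrect buffer resizing</topic>
  <affects>
    <!-- Assumed package names; check PKGNAME of databases/redis and databases/redis70 -->
    <package>
      <name>redis</name>
      <range><lt>7.2.4</lt></range>
    </package>
    <package>
      <name>redis70</name>
      <range><lt>7.0.15</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Redis project reports:</p>
      <blockquote cite="https://github.com/redis/redis/releases/tag/7.2.4">
        <p>(CVE-2023-41056) In some cases, Redis may incorrectly handle
          resizing of memory buffers which can result in incorrect
          accounting of buffer sizes and lead to heap overflow and
          potential remote code execution.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2023-41056</cvename>
    <url>https://github.com/redis/redis/releases/tag/7.2.4</url>
    <url>https://github.com/redis/redis/releases/tag/7.0.15</url>
  </references>
  <dates>
    <!-- Placeholders: discovery = upstream release date, entry = date the entry lands -->
    <discovery>YYYY-MM-DD</discovery>
    <entry>YYYY-MM-DD</entry>
  </dates>
</vuln>
```

The entry is added at the top of the current year's file under security/vuxml/vuln/, and `make validate` in security/vuxml checks it against the schema before it is committed; the `<lt>` bounds mean that `pkg audit` flags every installed redis/redis70 package older than the fixed versions.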
Maintainer timeout?
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7bb0b75a6693d2dd9c39468bdc2392598632d0da

commit 7bb0b75a6693d2dd9c39468bdc2392598632d0da
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-01-28 20:39:34 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-01-28 21:04:11 +0000

    databases/redis: update to 7.2.4 with fix CVE-2023-41056

    Security fixes:
    * (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
      buffers which can result in incorrect accounting of buffer sizes and lead to
      heap overflow and potential remote code execution.

    Bug fixes:
    * Fix crashes of cluster commands clusters with mixed versions of 7.0 and 7.2 (#12805, #12832)
    * Fix slot ownership not being properly handled when deleting a slot from a node (#12564)
    * Fix atomicity issues with the RedisModuleEvent_Key module API event (#12733)

    Changelog: https://github.com/redis/redis/releases/tag/7.2.4

    PR:             276255
    Approved by:    yasu (maintainer, timeout > 14 days), arrowd (mentor)
    MFH:            2024Q1

 databases/redis/Makefile | 2 +-
 databases/redis/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5c3342ecd87633f163ac3410dd8cb2809c74d623

commit 5c3342ecd87633f163ac3410dd8cb2809c74d623
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-01-28 21:02:58 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-01-28 21:04:11 +0000

    databases/redis70: update to 7.0.15 with fix CVE-2023-41056

    Security fixes:
    * (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
      buffers which can result in incorrect accounting of buffer sizes and lead to
      heap overflow and potential remote code execution.

    Changelog: https://github.com/redis/redis/releases/tag/7.0.15

    PR:             276255
    Approved by:    yasu (maintainer, timeout > 14 days), arrowd (mentor)
    MFH:            2024Q1

 databases/redis70/Makefile | 2 +-
 databases/redis70/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
A commit in branch 2024Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=56503dd0d75b7315d88c33263452635b88974a61

commit 56503dd0d75b7315d88c33263452635b88974a61
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-01-28 21:02:58 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-01-28 21:07:22 +0000

    databases/redis70: update to 7.0.15 with fix CVE-2023-41056

    Security fixes:
    * (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
      buffers which can result in incorrect accounting of buffer sizes and lead to
      heap overflow and potential remote code execution.

    Changelog: https://github.com/redis/redis/releases/tag/7.0.15

    PR:             276255
    Approved by:    yasu (maintainer, timeout > 14 days), arrowd (mentor)
    MFH:            2024Q1

    (cherry picked from commit 5c3342ecd87633f163ac3410dd8cb2809c74d623)

 databases/redis70/Makefile | 2 +-
 databases/redis70/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
A commit in branch 2024Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ea7e89174a9c3a095dfe4dd44e27f028454eb5a9

commit ea7e89174a9c3a095dfe4dd44e27f028454eb5a9
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-01-28 20:39:34 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-01-28 21:07:05 +0000

    databases/redis: update to 7.2.4 with fix CVE-2023-41056

    Security fixes:
    * (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
      buffers which can result in incorrect accounting of buffer sizes and lead to
      heap overflow and potential remote code execution.

    Bug fixes:
    * Fix crashes of cluster commands clusters with mixed versions of 7.0 and 7.2 (#12805, #12832)
    * Fix slot ownership not being properly handled when deleting a slot from a node (#12564)
    * Fix atomicity issues with the RedisModuleEvent_Key module API event (#12733)

    Changelog: https://github.com/redis/redis/releases/tag/7.2.4

    PR:             276255
    Approved by:    yasu (maintainer, timeout > 14 days), arrowd (mentor)
    MFH:            2024Q1

    (cherry picked from commit 7bb0b75a6693d2dd9c39468bdc2392598632d0da)

 databases/redis/Makefile | 2 +-
 databases/redis/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)