Bug 276255 - databases/redis{,70}: update to 7.2.4, 7.0.15 with fix CVE-2023-41056
Summary: databases/redis{,70}: update to 7.2.4, 7.0.15 with fix CVE-2023-41056
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Vladimir Druzenko
URL: https://github.com/redis/redis/releas...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-11 08:43 UTC by Vladimir Druzenko
Modified: 2024-01-28 21:09 UTC
CC: 3 users

See Also:
bugzilla: maintainer-feedback? (yasu)


Attachments
update to 7.2.4 (813 bytes, patch)
2024-01-11 09:14 UTC, Vladimir Druzenko
vvd: maintainer-approval?
update redis70 to 7.0.15 (852 bytes, patch)
2024-01-22 19:35 UTC, Vladimir Druzenko
vvd: maintainer-approval?

Description Vladimir Druzenko freebsd_committer freebsd_triage 2024-01-11 08:43:04 UTC
Security fixes
 * (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
   buffers which can result in incorrect accounting of buffer sizes and lead to
   heap overflow and potential remote code execution.

Bug fixes
 * Fix crashes of cluster commands clusters with mixed versions of 7.0 and 7.2 (#12805, #12832)
 * Fix slot ownership not being properly handled when deleting a slot from a node (#12564)
 * Fix atomicity issues with the RedisModuleEvent_Key module API event (#12733)

If you want, I can create a patch.
Comment 1 Vladimir Druzenko freebsd_committer freebsd_triage 2024-01-11 09:14:33 UTC
Created attachment 247590
update to 7.2.4

7.0.15 released too with fix for same CVE.
Comment 2 Vladimir Druzenko freebsd_committer freebsd_triage 2024-01-20 10:31:02 UTC
Using 7.2.4 for ~9 days on 2 hosts for GitLab and 2 for Nextcloud.

Waiting for maintainer timeout before commit…
Comment 3 Vladimir Druzenko freebsd_committer freebsd_triage 2024-01-22 19:35:43 UTC
Created attachment 247854
update redis70 to 7.0.15

Tested build in poudriere on 13.2-p9 amd64 only.
Comment 4 Dima Panov freebsd_committer freebsd_triage 2024-01-22 22:02:43 UTC
(In reply to Vladimir Druzenko from comment #3)
Please prepare a vuxml entry too.

Dima, on behalf of ports-secteam
Comment 5 Vladimir Druzenko freebsd_committer freebsd_triage 2024-01-26 15:59:27 UTC
(In reply to Dima Panov from comment #4)
I don't know how to do this correctly.
Comment 6 Vladimir Druzenko freebsd_committer freebsd_triage 2024-01-27 13:14:58 UTC
Maintainer timeout?
Comment 7 commit-hook freebsd_committer freebsd_triage 2024-01-28 21:06:30 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7bb0b75a6693d2dd9c39468bdc2392598632d0da

commit 7bb0b75a6693d2dd9c39468bdc2392598632d0da
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-01-28 20:39:34 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-01-28 21:04:11 +0000

    databases/redis: update to 7.2.4 with fix CVE-2023-41056

    Security fixes:
    * (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
      buffers which can result in incorrect accounting of buffer sizes and lead to
      heap overflow and potential remote code execution.
    Bug fixes:
    * Fix crashes of cluster commands clusters with mixed versions of 7.0 and 7.2 (#12805, #12832)
    * Fix slot ownership not being properly handled when deleting a slot from a node (#12564)
    * Fix atomicity issues with the RedisModuleEvent_Key module API event (#12733)
    Changelog: https://github.com/redis/redis/releases/tag/7.2.4

    PR:             276255
    Approved by:    yasu (maintainer, timeout > 14 days), arrowd (mentor)
    MFH:            2024Q1

 databases/redis/Makefile | 2 +-
 databases/redis/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 8 commit-hook freebsd_committer freebsd_triage 2024-01-28 21:06:32 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5c3342ecd87633f163ac3410dd8cb2809c74d623

commit 5c3342ecd87633f163ac3410dd8cb2809c74d623
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-01-28 21:02:58 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-01-28 21:04:11 +0000

    databases/redis70: update to 7.0.15 with fix CVE-2023-41056

    Security fixes:
    * (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
      buffers which can result in incorrect accounting of buffer sizes and lead to
      heap overflow and potential remote code execution.
    Changelog: https://github.com/redis/redis/releases/tag/7.0.15

    PR:             276255
    Approved by:    yasu (maintainer, timeout > 14 days), arrowd (mentor)
    MFH:            2024Q1

 databases/redis70/Makefile | 2 +-
 databases/redis70/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 9 commit-hook freebsd_committer freebsd_triage 2024-01-28 21:08:33 UTC
A commit in branch 2024Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=56503dd0d75b7315d88c33263452635b88974a61

commit 56503dd0d75b7315d88c33263452635b88974a61
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-01-28 21:02:58 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-01-28 21:07:22 +0000

    databases/redis70: update to 7.0.15 with fix CVE-2023-41056

    Security fixes:
    * (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
      buffers which can result in incorrect accounting of buffer sizes and lead to
      heap overflow and potential remote code execution.
    Changelog: https://github.com/redis/redis/releases/tag/7.0.15

    PR:             276255
    Approved by:    yasu (maintainer, timeout > 14 days), arrowd (mentor)
    MFH:            2024Q1

    (cherry picked from commit 5c3342ecd87633f163ac3410dd8cb2809c74d623)

 databases/redis70/Makefile | 2 +-
 databases/redis70/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 10 commit-hook freebsd_committer freebsd_triage 2024-01-28 21:08:34 UTC
A commit in branch 2024Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ea7e89174a9c3a095dfe4dd44e27f028454eb5a9

commit ea7e89174a9c3a095dfe4dd44e27f028454eb5a9
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2024-01-28 20:39:34 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-01-28 21:07:05 +0000

    databases/redis: update to 7.2.4 with fix CVE-2023-41056

    Security fixes:
    * (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
      buffers which can result in incorrect accounting of buffer sizes and lead to
      heap overflow and potential remote code execution.
    Bug fixes:
    * Fix crashes of cluster commands clusters with mixed versions of 7.0 and 7.2 (#12805, #12832)
    * Fix slot ownership not being properly handled when deleting a slot from a node (#12564)
    * Fix atomicity issues with the RedisModuleEvent_Key module API event (#12733)
    Changelog: https://github.com/redis/redis/releases/tag/7.2.4

    PR:             276255
    Approved by:    yasu (maintainer, timeout > 14 days), arrowd (mentor)
    MFH:            2024Q1

    (cherry picked from commit 7bb0b75a6693d2dd9c39468bdc2392598632d0da)

 databases/redis/Makefile | 2 +-
 databases/redis/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)