git: 84029f184f27 - main - security/vuxml: document multiple issue with databases/redis{,5,6}
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 05 Oct 2021 13:28:58 UTC
The branch main has been updated by osa:
URL: https://cgit.FreeBSD.org/ports/commit/?id=84029f184f27ec93364bbb4d04ddcf1bfc869d70
commit 84029f184f27ec93364bbb4d04ddcf1bfc869d70
Author: Sergey A. Osokin <osa@FreeBSD.org>
AuthorDate: 2021-10-05 13:28:13 +0000
Commit: Sergey A. Osokin <osa@FreeBSD.org>
CommitDate: 2021-10-05 13:28:13 +0000
security/vuxml: document multiple issue with databases/redis{,5,6}
PR: 258935
---
security/vuxml/vuln-2021.xml | 82 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
index dc5e49a62c81..710fc2b8a7f1 100644
--- a/security/vuxml/vuln-2021.xml
+++ b/security/vuxml/vuln-2021.xml
@@ -57,6 +57,88 @@
</dates>
</vuln>
+ <vuln vid="9b4806c1-257f-11ec-9db5-0800270512f4">
+ <topic>redis -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>redis</name>
+ <range><lt>6.2.6</lt></range>
+ </package>
+ <package>
+ <name>redis6</name>
+ <range><lt>6.0.16</lt></range>
+ </package>
+ <package>
+ <name>redis5</name>
+ <range><lt>5.0.14</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Redis Team reports:</p>
+ <blockquote cite="https://groups.google.com/g/redis-db/c/GS_9L2KCk9g/m/Q7ZN1R1cDAAJ">
+ <dl>
+ <dt>CVE-2021-41099</dt>
+ <dd>
+ Integer to heap buffer overflow handling certain string commands
+ and network payloads, when proto-max-bulk-len is manually configured.
+ </dd>
+ <dt>CVE-2021-32762</dt>
+ <dd>
+ Integer to heap buffer overflow issue in redis-cli and redis-sentinel
+ parsing large multi-bulk replies on some older and less common platforms.
+ </dd>
+ <dt>CVE-2021-32687</dt>
+ <dd>
+ Integer to heap buffer overflow with intsets, when set-max-intset-entries
+ is manually configured to a non-default, very large value.
+ </dd>
+ <dt>CVE-2021-32675</dt>
+ <dd>
+ Denial Of Service when processing RESP request payloads with a large
+ number of elements on many connections.
+ </dd>
+ <dt>CVE-2021-32672</dt>
+ <dd>
+ Random heap reading issue with Lua Debugger.
+ </dd>
+ <dt>CVE-2021-32628</dt>
+ <dd>
+ Integer to heap buffer overflow handling ziplist-encoded data types,
+ when configuring a large, non-default value for hash-max-ziplist-entries,
+ hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value.
+ </dd>
+ <dt>CVE-2021-32627</dt>
+ <dd>
+ Integer to heap buffer overflow issue with streams, when configuring
+ a non-default, large value for proto-max-bulk-len and
+ client-query-buffer-limit.
+ </dd>
+ <dt>CVE-2021-32626</dt>
+ <dd>
+ Specially crafted Lua scripts may result with Heap buffer overflow.
+ </dd>
+ </dl>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2021-41099</cvename>
+ <cvename>CVE-2021-32762</cvename>
+ <cvename>CVE-2021-32687</cvename>
+ <cvename>CVE-2021-32675</cvename>
+ <cvename>CVE-2021-32672</cvename>
+ <cvename>CVE-2021-32628</cvename>
+ <cvename>CVE-2021-32627</cvename>
+ <cvename>CVE-2021-32626</cvename>
+ <url>https://groups.google.com/g/redis-db/c/GS_9L2KCk9g</url>
+ </references>
+ <dates>
+ <discovery>2021-10-04</discovery>
+ <entry>2021-10-05</entry>
+ </dates>
+ </vuln>
+
<vuln vid="f84ab297-2285-11ec-9e79-08002789875b">
<topic>mediawiki -- multiple vulnerabilities</topic>
<affects>