UbuntuUpdates.org

Package "redis-server"

Name: redis-server

Description:

Persistent key-value database with network interface

Latest version: 2:3.0.6-1ubuntu0.4
Release: xenial (16.04)
Level: updates
Repository: universe
Head package: redis
Homepage: http://redis.io/

Links


Download "redis-server"


Other versions of "redis-server" in Xenial

Repository Area Version
base universe 2:3.0.6-1
security universe 2:3.0.6-1ubuntu0.4

Changelog

Version: 2:3.0.6-1ubuntu0.4 2019-07-16 15:07:05 UTC

  redis (2:3.0.6-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: heap buffer overflows in Hyperloglog (Closes: #1836496)
    - debian/patches/CVE-2019-10192.patch: Fix hyperloglog corruption
    - CVE-2019-10192

 -- Julian Andres Klode <email address hidden> Sun, 14 Jul 2019 21:21:22 +0200

Source diff to previous version
CVE-2019-10192 A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5

Version: 2:3.0.6-1ubuntu0.3 2018-12-10 19:06:17 UTC

  redis (2:3.0.6-1ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Tighten Permissions
    - Ensure /var/lib/redis and /var/log/redis are not world readable
    - Set UMask=007 in redis-server.service, redis-sentinel.server
    - Changes taken from Debian version 3:3.2.5-2
    - CVE-2016-2121

 -- Mike Salvatore <email address hidden> Fri, 07 Dec 2018 11:02:30 -0500

Source diff to previous version
CVE-2016-2121 A permissions flaw was found in redis, which sets weak permissions on certain files and directories that could potentially contain sensitive informat

Version: 2:3.0.6-1ubuntu0.2 2018-11-28 20:07:10 UTC

  redis (2:3.0.6-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Permissions issue
    - debian/patches/CVE-2013-7458.patch: fix in
      deps/linenoise/linenoise.c.
    - CVE-2013-7458
  * SECURITY UPDATE: Cross protocol scripting
    - debian/patches/CVE-2016-10517.patch: fix in
      src/redis.c, src/redis.h.
    - CVE-2016-10517
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-15047.patch: fix in
      src/cluster.c.
    - CVE-2017-15047
  * SECURITY UPDATE: Memory corruption
    - debian/patches/CVE-2018-11218.patch: fix in
      deps/lua/src/lua_cmsgpack.c.
    - CVE-2018-11218
  * SECURITY UPDATE: Integer Overflow
    - debian/patches/CVE-2018-11219-*.patch: fix in
      deps/lua/src/lua_struct.c.
    - CVE-2018-11219
  * SECURITY UPDATE: Buffer overflow in the redis-cli
    - debian/patches/CVE-2018-12326.patch: fix in
      redis-cli.c.
    - CVE-2018-12326

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 26 Jun 2018 17:12:39 -0300

CVE-2013-7458 linenoise, as used in Redis before 3.2.3, uses world-readable permissions for .rediscli_history, which allows local users to obtain sensitive informa
CVE-2016-10517 networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a check for POST and Host: strings, which are not valid in the
CVE-2017-15047 The clusterLoadConfig function in cluster.c in Redis 4.0.2 allows attackers to cause a denial of service (out-of-bounds array index and application c
CVE-2018-11218 Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 becau
CVE-2018-11219 An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2
CVE-2018-12326 Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 RC3 allows an attacker to achieve code execution and escalate to higher privil



About   -   Send Feedback to @ubuntu_updates