| Field | Value |
|---|---|
| Message ID | 20170131161904.28657-1-Vincent.Riera@imgtec.com |
| State | Superseded |
>>>>> "Vicente" == Vicente Olivert Riera <Vincent.Riera@imgtec.com> writes:

 > Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>

Please mention whenever version bumps have security impact - E.G. from the release notes:

Redis 3.2.7 is out and it has important fixes, two are related to the security of the server, so please keep reading and if it's the case, upgrade.

Upgrade urgency HIGH. This release fixes important security and correctness issues. It is especially important to upgrade for Redis Cluster users and for users running Redis on their laptop since a cross-scripting attack is fixed in this release.

Main bug fixes and improvements in this release:

* MIGRATE could incorrectly move keys between Redis Cluster nodes by turning keys with an expire set into persisting keys. This bug was introduced with the multiple-keys migration recently. It is now fixed. Only applies to Redis Cluster users that use the resharding features of Redis Cluster.

* As Redis 4.0 beta and the unstable branch already did (for some months at this point), Redis 3.2.7 also aliases the Host: and POST commands to QUIT, avoiding processing the remaining pipeline if there are pending commands. This is a security protection against a "Cross Scripting" attack, that usually involves trying to feed Redis with HTTP in order to execute commands. Example: a developer is running a local copy of Redis for development purposes. She also runs a web browser on the same computer. The web browser could send an HTTP request to http://127.0.0.1:6379 in order to access the Redis instance, since a specially crafted HTTP request may also be partially valid Redis protocol. However if POST and Host: break the connection, this problem should be avoided.

  IMPORTANT: It is important to realize that it is not impossible that another way will be found to talk with a localhost Redis using a Cross Protocol attack not involving sending POST or Host:, so this is only a layer of protection but not a definitive fix for this class of issues.

* A ziplist bug that could cause data corruption, could crash the server and MAY ALSO HAVE SECURITY IMPLICATIONS was fixed. The bug looks complex to exploit, but attacks always get worse, never better (cit). The bug is very very hard to catch in practice, it required manual analysis of the ziplist code in order to be found. However it is also possible that rarely it happened in the wild. Upgrading is required if you use LINSERT and other in-the-middle list manipulation commands.

* We upgraded to Jemalloc 4.4.0 since the version we used to ship with Redis was an early 4.0 release of Jemalloc. This version may have several improvements including the ability to better reclaim/use the memory of the system.
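The cross-protocol attack and the Host:/POST mitigation described in the release notes above, as an added example that is neither Redis code nor part of this patch: a toy model of a Redis server reading an inline-protocol pipeline. The HTTP request and the second, non-HTTP stream are constructed for the demonstration; the command table, the `run_pipeline` helper and its return shape are assumptions of this model, not Redis internals. The second stream goes beyond the release note's example to show its caveat: a stream reaching the port without a POST or Host: line is still parsed command by command.

```python
# Added example, not Redis source: a toy Redis-like server reading the
# "inline" protocol (one whitespace-separated command per line), with and
# without the 3.2.7 guard that treats "POST" and "Host:" like QUIT.

from typing import List, Tuple

# Commands the toy server implements (assumption for the model); anything
# else is answered with an unknown-command error and the connection stays open,
# which is what lets HTTP header lines be skipped over harmlessly.
KNOWN_COMMANDS = {b"SET", b"GET", b"CONFIG", b"FLUSHALL", b"QUIT"}

# Tokens aliased to QUIT in Redis 3.2.7+ (command lookup is case-insensitive).
CROSS_PROTOCOL_GUARDS = {b"POST", b"HOST:"}

# Constructed request: what a browser on the same host could be made to send
# to http://127.0.0.1:6379/. The body lines are valid inline Redis commands.
CONSTRUCTED_HTTP_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 127.0.0.1:6379\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"SET pwned 1\r\n"
    b"CONFIG SET dir /tmp\r\n"
)

# Constructed stream in some other text protocol that carries the same payload
# but no POST/Host: line: the guard does not trigger, which is the caveat the
# release note makes about this being only one layer of protection.
CONSTRUCTED_OTHER_PROTOCOL = (
    b"HELLO-SOME-OTHER-PROTOCOL 1.0\r\n"
    b"SET pwned 1\r\n"
)


def run_pipeline(stream: bytes, guard_enabled: bool) -> Tuple[List[str], List[str]]:
    """Feed a raw byte stream to the toy server.

    Returns (executed, errors): the known commands that would run, in order,
    and the unknown-command error replies the client would receive.
    """
    executed: List[str] = []
    errors: List[str] = []
    for raw_line in stream.split(b"\r\n"):
        if not raw_line.strip():
            continue                       # blank line (end of HTTP headers): nothing to parse
        argv = raw_line.split()            # inline protocol: whitespace-separated words
        cmd = argv[0].upper()
        if guard_enabled and cmd in CROSS_PROTOCOL_GUARDS:
            executed.append("QUIT")        # 3.2.7: close the connection ...
            break                          # ... and drop the rest of the pipeline
        if cmd in KNOWN_COMMANDS:
            executed.append(cmd.decode())
        else:
            # Pre-3.2.7 behaviour for POST/Host:, and for any other unknown token:
            # send an error and keep reading, so the attacker's body lines get reached.
            errors.append(f"ERR unknown command '{argv[0].decode(errors='replace')}'")
    return executed, errors


if __name__ == "__main__":
    print("before 3.2.7:", run_pipeline(CONSTRUCTED_HTTP_REQUEST, guard_enabled=False))
    print("with guard:  ", run_pipeline(CONSTRUCTED_HTTP_REQUEST, guard_enabled=True))
    print("other protocol, guard on:", run_pipeline(CONSTRUCTED_OTHER_PROTOCOL, guard_enabled=True))
```

Without the guard the three HTTP header lines each produce an error and the connection stays open, so `SET` and `CONFIG` in the body run; with the guard the very first line (`POST`) closes the connection and nothing after it is parsed. The third run shows why the release note calls the guard a layer rather than a fix: a stream that never contains `POST` or `Host:` is still executed line by line, so binding Redis to a non-loopback-reachable socket or requiring AUTH remains the real control.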
diff --git a/package/redis/redis.hash b/package/redis/redis.hash index b6e8eac..d4ac7c3 100644 --- a/package/redis/redis.hash +++ b/package/redis/redis.hash @@ -1,4 +1,4 @@ # From https://github.com/antirez/redis-hashes/blob/master/README -sha1 0c7bc5c751bdbc6fabed178db9cdbdd948915d1b redis-3.2.6.tar.gz +sha1 6889af053020cd72ebb16805ead0ce9b3a69a9ef redis-3.2.7.tar.gz # Calculated based on the hash above -sha256 2e1831c5a315e400d72bda4beaa98c0cfbe3f4eb8b20c269371634390cf729fa redis-3.2.6.tar.gz +sha256 bf9df3e5374bfe7bfc3386380f9df13d94990011504ef07632b3609bb2836fa9 redis-3.2.7.tar.gz diff --git a/package/redis/redis.mk b/package/redis/redis.mk index 0b07d18..63964b5 100644 --- a/package/redis/redis.mk +++ b/package/redis/redis.mk @@ -4,7 +4,7 @@ # ################################################################################ -REDIS_VERSION = 3.2.6 +REDIS_VERSION = 3.2.7 REDIS_SITE = http://download.redis.io/releases REDIS_LICENSE = BSD-3c (core); MIT and BSD family licenses (Bundled components) REDIS_LICENSE_FILES = COPYING
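Review bot: in the package/redis/redis.hash hunk the new sha256 for redis-3.2.7.tar.gz is self-computed ("Calculated based on the hash above") from a tarball that redis.mk fetches over plain HTTP (REDIS_SITE = http://download.redis.io/releases), so its only anchor to upstream is the sha1 copied from the redis-hashes README; the commit message should say that the downloaded tarball's sha1 was checked against that README before the sha256 was computed, so a reviewer can reproduce the chain. The comment links the README at `blob/master`, which drifts as upstream adds releases; a link pinned to a specific commit would keep the reference stable.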
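Review bot: the `-REDIS_VERSION = 3.2.6` / `+REDIS_VERSION = 3.2.7` hunk in package/redis/redis.mk comes with no rationale in the commit message, although 3.2.7 is a security release (Host: and POST aliased to QUIT against cross-protocol attacks, a ziplist corruption bug with possible security impact), as the reply above spells out; add a sentence to the commit message naming those fixes so the bump is identifiable as security-relevant, for instance "Bump to 3.2.7, which fixes a cross-protocol (HTTP to Redis) attack and a ziplist bug that may have security implications; see the release notes."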
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
---
 package/redis/redis.hash | 4 ++--
 package/redis/redis.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)