From nobody Tue Oct 5 13:28:58 2021
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 957B917ECAC8; Tue, 5 Oct 2021 13:28:58 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HNz223m47z3FkW; Tue, 5 Oct 2021 13:28:58 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 610E453BE; Tue, 5 Oct 2021 13:28:58 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 195DSwVX010011; Tue, 5 Oct 2021 13:28:58 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 195DSwoP010010; Tue, 5 Oct 2021 13:28:58 GMT (envelope-from git)
Date: Tue, 5 Oct 2021 13:28:58 GMT
Message-Id: <202110051328.195DSwoP010010@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: "Sergey A. Osokin" Subject: git: 84029f184f27 - main - security/vuxml: document multiple issue with databases/redis{,5,6} List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: osa X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 84029f184f27ec93364bbb4d04ddcf1bfc869d70 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by osa: URL: https://cgit.FreeBSD.org/ports/commit/?id=84029f184f27ec93364bbb4d04ddcf1bfc869d70 commit 84029f184f27ec93364bbb4d04ddcf1bfc869d70 Author: Sergey A. Osokin AuthorDate: 2021-10-05 13:28:13 +0000 Commit: Sergey A. Osokin CommitDate: 2021-10-05 13:28:13 +0000 security/vuxml: document multiple issue with databases/redis{,5,6} PR: 258935 --- security/vuxml/vuln-2021.xml | 82 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index dc5e49a62c81..710fc2b8a7f1 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -57,6 +57,88 @@ + + redis -- multiple vulnerabilities + + + redis + 6.2.6 + + + redis6 + 6.0.16 + + + redis5 + 5.0.14 + + + + +

The Redis Team reports:

+
+
+
CVE-2021-41099
+
+ Integer to heap buffer overflow handling certain string commands + and network payloads, when proto-max-bulk-len is manually configured. +
+
CVE-2021-32762
+
+ Integer to heap buffer overflow issue in redis-cli and redis-sentinel + parsing large multi-bulk replies on some older and less common platforms. +
+
CVE-2021-32687
+
+ Integer to heap buffer overflow with intsets, when set-max-intset-entries + is manually configured to a non-default, very large value. +
+
CVE-2021-32675
+
+ Denial Of Service when processing RESP request payloads with a large + number of elements on many connections. +
+
CVE-2021-32672
+
+ Random heap reading issue with Lua Debugger. +
+
CVE-2021-32628
+
+ Integer to heap buffer overflow handling ziplist-encoded data types, + when configuring a large, non-default value for hash-max-ziplist-entries, + hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value. +
+
CVE-2021-32627
+
+ Integer to heap buffer overflow issue with streams, when configuring + a non-default, large value for proto-max-bulk-len and + client-query-buffer-limit. +
+
CVE-2021-32626
+
+ Specially crafted Lua scripts may result with Heap buffer overflow. +
+
+
+ +
+ + CVE-2021-41099 + CVE-2021-32762 + CVE-2021-32687 + CVE-2021-32675 + CVE-2021-32672 + CVE-2021-32628 + CVE-2021-32627 + CVE-2021-32626 + https://groups.google.com/g/redis-db/c/GS_9L2KCk9g + + + 2021-10-04 + 2021-10-05 + +
+ mediawiki -- multiple vulnerabilities
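Review bot: the version bounds in the three package blocks (redis 6.2.6, redis6 6.0.16, redis5 5.0.14) are the fixed releases named in the referenced redis-db announcement, so each range must be a strict less-than bound on that version rather than an inclusive one; the extraction here does not show the range element, so please double-check it, otherwise the patched releases themselves would be reported as affected. On the description: four of the eight CVE paragraphs (CVE-2021-41099, CVE-2021-32687, CVE-2021-32628, CVE-2021-32627) are explicitly conditioned on non-default tunables (proto-max-bulk-len, set-max-intset-entries, the hash-/zset-max-ziplist-* limits, client-query-buffer-limit), while CVE-2021-32675, CVE-2021-32672 and CVE-2021-32626 carry no such condition; a one-sentence note that a default configuration remains affected by the latter would help operators triage rather than dismiss the entry. The references section lists only the mailing-list post; adding the per-CVE advisory links from that announcement would make the entry self-contained. Minor: the commit subject reads "document multiple issue with databases/redis{,5,6}" and should be "multiple issues".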