REDIS 7.0.0/7.0.1/7.0.2/7.0.3/7.0.4 XAUTOCLAIM COMMAND INTEGER OVERFLOW


Apoorv Verma

Sep 30, 2022, 2:15:40 AM
to Redis DB
Hello,

We are in the process of upgrading Redis to version 7.0.4 in production,

but came across this security vulnerability with the XAUTOCLAIM command in version 7.0.4.

More on this over here -


The post suggests that the fix has been done with version 7.0.5

Just wanted to know if the fix will be backported to previous versions as well, like 7.0.4, or if upgrading to the latest version is the only option.

Best Regards,
Apoorv


Maxwell Bloch

Oct 2, 2022, 10:33:41 AM
to redi...@googlegroups.com
Apoorv,

Which updates of 7.0.5 would you want to omit? If you wanted to cherry-pick the update for this bug, you could merge "Fix heap overflow vulnerability in XAUTOCLAIM (CVE-2022-35951)" by oranagra (redis/redis Pull Request #11301 on GitHub) and compile.


Ankit Gupta

Oct 2, 2022, 12:30:07 PM
to redi...@googlegroups.com
Hello Michael,

Thanks for the quick response. Can we consider 7.0.5 as the latest
stable release or are there any builds/fixes that are planned in the
near future?

Best Regards,
Ankit Gupta

Apoorv Verma

Oct 4, 2022, 3:35:20 AM
to Redis DB
Hi Team,

Can you please confirm that Redis 7.0.5 is the latest stable version, keeping in mind this vulnerability?

Best Regards,
Apoorv

Itamar Haber

Oct 4, 2022, 10:02:04 AM
to Redis DB
Hello Apoorv.

Redis 7.0.5 is the latest stable version. The release notes (https://github.com/redis/redis/releases/tag/7.0.5) clearly state that this issue was addressed:

(CVE-2022-35951) Executing a XAUTOCLAIM command on a stream key in a specific
state, with a specially crafted COUNT argument, may cause an integer overflow,
a subsequent heap overflow, and potentially lead to remote code execution.
The problem affects Redis versions 7.0.0 or newer
[reported by Xion (SeungHyun Lee) of KAIST GoN].

Please feel free to continue your upgrade to the latest stable (7.0.5).

Cheers,
Itamar
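For anyone doing the same upgrade audit across a fleet, the following is an added example (not code from the thread or from the Redis project) that turns the affected-version statement from the release notes above into a check: it parses the redis_version field out of `INFO server` output and reports whether the instance falls in the range the notes describe (7.0.0 up to but not including 7.0.5). The INFO text embedded below is a constructed sample, and the optional live check assumes the redis-py client is installed.

```python
import re

# Affected range taken from the Redis 7.0.5 release notes quoted above:
# CVE-2022-35951 affects 7.0.0 or newer; the fix ships in 7.0.5.
FIRST_AFFECTED = (7, 0, 0)
FIXED_IN = (7, 0, 5)

# Constructed sample of `INFO server` output; not captured from a real host.
SAMPLE_INFO = """# Server
redis_version:7.0.4
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 5.15.0 x86_64
"""


def parse_redis_version(info_text):
    """Return the redis_version field of INFO output as an (int, int, int) tuple."""
    match = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.MULTILINE)
    if not match:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(part) for part in match.groups())


def is_affected_by_cve_2022_35951(version):
    """True when version lies in [7.0.0, 7.0.5); 6.x and 7.0.5+ are not affected."""
    return FIRST_AFFECTED <= tuple(version) < FIXED_IN


def assess(info_text):
    """Summarise one instance: parsed version, affected flag, and the target release."""
    version = parse_redis_version(info_text)
    affected = is_affected_by_cve_2022_35951(version)
    return {
        "version": ".".join(str(p) for p in version),
        "affected": affected,
        "upgrade_to": ".".join(str(p) for p in FIXED_IN) if affected else None,
    }


def assess_live(host="127.0.0.1", port=6379):
    """Optional live check; assumes the redis-py package is available (hypothetical usage)."""
    import redis  # imported lazily so the offline functions above need no client library

    info = redis.Redis(host=host, port=port).info("server")
    # redis-py returns INFO as a dict, so rebuild the one line parse_redis_version expects.
    return assess("redis_version:%s\n" % info["redis_version"])


if __name__ == "__main__":
    print(assess(SAMPLE_INFO))
```

Run it against saved `INFO server` dumps, or call `assess_live()` per host; any result with `affected` set to True is an instance still on a 7.0.x build before the fix described in the release notes.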

Ankit Gupta

Oct 6, 2022, 4:49:09 AM
to Redis DB
Thanks Itamar :)