Red Hat Product Errata RHSA-2024:10869 - Security Advisory
Issued:
2024-12-05
Updated:
2024-12-05

RHSA-2024:10869 - Security Advisory

Synopsis

Moderate: redis:7 security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for the redis:7 module is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.

Security Fix(es):

  • redis: Redis SORT_RO may bypass ACL configuration (CVE-2023-41053)
  • redis: possible bypass of Unix socket permissions on startup (CVE-2023-45145)
  • redis: Denial-of-service due to malformed ACL selectors in Redis (CVE-2024-31227)
  • redis: Lua library commands may lead to stack overflow and RCE in Redis (CVE-2024-31449)
  • redis: Denial-of-service due to unbounded pattern matching in Redis (CVE-2024-31228)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 9 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 9 s390x
  • Red Hat Enterprise Linux for Power, little endian 9 ppc64le
  • Red Hat Enterprise Linux for ARM 64 9 aarch64

Fixes

  • BZ - 2237826 - CVE-2023-41053 redis: Redis SORT_RO may bypass ACL configuration
  • BZ - 2244940 - CVE-2023-45145 redis: possible bypass of Unix socket permissions on startup
  • BZ - 2317053 - CVE-2024-31227 redis: Denial-of-service due to malformed ACL selectors in Redis
  • BZ - 2317056 - CVE-2024-31449 redis: Lua library commands may lead to stack overflow and RCE in Redis
  • BZ - 2317058 - CVE-2024-31228 redis: Denial-of-service due to unbounded pattern matching in Redis
  • RHEL-26628 - Rebase redis 7

Red Hat Enterprise Linux for x86_64 9

SRPM
redis-7.2.6-1.module+el9.5.0+22422+63e067d8.src.rpm SHA-256: fda2f495d19506595f70293f63ed83a7f243c883138392aed670c9f27f708c9f
x86_64
redis-doc-7.2.6-1.module+el9.5.0+22422+63e067d8.noarch.rpm SHA-256: f2738a5dd69757ed71bb639f4ccbff6fa5d0c879cf3626ba880e9d2b62e88414
redis-7.2.6-1.module+el9.5.0+22422+63e067d8.x86_64.rpm SHA-256: 56410d196fefa90cf9100a6b16715fb4fac0c7ab1e225272778fe40859fa35d2
redis-debuginfo-7.2.6-1.module+el9.5.0+22422+63e067d8.x86_64.rpm SHA-256: f4067902352149ae8a5e011dc57bdc88bc5fd37f685b94f5502d92206bf73a67
redis-debugsource-7.2.6-1.module+el9.5.0+22422+63e067d8.x86_64.rpm SHA-256: 13a6f4950853537d0bbf221c1300de522f8741b6d48baa48069cbdad98cdd1dd
redis-devel-7.2.6-1.module+el9.5.0+22422+63e067d8.x86_64.rpm SHA-256: f97cc5cd8af5cde4a345be2b6f920d73fa4020cbc4a8b4547fb80aadce673db7

Red Hat Enterprise Linux for IBM z Systems 9

SRPM
redis-7.2.6-1.module+el9.5.0+22422+63e067d8.src.rpm SHA-256: fda2f495d19506595f70293f63ed83a7f243c883138392aed670c9f27f708c9f
s390x
redis-doc-7.2.6-1.module+el9.5.0+22422+63e067d8.noarch.rpm SHA-256: f2738a5dd69757ed71bb639f4ccbff6fa5d0c879cf3626ba880e9d2b62e88414
redis-7.2.6-1.module+el9.5.0+22422+63e067d8.s390x.rpm SHA-256: 0baed2ed982fe3cafdeeb85a2e6c68ccf4e75ed87a14f8506bd996b1f32dfa8f
redis-debuginfo-7.2.6-1.module+el9.5.0+22422+63e067d8.s390x.rpm SHA-256: d287a1be2ddf5618169b2cd684c85ff3110c820377773afebdb04da03c81bd6b
redis-debugsource-7.2.6-1.module+el9.5.0+22422+63e067d8.s390x.rpm SHA-256: b2de080a8e4d04108524d832a4d80883e8f70f912fb8ed76b02a6513fffa5528
redis-devel-7.2.6-1.module+el9.5.0+22422+63e067d8.s390x.rpm SHA-256: 76c0daab975798a975737272820777f58b73298907b6cc51f6ff4c8a8b4e9473

Red Hat Enterprise Linux for Power, little endian 9

SRPM
redis-7.2.6-1.module+el9.5.0+22422+63e067d8.src.rpm SHA-256: fda2f495d19506595f70293f63ed83a7f243c883138392aed670c9f27f708c9f
ppc64le
redis-doc-7.2.6-1.module+el9.5.0+22422+63e067d8.noarch.rpm SHA-256: f2738a5dd69757ed71bb639f4ccbff6fa5d0c879cf3626ba880e9d2b62e88414
redis-7.2.6-1.module+el9.5.0+22422+63e067d8.ppc64le.rpm SHA-256: 2245025afe696101d0e5873135056f03fad5def683ac5bd357de06d793015c8c
redis-debuginfo-7.2.6-1.module+el9.5.0+22422+63e067d8.ppc64le.rpm SHA-256: f88ea3ba75ff9c6530275d1eb44505a4450b8e26f56b1972b934392b6388415e
redis-debugsource-7.2.6-1.module+el9.5.0+22422+63e067d8.ppc64le.rpm SHA-256: 7a745ca9984b0827a404e0a3b35991e77654fcacfced372b9316da6994785c75
redis-devel-7.2.6-1.module+el9.5.0+22422+63e067d8.ppc64le.rpm SHA-256: 649d9d179cd6c035813acdc8ce0073aba22ae954b8a8df7d613bd03172abe0ba

Red Hat Enterprise Linux for ARM 64 9

SRPM
redis-7.2.6-1.module+el9.5.0+22422+63e067d8.src.rpm SHA-256: fda2f495d19506595f70293f63ed83a7f243c883138392aed670c9f27f708c9f
aarch64
redis-7.2.6-1.module+el9.5.0+22422+63e067d8.aarch64.rpm SHA-256: c618f5f08d671369e59d8ad9eb2169cfe82d3ad935f860de1d74ae39330aab03
redis-debuginfo-7.2.6-1.module+el9.5.0+22422+63e067d8.aarch64.rpm SHA-256: ec2292efc694937c649d72fbc0643401d0dfb9bf6464e28912974e591810038b
redis-debugsource-7.2.6-1.module+el9.5.0+22422+63e067d8.aarch64.rpm SHA-256: 4fd0cc07dd3883e4f59c8eb8d0ddf89bda3c707183798544812e496a0a407c16
redis-devel-7.2.6-1.module+el9.5.0+22422+63e067d8.aarch64.rpm SHA-256: deccac9a62a1e679ffdacbc228d7f729d49c59735e03a37aa80d62be91dc727a
redis-doc-7.2.6-1.module+el9.5.0+22422+63e067d8.noarch.rpm SHA-256: f2738a5dd69757ed71bb639f4ccbff6fa5d0c879cf3626ba880e9d2b62e88414

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.