openSUSE 15 Security Update : redis (openSUSE-SU-2021:2294-1)


The remote SUSE Linux SUSE15 host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2021:2294-1 advisory.

- Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer (on 32-bit systems ONLY) can be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix for CVE-2021-29477, which only addresses the problem on 64-bit systems but fails to do so for 32-bit. 64-bit systems are not affected. The problem is fixed in versions 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the `redis-server` executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command. (CVE-2021-32625)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
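As an added example (not part of the Nessus plugin or the openSUSE advisory), the following Python helper turns the advisory's affected-version and word-size conditions into a triage check and prints the interim ACL mitigation. It assumes the `redis-server --version` banner carries `v=X.Y.Z` and `bits=N` fields; the sample banners are constructed, and treating a 6.1.x development build like pre-6.2.4 is an assumption.

```python
import re
from typing import Tuple

# Constructed sample banners in the shape `redis-server --version` prints
# (assumption: the "v=" and "bits=" fields appear as in upstream builds).
SAMPLE_BANNERS = {
    "32-bit 6.0.9": "Redis server v=6.0.9 sha=00000000:0 malloc=jemalloc-5.1.0 bits=32 build=deadbeef",
    "64-bit 6.0.9": "Redis server v=6.0.9 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=deadbeef",
    "32-bit 6.2.3": "Redis server v=6.2.3 sha=00000000:0 malloc=jemalloc-5.1.0 bits=32 build=deadbeef",
    "32-bit 6.2.4": "Redis server v=6.2.4 sha=00000000:0 malloc=jemalloc-5.1.0 bits=32 build=deadbeef",
}

def parse_banner(banner: str) -> Tuple[Tuple[int, int, int], int]:
    """Extract (major, minor, patch) and the word size from a version banner."""
    m = re.search(r"\bv=(\d+)\.(\d+)\.(\d+)\b.*\bbits=(\d+)\b", banner)
    if m is None:
        raise ValueError(f"unrecognised redis-server banner: {banner!r}")
    return (int(m[1]), int(m[2]), int(m[3])), int(m[4])

def is_affected(version: Tuple[int, int, int], bits: int) -> bool:
    """CVE-2021-32625 as the advisory states it: Redis 6.0 or newer, 32-bit
    builds only, fixed in 6.0.14 (6.0 branch) and 6.2.4 (6.2 branch).
    Assumption: a 6.1.x development build is treated like pre-6.2.4."""
    if bits != 32 or version < (6, 0, 0):
        return False
    if version[:2] == (6, 0):
        return version < (6, 0, 14)
    return version < (6, 2, 4)

def acl_workaround(user: str = "default") -> str:
    """Interim mitigation from the advisory: deny STRALGO (LCS is its only
    subcommand in 6.x) without patching redis-server. Redis 6 ACL rules
    cannot deny a single subcommand, so the whole command is removed."""
    return f"ACL SETUSER {user} -stralgo"

def triage(banner: str) -> str:
    """Turn one banner into a one-line verdict for a patching ticket."""
    version, bits = parse_banner(banner)
    v = ".".join(map(str, version))
    if not is_affected(version, bits):
        return f"not affected: Redis {v} ({bits}-bit)"
    fixed = "6.0.14" if version[:2] == (6, 0) else "6.2.4"
    return (f"AFFECTED: Redis {v} ({bits}-bit); upgrade to {fixed} or later, "
            f"or apply the interim ACL rule: {acl_workaround()}")

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label}: {triage(banner)}")
```

The ACL rule is applied per user; a Nessus finding should still be closed by upgrading, since the version check, not the ACL state, is what the plugin reports on.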