redis-7.0.12-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13047 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z redis-7.0.12-1.1 on GA media These are all security issues fixed in the redis-7.0.12-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13047 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13047 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-24834/ SUSE CVE CVE-2022-24834 page https://www.suse.com/security/cve/CVE-2023-36824/ SUSE CVE CVE-2023-36824 page openSUSE Tumbleweed redis-7.0.12-1.1 redis-7.0.12-1.1 as a component of openSUSE Tumbleweed Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20. CVE-2022-24834 openSUSE Tumbleweed:redis-7.0.12-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-24834.html CVE-2022-24834 https://bugzilla.suse.com/1213193 SUSE Bug 1213193 Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Several scenarios that may lead to authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`and authenticated users who were set with ACL rules that match key names, executing a specially crafted command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12. CVE-2023-36824 openSUSE Tumbleweed:redis-7.0.12-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-36824.html CVE-2023-36824 https://bugzilla.suse.com/1213249 SUSE Bug 1213249