Date: Tue, 27 Jul 2021 10:25:08 GMT
From: Li-Wen Hsu <lwhsu@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: b40cccda5417 - main - security/vuxml: Document integer overflow vulnerability in redis
Message-ID: <202107271025.16RAP8WA061142@gitrepo.freebsd.org>
The branch main has been updated by lwhsu: URL: https://cgit.FreeBSD.org/ports/commit/?id=b40cccda5417dca36863966c90a3d1c7ac6e16e0 commit b40cccda5417dca36863966c90a3d1c7ac6e16e0 Author: Yasuhiro Kimura <yasu@utahime.org> AuthorDate: 2021-07-27 10:24:10 +0000 Commit: Li-Wen Hsu <lwhsu@FreeBSD.org> CommitDate: 2021-07-27 10:24:10 +0000 security/vuxml: Document integer overflow vulnerability in redis PR: 257325 --- security/vuxml/vuln-2021.xml | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index d9889781f7f0..b74438a36a02 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml 
@@ -1,3 +1,46 @@ + <vuln vid="c561ce49-eabc-11eb-9c3f-0800270512f4"> + <topic>redis -- Integer overflow issues with BITFIELD command on 32-bit systems</topic> + <affects> + <package> + <name>redis</name> + <range><lt>6.0.15</lt></range> + </package> + <package> + <name>redis-devel</name> + <range><lt>6.2.5</lt></range> + </package> + <package> + <name>redis5</name> + <range><lt>5.0.13</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Huang Zhw reports:</p> + <blockquote cite="https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj"> + <p> + On 32-bit versions, Redis BITFIELD command is vulnerable to integer + overflow that can potentially be exploited to corrupt the heap, + leak arbitrary heap contents or trigger remote code execution. + The vulnerability involves constructing specially crafted bit + commands which overflow the bit offset. + </p> + <p> + This problem only affects 32-bit versions of Redis. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-32761</cvename> + <url>https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj</url> + </references> + <dates> + <discovery>2021-07-04</discovery> + <entry>2021-07-27</entry> + </dates> + </vuln> + <vuln vid="ce79167f-ee1c-11eb-9785-b42e99a1b9c3"> <topic>powerdns -- remotely triggered crash</topic> <affects>
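Review bot: the `<discovery>2021-07-04</discovery>` date in the new entry has no traceable source: the only item under `<references>` is the GHSA advisory URL, and the quoted advisory text says nothing about when the issue was found, so a reader cannot tell where 2021-07-04 comes from. Either state the source of the date in the PR/commit message or add it (the upstream issue or release notes that carry it) as a second `<url>` under `<references>`. Minor: vuxml `<range>` elements carry no architecture qualifier, so pkg audit will flag every `redis` < 6.0.15, `redis-devel` < 6.2.5 and `redis5` < 5.0.13 install, on amd64 as well; the "on 32-bit systems" wording in `<topic>` and the quoted "This problem only affects 32-bit versions of Redis." paragraph are the only signal to the user that a 64-bit build is not exposed, so keep both rather than trimming the blockquote.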