Bug 1213382 (CVE-2021-31294)

Summary: VUL-0: CVE-2021-31294: redis: crash in with command
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Leroy <thomas.leroy>
Component: IncidentsAssignee: Danilo Spinella <danilo.spinella>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/372626/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Leroy 2023-07-17 08:40:32 UTC 
CVE-2021-31294

Redis before 6cbea7d allows a replica to cause an assertion failure in a primary
server by sending a non-administrative command (specifically, a SET command).
NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were
not intended to have safety guarantees related to this.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31294
https://www.cve.org/CVERecord?id=CVE-2021-31294
http://www.cvedetails.com/cve/CVE-2021-31294/
https://github.com/redis/redis/commit/46f4ebbe842620f0976a36741a72482620aa4b48
https://github.com/redis/redis/commit/6cbea7d29b5285692843bc1c351abba1a7ef326f
https://github.com/redis/redis/issues/8712
Comment 1 Thomas Leroy 2023-07-17 08:42:06 UTC 
Bug was introduced in 6.2-rc2. 15-SP2 is not affected and 15-SP4 and  SUSE:ALP:Source:Standard:1.0 are already fixed. Closing