1213382 – (CVE-2021-31294) VUL-0: CVE-2021-31294: redis: crash in with command

Bug 1213382 (CVE-2021-31294) - VUL-0: CVE-2021-31294: redis: crash in with command

Summary: VUL-0: CVE-2021-31294: redis: crash in with command

Status:	RESOLVED FIXED

Alias:	CVE-2021-31294

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Normal
Target Milestone:	---
Assignee:	Danilo Spinella
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/372626/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-07-17 08:40 UTC by Thomas Leroy
Modified:	2023-07-17 08:42 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Leroy 2023-07-17 08:40:32 UTC

CVE-2021-31294

Redis before 6cbea7d allows a replica to cause an assertion failure in a primary
server by sending a non-administrative command (specifically, a SET command).
NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were
not intended to have safety guarantees related to this.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31294
https://www.cve.org/CVERecord?id=CVE-2021-31294
http://www.cvedetails.com/cve/CVE-2021-31294/
https://github.com/redis/redis/commit/46f4ebbe842620f0976a36741a72482620aa4b48
https://github.com/redis/redis/commit/6cbea7d29b5285692843bc1c351abba1a7ef326f
https://github.com/redis/redis/issues/8712

Comment 1 Thomas Leroy 2023-07-17 08:42:06 UTC

Bug was introduced in 6.2-rc2. 15-SP2 is not affected and 15-SP4 and  SUSE:ALP:Source:Standard:1.0 are already fixed. Closing