Security update for redis SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:0274-1 Final 1 1 2023-02-06T16:17:58Z current 2023-02-06T16:17:58Z 2023-02-06T16:17:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for redis This update for redis fixes the following issues: - CVE-2022-35977: Fixed an integer overflow that could allow authenticated users to cause a crash (bsc#1207202). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-274,SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-274,SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-274,SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-274,SUSE-SLE-Product-RT-15-SP3-2023-274,SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-274,SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-274,SUSE-SLE-Product-SLES_SAP-15-SP2-2023-274,SUSE-SLE-Product-SLES_SAP-15-SP3-2023-274,SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2023-274,SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.2-2023-274,SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-274,SUSE-Storage-7-2023-274,SUSE-Storage-7.1-2023-274 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20230274-1/ Link for SUSE-SU-2023:0274-1 https://lists.suse.com/pipermail/sle-security-updates/2023-February/013631.html E-Mail link for SUSE-SU-2023:0274-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1207202 SUSE Bug 1207202 https://www.suse.com/security/cve/CVE-2022-35977/ SUSE CVE CVE-2022-35977 page SUSE Enterprise Storage 7 SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.2 redis-6.0.14-150200.6.17.1 redis-6.0.14-150200.6.17.1 as a component of SUSE Enterprise Storage 7 redis-6.0.14-150200.6.17.1 as a component of SUSE Enterprise Storage 7.1 redis-6.0.14-150200.6.17.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS redis-6.0.14-150200.6.17.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS redis-6.0.14-150200.6.17.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS redis-6.0.14-150200.6.17.1 as a component of SUSE Linux Enterprise Real Time 15 SP3 redis-6.0.14-150200.6.17.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS redis-6.0.14-150200.6.17.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS redis-6.0.14-150200.6.17.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 redis-6.0.14-150200.6.17.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 redis-6.0.14-150200.6.17.1 as a component of SUSE Manager Proxy 4.2 redis-6.0.14-150200.6.17.1 as a component of SUSE Manager Retail Branch Server 4.2 redis-6.0.14-150200.6.17.1 as a component of SUSE Manager Server 4.2 Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SETRANGE` and `SORT(_RO)` commands can trigger an integer overflow, resulting with Redis attempting to allocate impossible amounts of memory and abort with an out-of-memory (OOM) panic. The problem is fixed in Redis versions 7.0.8, 6.2.9 and 6.0.17. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2022-35977 SUSE Enterprise Storage 7.1:redis-6.0.14-150200.6.17.1 SUSE Enterprise Storage 7:redis-6.0.14-150200.6.17.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:redis-6.0.14-150200.6.17.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:redis-6.0.14-150200.6.17.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:redis-6.0.14-150200.6.17.1 SUSE Linux Enterprise Real Time 15 SP3:redis-6.0.14-150200.6.17.1 SUSE Linux Enterprise Server 15 SP2-LTSS:redis-6.0.14-150200.6.17.1 SUSE Linux Enterprise Server 15 SP3-LTSS:redis-6.0.14-150200.6.17.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:redis-6.0.14-150200.6.17.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:redis-6.0.14-150200.6.17.1 SUSE Manager Proxy 4.2:redis-6.0.14-150200.6.17.1 SUSE Manager Retail Branch Server 4.2:redis-6.0.14-150200.6.17.1 SUSE Manager Server 4.2:redis-6.0.14-150200.6.17.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230274-1/ https://www.suse.com/security/cve/CVE-2022-35977.html CVE-2022-35977 https://bugzilla.suse.com/1207202 SUSE Bug 1207202