Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package redis for openSUSE:Factory checked in at 2023-04-20 15:13:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/redis (Old)
 and      /work/SRC/openSUSE:Factory/.redis.new.2023 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "redis"

Thu Apr 20 15:13:38 2023 rev:88 rq:1080241 version:7.0.11

Changes:
--------
--- /work/SRC/openSUSE:Factory/redis/redis.changes      2023-03-03 22:24:37.882560977 +0100
+++ /work/SRC/openSUSE:Factory/.redis.new.2023/redis.changes    2023-04-20 15:14:11.557879533 +0200
@@ -1,0 +2,63 @@ +Mon Apr 17 17:14:26 UTC 2023 - Marcus Rueckert <mrueck...@suse.de> + +- redis 7.0.11 + - (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT + command to create an invalid hash field that will crash Redis + on access (boo#1210548) + - Add a missing fsync of AOF file in rare cases + - Disconnect pub-sub subscribers when revoking allchannels + permission + - Fix a compiler fortification induced crash when used with link + time optimizations +- Drop get-old-size-calculations.patch: + replaced with proper fix + +------------------------------------------------------------------- +Fri Mar 24 19:18:24 UTC 2023 - Marcus Rueckert <mrueck...@suse.de> + +- Added get-old-size-calculations.patch: + my workaround for https://github.com/redis/redis/issues/11965 + +------------------------------------------------------------------- +Mon Mar 20 21:22:02 UTC 2023 - Andreas Stieger <andreas.stie...@gmx.de> + +- redis 7.0.10 + * CVE-2023-28425: Specially crafted MSETNX command can lead to + assertion and denial-of-service (boo#1209528) + * Large blocks of replica client output buffer may lead to psync + loops and unnecessary memory usage + * Fix CLIENT REPLY OFF|SKIP to not silence push notifications + * Trim excessive memory usage in stream nodes when exceeding + `stream-node-max-bytes` + * Fix module RM_Call commands failing with OOM when maxmemory is + changed to zero + +------------------------------------------------------------------- +Mon Mar 20 21:16:24 UTC 2023 - Andreas Stieger <andreas.stie...@gmx.de> + +- redis 7.0.9 + * CVE-2023-25155: Specially crafted SRANDMEMBER, ZRANDMEMBER, and + HRANDFIELD commands can trigger an integer overflow, resulting + in a runtime assertion and termination of the Redis server + process. 
Previously patched, drop + Integer-Overflow-in-RAND-commands-can-lead-to-assert.patch + * CVE-2022-36021: String matching commands (like SCAN or KEYS) + with a specially crafted pattern to trigger a denial-of-service + attack on Redis, causing it to hang and consume 100% CPU time. + Previously upatched, drop + String-pattern-matching-had-exponential-time-complex.patch + * Fix a crash when reaching the maximum invalidations limit of + client-side tracking + * Fix a crash when SPUBLISH is used after passing the + cluster-link-sendbuf-limit + * Fix possible memory corruption in FLUSHALL when a client + watches more than one key + * Fix cluster inbound link keepalive time + * Flush propagation list in active-expire of writable replicas to + fix an assertion + * Avoid propagating DEL of lazy expire from SCAN and RANDOMKEY as + MULTI-EXEC + * Avoid realloc to reduce size of strings when it is unneeded + * Improve CLUSTER SLOTS reply efficiency for non-continuous slots + +------------------------------------------------------------------- Old: ---- Integer-Overflow-in-RAND-commands-can-lead-to-assert.patch String-pattern-matching-had-exponential-time-complex.patch redis-7.0.8.tar.gz New: ---- redis-7.0.11.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ redis.spec ++++++ --- /var/tmp/diff_new_pack.tUQoDn/_old 2023-04-20 15:14:12.229882615 +0200 +++ /var/tmp/diff_new_pack.tUQoDn/_new 2023-04-20 15:14:12.237882651 +0200 @@ -20,7 +20,7 @@ %define _log_dir %{_localstatedir}/log/%{name} %define _conf_dir %{_sysconfdir}/%{name} Name: redis -Version: 7.0.8 +Version: 7.0.11 Release: 0 Summary: Persistent key-value database License: BSD-3-Clause 
@@ -40,10 +40,6 @@ Patch0: %{name}-conf.patch Patch3: reproducible.patch Patch4: ppc-atomic.patch -# PATCH-FIX-UPSTREAM -- based on commit 0825552 (bsc#1208790 CVE-2022-36021) -Patch5: String-pattern-matching-had-exponential-time-complex.patch -# PATCH-FIX-UPSTREAM -- based on commit 2a2a582 (bsc#1208793 CVE-2023-25155) -Patch6: Integer-Overflow-in-RAND-commands-can-lead-to-assert.patch BuildRequires: jemalloc-devel BuildRequires: libopenssl-devel >= 1.1.1 BuildRequires: pkgconfig @@ -71,8 +67,6 @@ %patch0 %patch3 -p1 %patch4 -p1 -%patch5 -p1 -%patch6 -p1 %build export HOST=OBS # for reproducible builds ++++++ redis-7.0.8.tar.gz -> redis-7.0.11.tar.gz ++++++ ++++ 2655 lines of diff (skipped) ++++++ redis.hashes ++++++ --- /var/tmp/diff_new_pack.tUQoDn/_old 2023-04-20 15:14:12.841885421 +0200 +++ /var/tmp/diff_new_pack.tUQoDn/_new 2023-04-20 15:14:12.845885440 +0200 
@@ -148,4 +148,13 @@ hash redis-7.0.7.tar.gz sha256 8d327d7e887d1bb308fc37aaf717a0bf79f58129e3739069aaeeae88955ac586 http://download.redis.io/releases/redis-7.0.7.tar.gz hash redis-7.0.8.tar.gz sha256 06a339e491306783dcf55b97f15a5dbcbdc01ccbde6dc23027c475cab735e914 http://download.redis.io/releases/redis-7.0.8.tar.gz hash redis-6.2.9.tar.gz sha256 9661b2c6b1cc9bf2999471b37a4d759fa5e747d408142c18af8792ebd8384a2a http://download.redis.io/releases/redis-6.2.9.tar.gz +hash redis-6.0.17.tar.gz sha256 ad50bf7c6bf98d7bf3c626bdd5588368f52c82c8d41869cca024455f651e7bfc http://download.redis.io/releases/redis-6.0.17.tar.gz +hash redis-6.2.10.tar.gz sha256 22684f66d272379b91e3e53693918b535e2a6e54b9d14e1cad171658e0eefeca http://download.redis.io/releases/redis-6.2.10.tar.gz +hash redis-6.0.18.tar.gz sha256 d7b4f2a97fcab96727284092b0a4aa854af47d570803fa0e7a0345359743836e http://download.redis.io/releases/redis-6.0.18.tar.gz +hash redis-6.2.11.tar.gz sha256 8c75fb9cdd01849e92c23f30cb7fe205ea0032a38d11d46af191014e9acc3098 http://download.redis.io/releases/redis-6.2.11.tar.gz +hash redis-7.0.9.tar.gz sha256 f77135c2a47c9151d4028bfea3b34470ab4d324d1484f79a84c6f32a3cfb9f65 http://download.redis.io/releases/redis-7.0.9.tar.gz +hash redis-7.0.10.tar.gz sha256 1dee4c6487341cae7bd6432ff7590906522215a061fdef87c7d040a0cb600131 http://download.redis.io/releases/redis-7.0.10.tar.gz +hash redis-7.0.11.tar.gz sha256 ce250d1fba042c613de38a15d40889b78f7cb6d5461a27e35017ba39b07221e3 http://download.redis.io/releases/redis-7.0.11.tar.gz +hash redis-6.2.12.tar.gz sha256 75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b http://download.redis.io/releases/redis-6.2.12.tar.gz +hash redis-6.0.19.tar.gz sha256 55e26318c3d9c53a77a6e802f60524afdddd057a2e965cebcf781a0a72f0e3e6 http://download.redis.io/releases/redis-6.0.19.tar.gz
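Review bot: in the redis.changes hunk, the CVE-2022-36021 entry of the 7.0.9 block reads "Previously upatched, drop String-pattern-matching-had-exponential-time-complex.patch", while the parallel CVE-2023-25155 entry reads "Previously patched, drop Integer-Overflow-in-RAND-commands-can-lead-to-assert.patch"; "upatched" is a typo for "patched" and should be fixed before the changes file is committed. In the same hunk, the Apr 17 entry drops get-old-size-calculations.patch and the Mar 24 entry adds it, but neither the Old: file list nor the redis.spec diff (which only removes Patch5 and Patch6) shows that file in the Factory package, so the entry should say where the patch was carried, otherwise the Factory changelog refers to a file that never appears in this submission.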
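Review bot: in the redis.spec hunk at @@ -40,10 +40,6 @@, removing Patch5 and Patch6 together with their PATCH-FIX-UPSTREAM comments is consistent with the changes file (7.0.9 carries the upstream fixes for CVE-2022-36021 and CVE-2023-25155) and with the Old: list, but the comments were the only place in the spec that tied those fixes to bsc#1208790 and bsc#1208793; the 7.0.9 changelog entry lists only the CVE IDs and patch names, so add the bug numbers there, as the 7.0.10 and 7.0.11 entries do with boo#1209528 and boo#1210548, so the security tracker can still link the bugs to the release that fixed them.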
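Review bot: in the redis.spec hunk at @@ -71,8 +67,6 @@, dropping "%patch5 -p1" and "%patch6 -p1" from %prep mirrors the removed Patch5/Patch6 declarations, so the spec stays consistent; as a style point in the unchanged context, "%patch0" is applied without a -p level while %patch3 and %patch4 use -p1, which predates this change but is worth normalizing in a follow-up so the patch levels are explicit for every patch.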
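Review bot: in the redis.hashes hunk, only the redis-7.0.11.tar.gz line is needed for this update, yet the hunk also adds 6.0.17, 6.0.18, 6.0.19, 6.2.10, 6.2.11, 6.2.12, 7.0.9 and 7.0.10, versions this spec does not build; if the extra lines are kept because the file mirrors upstream's published list, say so in the changes file. The download URLs are plain http://, so transport provides no integrity and the sha256 digest on each line is the only check; before merging, compare the redis-7.0.11 digest (ce250d1fba042c613de38a15d40889b78f7cb6d5461a27e35017ba39b07221e3) against the digest of the redis-7.0.11.tar.gz submitted in this request and against upstream's published value, since a wrong entry here would pin a tarball the package can never verify.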