On 12 Mar 22:19, Theo Buehler wrote:
> Released earlier today. According to the changelog [1]:
> 
> Upgrade urgency HIGH: This release fixes security issues.
> 
> HIGH means that there is a critical bug that affects a subset of users.
> I'm unsure which one of the listed bugs that is, though.
> 
> The source diff to 5.0.7 is relatively small and there should not be any
> fallout from backwards-incompatible changes.
> 
> The new hunk in src/Makefile fixes the build on armv7 (the resulting
> redis-server binary is still completely broken).  I added a fix for a
> small 32-bit time_t truncation issue in src/networking.c.
> 
> Built and regress tests run successfully on amd64, macppc and sparc64.
> Some further light testing on amd64 with some toy databases.
> 
> [1]: https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
> 
> Index: Makefile
> ===================================================================
> RCS file: /var/cvs/ports/databases/redis/Makefile,v
> retrieving revision 1.109
> diff -u -p -r1.109 Makefile
> --- Makefile  11 Feb 2020 08:11:13 -0000      1.109
> +++ Makefile  12 Mar 2020 19:15:42 -0000
> @@ -1,7 +1,7 @@
>  # $OpenBSD: Makefile,v 1.109 2020/02/11 08:11:13 tb Exp $
>  
>  COMMENT =            persistent key-value database
> -DISTNAME =           redis-5.0.7
> +DISTNAME =           redis-5.0.8
>  CATEGORIES =         databases
>  HOMEPAGE =           https://redis.io/
>  
> Index: distinfo
> ===================================================================
> RCS file: /var/cvs/ports/databases/redis/distinfo,v
> retrieving revision 1.84
> diff -u -p -r1.84 distinfo
> --- distinfo  11 Feb 2020 08:11:13 -0000      1.84
> +++ distinfo  12 Mar 2020 19:17:51 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (redis-5.0.7.tar.gz) = Ydt06r9oAfBX/SS1kCMvLzN9QiKA/RlIbsoDvofTqCs=
> -SIZE (redis-5.0.7.tar.gz) = 1984203
> +SHA256 (redis-5.0.8.tar.gz) = 88fqxC9DMyao2YG1DboBaf369Gq7I/zaL5M6dVLuTtc=
> +SIZE (redis-5.0.8.tar.gz) = 1985757
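Review bot: the distinfo hunk is the only integrity anchor the port has for the fetched tarball, so confirm the new SHA256 for redis-5.0.8.tar.gz came from a fresh `make makesum` against the upstream download rather than being copied from a mirror or a third-party post; the size change (1984203 to 1985757 bytes) is consistent with the small source diff the message describes, but size alone says nothing about integrity.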
> Index: patches/patch-src_Makefile
> ===================================================================
> RCS file: /var/cvs/ports/databases/redis/patches/patch-src_Makefile,v
> retrieving revision 1.30
> diff -u -p -r1.30 patch-src_Makefile
> --- patches/patch-src_Makefile        11 Feb 2020 08:11:13 -0000      1.30
> +++ patches/patch-src_Makefile        12 Mar 2020 19:57:00 -0000
> @@ -28,7 +28,16 @@ Index: src/Makefile
>   endif
>   endif
>   
> -@@ -127,7 +128,7 @@ endif
> +@@ -82,7 +83,7 @@ ifneq (,$(filter aarch64 armv,$(uname_M)))
> +         FINAL_LIBS+=-latomic
> + else
> + ifneq (,$(findstring armv,$(uname_M)))
> +-        FINAL_LIBS+=-latomic
> ++#        FINAL_LIBS+=-latomic
> + endif
> + endif
> + 
> +@@ -136,7 +137,7 @@ endif
>   endif
>   endif
>   # Include paths to dependencies
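Review bot: in the new `@@ -82,7 +83,7 @@` part of this hunk, `FINAL_LIBS+=-latomic` in the `findstring armv` branch is commented out (`+#        FINAL_LIBS+=-latomic`) rather than deleted, and neither the patch file nor the message records why it is dropped only there while the `filter aarch64 armv` branch directly above keeps it; add a one-line comment under the Index: src/Makefile header in patch-src_Makefile giving the reason so the next update does not silently revert it. Since the message states the resulting redis-server is still completely broken on armv7, fixing the build alone produces a package that does not run; consider marking the port broken for armv7 in the port Makefile until that is understood.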
> @@ -37,7 +46,7 @@ Index: src/Makefile
>   
>   ifeq ($(MALLOC),tcmalloc)
>       FINAL_CFLAGS+= -DUSE_TCMALLOC
> -@@ -165,6 +166,7 @@ endif
> +@@ -174,6 +175,7 @@ endif
>   REDIS_SERVER_NAME=redis-server
>   REDIS_SENTINEL_NAME=redis-sentinel
>   REDIS_SERVER_OBJ=adlist.o quicklist.o ae.o anet.o dict.o server.o sds.o 
> zmalloc.o lzf_c.o lzf_d.o pqsort.o zipmap.o sha1.o ziplist.o release.o 
> networking.o util.o object.o db.o replication.o rdb.o t_string.o t_list.o 
> t_set.o t_zset.o t_hash.o config.o aof.o pubsub.o multi.o debug.o sort.o 
> intset.o syncio.o cluster.o crc16.o endianconv.o slowlog.o scripting.o bio.o 
> rio.o rand.o memtest.o crc64.o bitops.o sentinel.o notify.o setproctitle.o 
> blocked.o hyperloglog.o latency.o sparkline.o redis-check-rdb.o 
> redis-check-aof.o geo.o lazyfree.o module.o evict.o expire.o geohash.o 
> geohash_helper.o childinfo.o defrag.o siphash.o rax.o t_stream.o listpack.o 
> localtime.o lolwut.o lolwut5.o
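Review bot: this hunk and the ones that follow only shift upstream line offsets (`-165,6 +166,7` to `-174,6 +175,7` and so on) with no content change, which is fine, but the `REDIS_SERVER_OBJ=` context line has been wrapped by the mail client across several lines here, so anyone feeding this mail to patch(1) will get the hunk rejected; take the diff from a fresh `cvs diff` or the committed tree rather than from the message body when testing.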
> @@ -45,7 +54,7 @@ Index: src/Makefile
>   REDIS_CLI_NAME=redis-cli
>   REDIS_CLI_OBJ=anet.o adlist.o dict.o redis-cli.o zmalloc.o release.o anet.o 
> ae.o crc64.o siphash.o crc16.o
>   REDIS_BENCHMARK_NAME=redis-benchmark
> -@@ -216,7 +218,7 @@ endif
> +@@ -225,7 +227,7 @@ endif
>   
>   # redis-server
>   $(REDIS_SERVER_NAME): $(REDIS_SERVER_OBJ)
> @@ -54,7 +63,7 @@ Index: src/Makefile
>   
>   # redis-sentinel
>   $(REDIS_SENTINEL_NAME): $(REDIS_SERVER_NAME)
> -@@ -259,7 +261,7 @@ distclean: clean
> +@@ -268,7 +270,7 @@ distclean: clean
>   .PHONY: distclean
>   
>   test: $(REDIS_SERVER_NAME) $(REDIS_CHECK_AOF_NAME)
> @@ -63,7 +72,7 @@ Index: src/Makefile
>   
>   test-sentinel: $(REDIS_SENTINEL_NAME)
>       @(cd ..; ./runtest-sentinel)
> -@@ -303,13 +305,14 @@ src/help.h:
> +@@ -312,13 +314,14 @@ src/help.h:
>       @../utils/generate-command-help.rb > help.h
>   
>   install: all
> Index: patches/patch-src_networking_c
> ===================================================================
> RCS file: patches/patch-src_networking_c
> diff -N patches/patch-src_networking_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_networking_c    12 Mar 2020 19:59:42 -0000
> @@ -0,0 +1,14 @@
> +$OpenBSD$
> +
> +Index: src/networking.c
> +--- src/networking.c.orig
> ++++ src/networking.c
> +@@ -1939,7 +1939,7 @@ void securityWarningCommand(client *c) {
> +     static time_t logged_time;
> +     time_t now = time(NULL);
> + 
> +-    if (labs(now-logged_time) > 60) {
> ++    if (llabs(now-logged_time) > 60) {
> +         serverLog(LL_WARNING,"Possible SECURITY ATTACK detected. It looks 
> like somebody is sending POST or Host: commands to Redis. This is likely due 
> to an attacker attempting to use Cross Protocol Scripting to compromise your 
> Redis instance. Connection aborted.");
> +         logged_time = now;
> +     }
> 
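Review bot: the new patch-src_networking_c carries only the bare `$OpenBSD$` tag; OpenBSD port patches normally explain themselves in a line or two under it, so add something like "time_t is 64-bit on all OpenBSD archs; labs() truncates the difference where long is 32-bit" and say whether it has been sent upstream, since this is a portability bug rather than an OpenBSD-only one. The change itself is right: `now - logged_time` is a time_t difference and llabs() takes long long, so the full value reaches the `> 60` throttle comparison instead of a value converted through a 32-bit long first.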

Hi Theo,

just "back ported" redis to 6.6 and it works like a charm on amd64 (except 
sentinel which segfaults - but it did also on 4.0.14).

Kind regards

Uwe
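The 32-bit time_t truncation that the networking.c patch addresses, as an added illustration that is not Theo's code or Redis's own: OpenBSD's time_t is 64-bit on every architecture, so on a 32-bit architecture where long is 32 bits, labs() receives a difference that has already been converted to 32 bits. labs32() is an assumed helper that emulates that conversion on a 64-bit host, and the timestamp pairs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define LOG_INTERVAL 60  /* securityWarningCommand() logs at most once a minute */

/* Emulates labs() on a target with 32-bit long and 64-bit time_t:
 * the 64-bit difference is converted to a 32-bit long first.
 * The out-of-range conversion is implementation-defined in C; GCC and
 * Clang wrap modulo 2^32, which is what this helper models. */
static int64_t labs32(int64_t diff)
{
    int32_t as_long = (int32_t)diff;
    return as_long < 0 ? -(int64_t)as_long : (int64_t)as_long;
}

/* Throttle check as written before the patch, under a 32-bit long. */
int should_log_labs(int64_t now, int64_t logged_time)
{
    return labs32(now - logged_time) > LOG_INTERVAL;
}

/* Throttle check after the patch: llabs() keeps all 64 bits. */
int should_log_llabs(int64_t now, int64_t logged_time)
{
    return llabs((long long)(now - logged_time)) > LOG_INTERVAL;
}

int main(void)
{
    /* Constructed (logged_time, now) pairs; logged_time starts at 0 because
     * the static in the Redis source is zero-initialised. */
    const int64_t cases[][2] = {
        { 0, 30 },                              /* inside the interval: suppressed */
        { 0, 61 },                              /* just past it: logged */
        { 0, (INT64_C(1) << 32) + 10 },         /* diff wraps to 10 under labs32 */
        { 100, 100 + (INT64_C(1) << 32) - 10 }, /* diff wraps to -10 under labs32 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int64_t logged = cases[i][0], now = cases[i][1];
        printf("diff=%lld labs32=%d llabs=%d\n",
               (long long)(now - logged),
               should_log_labs(now, logged),
               should_log_llabs(now, logged));
    }
    return 0;
}
```

The last two rows show the failure mode: a difference of just over 2^32 seconds looks like a 10-second gap to the truncating version, so the warning is suppressed where the patched check logs it.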
