commit redis for openSUSE:Factory
Hello community,
here is the log from the commit of package redis for openSUSE:Factory checked in at 2016-10-24 14:44:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/redis (Old)
and /work/SRC/openSUSE:Factory/.redis.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "redis"
Changes:
--------
--- /work/SRC/openSUSE:Factory/redis/redis.changes 2016-08-09 22:15:02.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.redis.new/redis.changes 2016-10-24 14:44:56.000000000 +0200
@@ -1,0 +2,13 @@
+Mon Oct 24 08:39:02 UTC 2016 - astieger@suse.com
+
+- update to redis 3.2.4, including fixes for security issues:
+ * CVE-2016-8339: CONFIG SET client-output-buffer-limit Code
+ Execution Vulnerability [boo#1002351]
+- bug fixes:
+ * TCP binding bug fixed when only certain addresses were available
+ for a given port
+ * improved crash report
+ * Fix for Redis Cluster redis-trib displaying of info after
+ creating a new cluster.
+
+-------------------------------------------------------------------
Old:
----
redis-3.2.3.tar.gz
New:
----
redis-3.2.4.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ redis.spec ++++++
--- /var/tmp/diff_new_pack.7bfKoy/_old 2016-10-24 14:44:58.000000000 +0200
+++ /var/tmp/diff_new_pack.7bfKoy/_new 2016-10-24 14:44:58.000000000 +0200
@@ -25,7 +25,7 @@
%bcond_with systemd
%endif
Name: redis
-Version: 3.2.3
+Version: 3.2.4
Release: 0
Summary: Persistent key-value database
License: BSD-3-Clause
@@ -45,9 +45,9 @@
BuildRequires: pkgconfig
BuildRequires: procps
BuildRequires: tcl
-Requires(pre): shadow
Requires: logrotate
Requires: sudo
+Requires(pre): shadow
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if %{with systemd}
BuildRequires: pkgconfig(systemd)
++++++ redis-3.2.3.tar.gz -> redis-3.2.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/00-RELEASENOTES new/redis-3.2.4/00-RELEASENOTES
--- old/redis-3.2.3/00-RELEASENOTES 2016-08-02 11:00:29.000000000 +0200
+++ new/redis-3.2.4/00-RELEASENOTES 2016-09-26 09:10:17.000000000 +0200
@@ -11,6 +11,84 @@
--------------------------------------------------------------------------------
================================================================================
+Redis 3.2.4 Released Mon Sep 26 08:58:21 CEST 2016
+================================================================================
+
+Upgrade urgency CRITICAL: Redis 3.2 and unstable contained a security
+ vulnerability fixed by this release.
+
+Hello Redis Wizards of the Memory Stores Empire,
+
+this is a Redis critical release in order to fix a security issue
+which is documented clearly here:
+
+ https://github.com/antirez/redis/commit/6d9f8e2462fc2c426d48c941edeb78e5df7d...
+
+Thanks to Cory Duplantis of Cisco Talos for reporting the issue.
+
+The gist is that using CONFIG SET calls (or by manipulating redis.conf)
+an attacker is able to compromise certain fields of the "server" global
+structure, including the aof filename pointer, that could be made pointing
+to something else. In turn the AOF name is used in different contexts such
+as logging, rename(2) and open(2) syscalls, leading to potential problems.
+
+All Redis 3.2.x versions are affected.
+
+This release also includes other things:
+
+* TCP binding bug fixed when only certain addresses were available for
+a given port.
+
+* A much better crash report that includes part of the Redis binary:
+this will allow to fix bugs even when we just have a crash log and
+no other help from the original poster oft the issue.
+
+* A fix for Redis Cluster redis-trib displaying of info after creating
+a new cluster.
+
+Please check the following list of commits for credits about who did what.
+Thanks to all the contributors and a special thank to Oran Agra for the
+help in this release.
+
+List of commits:
+
+antirez in commit 0539634:
+ Security: CONFIG SET client-output-buffer-limit overflow fixed.
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+antirez in commit c01abcd:
+ fix the fix for the TCP binding.
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+oranagra in commit a6d0698:
+ fix tcp binding when IPv6 is unsupported
+ 2 files changed, 14 insertions(+), 10 deletions(-)
+
+antirez in commit 22b6c28:
+ debug.c: no need to define _GNU_SOURCE, is defined in fmacros.h.
+ 1 file changed, 1 deletion(-)
+
+antirez in commit 9e9d398:
+ crash log - improve code dump with more info and called symbols.
+ 1 file changed, 59 insertions(+), 20 deletions(-)
+
+oranagra in commit 3745c5d:
+ crash log - add hex dump of function code
+ 1 file changed, 22 insertions(+)
+
+antirez in commit c1cc07b:
+ Sentinel example config: warn about protected mode.
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+rojingeorge in commit 011dc9f:
+ Display the nodes summary once the cluster is established using redis-trib.rb
+ 1 file changed, 5 insertions(+)
+
+Guo Xiao in commit f4e3a94:
+ Use the standard predefined identifier __func__ (since C99)
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+================================================================================
Redis 3.2.3 Released Tue Aug 02 10:55:24 CEST 2016
================================================================================
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/sentinel.conf new/redis-3.2.4/sentinel.conf
--- old/redis-3.2.3/sentinel.conf 2016-08-02 11:00:29.000000000 +0200
+++ new/redis-3.2.4/sentinel.conf 2016-09-26 09:10:17.000000000 +0200
@@ -1,5 +1,21 @@
# Example sentinel.conf
+# *** IMPORTANT ***
+#
+# By default Sentinel will not be reachable from interfaces different than
+# localhost, either use the 'bind' directive to bind to a list of network
+# interfaces, or disable protected mode with "protected-mode no" by
+# adding it to this configuration file.
+#
+# Before doing that MAKE SURE the instance is protected from the outside
+# world via firewalling or other means.
+#
+# For example you may use one of the following:
+#
+# bind 127.0.0.1 192.168.1.1
+#
+# protected-mode no
+
# port <sentinel-port>
# The port that this sentinel instance will run on
port 26379
@@ -178,4 +194,3 @@
#
# sentinel client-reconfig-script mymaster /var/redis/reconfig.sh
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/src/anet.c new/redis-3.2.4/src/anet.c
--- old/redis-3.2.3/src/anet.c 2016-08-02 11:00:29.000000000 +0200
+++ new/redis-3.2.4/src/anet.c 2016-09-26 09:10:17.000000000 +0200
@@ -486,7 +486,7 @@
goto end;
}
if (p == NULL) {
- anetSetError(err, "unable to bind socket");
+ anetSetError(err, "unable to bind socket, errno: %d", errno);
goto error;
}
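Review bot: The new message prints `errno` as a bare number, which forces whoever reads the log to look the value up; since anetSetError already takes a printf-style format (the hunk relies on that for `%d`), appending the text is a one-line change: `anetSetError(err, "unable to bind socket, errno: %d (%s)", errno, strerror(errno));`. Note also that, if the loop above this hunk has the usual 3.2 shape, the `p == NULL` branch is reached only after every addrinfo entry was skipped by the loop's `continue` on a failed socket(2), so the errno reported here is most likely socket()'s rather than bind()'s and the wording "unable to bind" may mislead; worth confirming against the loop body, which starts outside the hunk. The enclosing function also begins outside the hunk.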
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/src/config.c new/redis-3.2.4/src/config.c
--- old/redis-3.2.3/src/config.c 2016-08-02 11:00:29.000000000 +0200
+++ new/redis-3.2.4/src/config.c 2016-09-26 09:10:17.000000000 +0200
@@ -549,8 +549,9 @@
unsigned long long hard, soft;
int soft_seconds;
- if (class == -1) {
- err = "Unrecognized client limit class";
+ if (class == -1 || class == CLIENT_TYPE_MASTER) {
+ err = "Unrecognized client limit class: the user specified "
+ "an invalid one, or 'master' which has no buffer limits.";
goto loaderr;
}
hard = memtoll(argv[2],NULL);
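Review bot: The new guard `if (class == -1 || class == CLIENT_TYPE_MASTER)` rejects the offending class by name rather than by the bound that actually matters: per the release notes in this same commit, the class value selects a slot in a fixed-size per-class output-buffer-limit table and an out-of-range value wrote into adjacent fields of the server structure, so a range check against that table's element count would reject every out-of-range class, including any client type added later, and would make the reason for excluding 'master' self-evident. If `CLIENT_TYPE_OBUF_COUNT` is the constant sizing that table (as in server.h), the check could read `if (class < 0 || class >= CLIENT_TYPE_OBUF_COUNT) {` here, with a comment such as `/* master clients have no output buffer limits and no slot in the table */`. The identical predicate is repeated verbatim in the second config.c hunk (the CONFIG SET path); it should get the same treatment, or both sites should call one small static helper so the two parsers cannot drift apart. The enclosing function of each hunk starts outside the hunk.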
@@ -834,7 +835,8 @@
long val;
if ((j % 4) == 0) {
- if (getClientTypeByName(v[j]) == -1) {
+ int class = getClientTypeByName(v[j]);
+ if (class == -1 || class == CLIENT_TYPE_MASTER) {
sdsfreesplitres(v,vlen);
goto badfmt;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/src/debug.c new/redis-3.2.4/src/debug.c
--- old/redis-3.2.3/src/debug.c 2016-08-02 11:00:29.000000000 +0200
+++ new/redis-3.2.4/src/debug.c 2016-09-26 09:10:17.000000000 +0200
@@ -39,6 +39,8 @@
#include