openSUSE Security Update: Security update for redis
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:2994-1
Rating:             moderate
References:         #1064980
Cross-References:   CVE-2016-10517
Affected Products:
                    openSUSE Leap 42.3
                    openSUSE Leap 42.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for redis to version 4.0.2 fixes the following issues:

- CVE-2016-8339: CONFIG SET client-output-buffer-limit Code Execution
  Vulnerability (boo#1002351)

The following upstream changes are included:

- SLOWLOG now logs the offending client name and address.
- The modules native data types RDB format changed.
- The AOF check utility is now able to deal with RDB preambles.
- GEORADIUS_RO and GEORADIUSBYMEMBER_RO variants, not supporting the STORE
  option, were added in order to allow read-only scaling of such queries.
- HSET is now variadic, and HMSET is considered deprecated.
- GEORADIUS huge radius (>= ~6000 km) corner cases fixed.
- HyperLogLog commands no longer crash on certain input (non-HLL) strings.
- Fixed SLAVEOF inside MULTI/EXEC blocks.
- TCP binding bug fixed when only certain addresses were available for a
  given port.
- MIGRATE could crash the server after a socket error.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:
  zypper in -t patch openSUSE-2017-1258=1
- openSUSE Leap 42.2:
  zypper in -t patch openSUSE-2017-1258=1

To bring your system up-to-date, use "zypper patch".
Package List:

- openSUSE Leap 42.3 (i586 x86_64):
  redis-4.0.2-11.1
  redis-debuginfo-4.0.2-11.1
  redis-debugsource-4.0.2-11.1
- openSUSE Leap 42.2 (i586 x86_64):
  redis-4.0.2-8.3.1
  redis-debuginfo-4.0.2-8.3.1
  redis-debugsource-4.0.2-8.3.1

References:

https://www.suse.com/security/cve/CVE-2016-10517.html
https://bugzilla.suse.com/1064980
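The following script is an added example and is not part of the openSUSE advisory or of the redis package. It shows how an administrator can check whether the redis package installed on a Leap 42.2 or 42.3 host is at or above the fixed build listed in the package list above. The fixed VERSION-RELEASE strings are copied from that list; the sample installed versions fed to it are constructed so the script runs offline. Version ordering uses GNU `sort -V`, which agrees with rpm's comparison for plain dotted numeric versions like these but is not a general replacement for rpmvercmp (an assumption to keep in mind if you reuse it for other packages).

```shell
#!/bin/sh
# Added example, not from the openSUSE advisory: compare an installed redis
# VERSION-RELEASE against the fixed build for a given openSUSE Leap release.

# Fixed VERSION-RELEASE per product, copied from the advisory's package list.
fixed_redis_vr() {
    case "$1" in
        42.3) echo "4.0.2-11.1" ;;
        42.2) echo "4.0.2-8.3.1" ;;
        *)    return 1 ;;
    esac
}

# version_ge A B: succeeds when A sorts at or after B.
# Assumption: GNU sort -V ordering matches rpm ordering for these strings.
version_ge() {
    [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# redis_patch_state INSTALLED_VR PRODUCT
# Prints "patched", "vulnerable", or "unknown-product" for a release the
# advisory does not cover.
redis_patch_state() {
    fixed=$(fixed_redis_vr "$2") || { echo "unknown-product"; return 0; }
    if version_ge "$1" "$fixed"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# On a real Leap host the installed VERSION-RELEASE comes from rpm, e.g.
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' redis
# and the product from VERSION_ID in /etc/os-release. The values below are
# constructed samples so the script runs without rpm or zypper present.
main() {
    for sample in "4.0.2-11.1 42.3" "4.0.2-8.1 42.3" \
                  "3.2.9-3.1 42.2" "4.0.2-8.3.1 42.2"; do
        set -- $sample
        echo "redis-$1 on Leap $2: $(redis_patch_state "$1" "$2")"
    done
}

main
```

A package at the fixed build only proves the files on disk were replaced; a redis-server process started before the update keeps running the old code until it is restarted, so after `zypper patch` restart the redis instances and confirm with `redis-cli INFO server` that the reported redis_version is 4.0.2.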