Hello community,
here is the log from the commit of package redis for openSUSE:Factory checked in at 2022-07-31 23:00:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/redis (Old)
and /work/SRC/openSUSE:Factory/.redis.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "redis"
Sun Jul 31 23:00:33 2022 rev:81 rq:990008 version:7.0.4
Changes:
--------
--- /work/SRC/openSUSE:Factory/redis/redis.changes 2022-07-13 13:44:50.925985887 +0200
+++ /work/SRC/openSUSE:Factory/.redis.new.1533/redis.changes 2022-07-31 23:00:45.687659926 +0200
@@ -1,0 +2,8 @@
+Mon Jul 18 14:36:34 UTC 2022 - Michael Str��der
+
+- Security update to version 7.0.4
+ (CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream
+ key in a specific state may result with heap overflow, and potentially
+ remote code execution. The problem affects Redis versions 7.0.0 or newer.
+
+-------------------------------------------------------------------
Old:
----
redis-7.0.3.tar.gz
New:
----
redis-7.0.4.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ redis.spec ++++++
--- /var/tmp/diff_new_pack.mHAvCF/_old 2022-07-31 23:00:46.243661542 +0200
+++ /var/tmp/diff_new_pack.mHAvCF/_new 2022-07-31 23:00:46.247661553 +0200
@@ -20,7 +20,7 @@
%define _log_dir %{_localstatedir}/log/%{name}
%define _conf_dir %{_sysconfdir}/%{name}
Name: redis
-Version: 7.0.3
+Version: 7.0.4
Release: 0
Summary: Persistent key-value database
License: BSD-3-Clause
++++++ redis-7.0.3.tar.gz -> redis-7.0.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-7.0.3/00-RELEASENOTES new/redis-7.0.4/00-RELEASENOTES
--- old/redis-7.0.3/00-RELEASENOTES 2022-07-11 16:44:20.000000000 +0200
+++ new/redis-7.0.4/00-RELEASENOTES 2022-07-18 15:04:07.000000000 +0200
@@ -13,6 +13,17 @@
================================================================================
+Redis 7.0.4 Released Monday Jul 18 12:00:00 IST 2022
+================================================================================
+
+Upgrade urgency: SECURITY, contains fixes to security issues.
+
+Security Fixes:
+* (CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream
+ key in a specific state may result with heap overflow, and potentially
+ remote code execution. The problem affects Redis versions 7.0.0 or newer.
+
+================================================================================
Redis 7.0.3 Released Monday Jul 11 12:00:00 IST 2022
================================================================================
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-7.0.3/src/script_lua.c new/redis-7.0.4/src/script_lua.c
--- old/redis-7.0.3/src/script_lua.c 2022-07-11 16:44:20.000000000 +0200
+++ new/redis-7.0.4/src/script_lua.c 2022-07-18 15:04:07.000000000 +0200
@@ -334,7 +334,7 @@
/* push a field indicate to ignore updating the stats on this error
* because it was already updated when executing the command. */
lua_pushstring(lua,"ignore_error_stats_update");
- lua_pushboolean(lua, true);
+ lua_pushboolean(lua, 1);
lua_settable(lua,-3);
}
@@ -891,7 +891,7 @@
/* push a field indicate to ignore updating the stats on this error
* because it was already updated when executing the command. */
lua_pushstring(lua,"ignore_error_stats_update");
- lua_pushboolean(lua, true);
+ lua_pushboolean(lua, 1);
lua_settable(lua,-3);
goto cleanup;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-7.0.3/src/t_stream.c new/redis-7.0.4/src/t_stream.c
--- old/redis-7.0.3/src/t_stream.c 2022-07-11 16:44:20.000000000 +0200
+++ new/redis-7.0.4/src/t_stream.c 2022-07-18 15:04:07.000000000 +0200
@@ -3421,6 +3421,7 @@
/* Remember the ID for later */
deleted_ids[deleted_id_num++] = id;
raxSeek(&ri,">=",ri.key,ri.key_len);
+ count--; /* Count is a limit of the command response size. */
continue;
}
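Review bot: The comment added with `count--` describes count only as a response-size limit, but in this branch it also appears to bound the write `deleted_ids[deleted_id_num++] = id;` two lines above, which has no index check of its own in the hunk. The allocation of deleted_ids and the loop condition are outside the hunk, so this is inferred: if the array is sized from the initial count, every stored ID has to consume one unit of count or the index can run past the end, which would match the heap overflow the release notes describe for CVE-2022-31144. I would state that invariant at the decrement, e.g. `count--; /* Each deleted ID uses one slot of deleted_ids[], so it must consume count too. */`, and consider asserting deleted_id_num against the array capacity next to the store.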
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-7.0.3/src/version.h new/redis-7.0.4/src/version.h
--- old/redis-7.0.3/src/version.h 2022-07-11 16:44:20.000000000 +0200
+++ new/redis-7.0.4/src/version.h 2022-07-18 15:04:07.000000000 +0200
@@ -1,2 +1,2 @@
-#define REDIS_VERSION "7.0.3"
-#define REDIS_VERSION_NUM 0x00070003
+#define REDIS_VERSION "7.0.4"
+#define REDIS_VERSION_NUM 0x00070004
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-7.0.3/tests/unit/type/stream-cgroups.tcl new/redis-7.0.4/tests/unit/type/stream-cgroups.tcl
--- old/redis-7.0.3/tests/unit/type/stream-cgroups.tcl 2022-07-11 16:44:20.000000000 +0200
+++ new/redis-7.0.4/tests/unit/type/stream-cgroups.tcl 2022-07-18 15:04:07.000000000 +0200
@@ -584,9 +584,9 @@
# from the PEL of consumer 1, this should return nil
r XDEL mystream $id2
- # id1 and id3 are self-claimed here but not id2 ('count' was set to 2)
+ # id1 and id3 are self-claimed here but not id2 ('count' was set to 3)
# we make sure id2 is indeed skipped (the cursor points to id4)
- set reply [r XAUTOCLAIM mystream mygroup consumer2 10 - COUNT 2]
+ set reply [r XAUTOCLAIM mystream mygroup consumer2 10 - COUNT 3]
assert_equal [llength $reply] 3
assert_equal [lindex $reply 0] $id4
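Review bot: The comment above the XAUTOCLAIM call now says 'count' was set to 3 without saying why the value had to change from 2. Going by the t_stream.c change in this commit, the deleted id2 now consumes one unit of COUNT, so COUNT 3 is what still lets id1 and id3 both be claimed; that is a client-visible change in how COUNT is interpreted. I would record it in the comment, e.g. `# COUNT is 3 because the deleted id2 also counts against COUNT`. The test body starts and ends outside the hunk.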
@@ -595,6 +595,8 @@
assert_equal [llength [lindex $reply 1 0 1]] 2
assert_equal [lindex $reply 1 0 1] {a 1}
assert_equal [lindex $reply 1 1 1] {c 3}
+ assert_equal [llength [lindex $reply 2]] 1
+ assert_equal [llength [lindex $reply 2 0]] 1
# Delete item 3 from the stream. Now consumer 1 has PEL that is empty.
# Try to use consumer 2 to claim the deleted item 3 from the PEL
@@ -701,6 +703,21 @@
assert_equal [r XPENDING x grp - + 10 Alice] {}
}
+ test {XAUTOCLAIM with XDEL and count} {
+ r DEL x
+ r XADD x 1-0 f v
+ r XADD x 2-0 f v
+ r XADD x 3-0 f v
+ r XGROUP CREATE x grp 0
+ assert_equal [r XREADGROUP GROUP grp Alice STREAMS x >] {{x {{1-0 {f v}} {2-0 {f v}} {3-0 {f v}}}}}
+ r XDEL x 1-0
+ r XDEL x 2-0
+ assert_equal [r XAUTOCLAIM x grp Bob 0 0-0 COUNT 1] {2-0 {} 1-0}
+ assert_equal [r XAUTOCLAIM x grp Bob 0 2-0 COUNT 1] {3-0 {} 2-0}
+ assert_equal [r XAUTOCLAIM x grp Bob 0 3-0 COUNT 1] {0-0 {{3-0 {f v}}} {}}
+ assert_equal [r XPENDING x grp - + 10 Alice] {}
+ }
+
test {XCLAIM with trimming} {
r DEL x
r config set stream-node-max-entries 2
++++++ redis.hashes ++++++
--- /var/tmp/diff_new_pack.mHAvCF/_old 2022-07-31 23:00:46.719662924 +0200
+++ /var/tmp/diff_new_pack.mHAvCF/_new 2022-07-31 23:00:46.723662937 +0200
@@ -141,4 +141,5 @@
hash redis-7.0.1.tar.gz sha256 ca1820d527e4759884620be2917079e61e996fa81da5fbe5c07c4a7b507264dc http://download.redis.io/releases/redis-7.0.1.tar.gz
hash redis-7.0.2.tar.gz sha256 5e57eafe7d4ac5ecb6a7d64d6b61db775616dbf903293b3fcc660716dbda5eeb http://download.redis.io/releases/redis-7.0.2.tar.gz
hash redis-7.0.3.tar.gz sha256 2cde7d17214ffe305953da9fff12333e8a72caa57fd4923e4872f6362a208e73 http://download.redis.io/releases/redis-7.0.3.tar.gz
+hash redis-7.0.4.tar.gz sha256 f0e65fda74c44a3dd4fa9d512d4d4d833dd0939c934e946a5c622a630d057f2f http://download.redis.io/releases/redis-7.0.4.tar.gz