Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.4050
Optional update for python-redis and redis
13 November 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: python-redis
redis
Publisher: SUSE
Operating System: SUSE
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2018-11219 CVE-2018-11218 CVE-2017-15047
CVE-2016-10517 CVE-2016-8339 CVE-2015-8080
CVE-2013-7458
Reference: ASB-2019.0109
ESB-2019.2810
ESB-2019.0146
ESB-2018.1869
ESB-2018.1850
Original Bulletin:
https://www.suse.com/support/update/announcement/2020/suse-ou-20203291-1
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Optional Update: Optional update for python-redis and redis
______________________________________________________________________________
Announcement ID: SUSE-OU-2020:3291-1
Rating: moderate
References: #1002351 #1047218 #1061967 #1064980 #1097430 #1131555
#798455 #835815 #991250
Affected Products:
SUSE Linux Enterprise Module for Server Applications 15-SP2
______________________________________________________________________________
An update that solves 7 vulnerabilities, contains four features and has two
fixes is now available.
Description:
This optional update for python-redis and redis provides the following fixes
python-redis:
o Update to version to 3.4.1 (jsc#ECO-2417) * Move the username argument in
the Redis and Connection classes to the end of the argument list. This
helps those poor souls that specify all their connection options as
non-keyword arguments. * Prior to ACL support, redis-py ignored the
username component of Connection URLs. With ACL support, usernames are no
longer ignored and are used to authenticate against an ACL rule. Some cloud
vendors with managed Redis instances (like Heroku) provide connection URLs
with a username component pre-ACL that is not intended to be used. Sending
that username to Redis servers < 6.0.0 results in an error. Attempt to
detect this condition and retry the AUTH command with only the password
such that authentication continues to work for these users. * Removed the
__eq__ hooks to Redis and ConnectionPool that were added in 3.4.0. This
ended up being a bad idea as two separate connection pools be considered
equal yet manage a completely separate set of connections. * Allow empty
pipelines to be executed if there are WATCHed keys. This is a convenient
way to test if any of the watched keys changed without actually running any
other commands. * Removed support for end of life Python 3.4. * Added
support for all ACL commands in Redis 6. * Pipeline instances now always
evaluate to True. Prior to this change, pipeline instances relied on
__len__ for boolean evaluation which meant that pipelines with no commands
on the stack would be considered False. * Client instances and Connection
pools now support a 'client_name' argument. If supplied, all connections
created will call CLIENT SETNAME as soon as the connection is opened. *
Added the 'ssl_check_hostname' argument to specify whether SSL connections
should require the server hostname to match the hostname specified in the
SSL cert. By default 'ssl_check_hostname' is False for backwards
compatibility. * Added support for the TYPE argument to SCAN. * Better
thread and fork safety in ConnectionPool and BlockingConnectionPool. Added
better locking to synchronize critical sections rather than relying on
CPython-specific implementation details relating to atomic operations.
Adjusted how the pools identify and deal with a fork. Added a
ChildDeadlockedError exception that is raised by child processes in the
very unlikely chance that a deadlock is encountered. * Further fix for the
SSLError -> TimeoutError mapping to work on obscure releases of Python 2.7.
* Fixed a potential error handling bug for the SSLError -> TimeoutError
mapping introduced in 3.3.9. * Mapped Python 2.7 SSLError to TimeoutError
where appropriate. Timeouts should now consistently raise TimeoutErrors on
Python 2.7 for both unsecured and secured connections. * Fixed MONITOR
parsing to properly parse IPv6 client addresses * Fixed a regression
introduced in 3.3.0 * Resolve a race condition with the PubSubWorkerThread.
* Response callbacks are now case insensitive. * Added support for
hiredis-py 1.0.0 encoding error support. * Add READONLY and READWRITE
commands. * Added extensive health checks that keep the connections lively.
* Many more changes, see upstream changelog. * Add missing build dependency
setuptools * Fix SentinelConnectionPool to work in multiprocess/forked
environments
o Update to 3.2.0 (bsc#1131555) * Added support for `select.poll` to test
whether data can be read on a socket. This should allow for significantly
more connections to be used with pubsub. * Attempt to guarentee that the
ConnectionPool hands out healthy connections. Healthy connections are those
that have an established socket connection to the Redis server, are ready
to accept a command and have no data available to read. * Use the
socket.IPPROTO_TCP constant instead of socket.SOL_TCP. IPPROTO_TCP is
available on more interpreters (Jython for instance). * Fixed a regression
introduced in 3.0 that mishandles exceptions not derived from the base
Exception class. KeyboardInterrupt and gevent.timeout notable. *
Significant improvements to handing connections with forked processes.
Parent and child processes no longer trample on each others' connections. *
PythonParser no longer closes the associated connection's socket. The
connection itself will close the socket. * Connection URLs must have one of
the following schemes: redis://, rediss://, unix://. * Fixed an issue with
retry_on_timeout logic that caused some TimeoutErrors to be retried. *
Added support for SNI for SSL. * Fixed ConnectionPool repr for pools with
no connections. * Fixed GEOHASH to return a None value when specifying a
place that doesn't exist on the server. * Fixed XREADGROUP to return an
empty dictionary for messages that have been deleted but still exist in the
unacknowledged queue. * Added an owned method to Lock objects. owned
returns a boolean indicating whether the current lock instance still owns
the lock. * Allow lock.acquire() to accept an optional token argument. If
provided, the token argument is used as the unique value used to claim the
lock. * Added a reacquire method to Lock objects. reaquire attempts to
renew the lock such that the timeout is extended to the same value that the
lock was initially acquired with. * Stream names found within XREAD and
XREADGROUP responses now properly respect the decode_responses flag. *
XPENDING_RANGE now requires the user the specify the min, max and count
arguments. Newer versions of Redis prevent count from being infinite so
it's left to the user to specify these values explicitly. * ZADD now
returns None when xx=True and incr=True and an element is specified that
doesn't exist in the sorted set. This matches what the server returns in
this case. * Added client_kill_filter that accepts various filters to
identify and kill clients. * Fixed a race condition that occurred when
unsubscribing and resubscribing to the same channel or pattern in rapid
succession. * Added a LockNotOwnedError that is raised when trying to
extend or release a lock that is no longer owned. This is a subclass of
LockError so previous code should continue to work as expected. * Fixed a
bug in GEORADIUS that forced decoding of places without respecting the
decode_responses option. * add recommendation for python-hiredis * Fixed
regression with UnixDomainSocketConnection caused by 3.0.0. * Fixed an
issue with the new asynchronous flag on flushdb and flushall. * Updated
Lock.locked() method to indicate whether *any* process has acquired the
lock, not just the current one. This is in line with the behavior of
threading.Lock.
o Update to version 3.0.0: BACKWARDS INCOMPATIBLE CHANGES * When using a Lock
as a context manager and the lock fails to be acquired a LockError is now
raised. This prevents the code block inside the context manager from being
executed if the lock could not be acquired. * Renamed LuaLock to Lock. *
Removed the pipeline based Lock implementation in favor of the LuaLock
implementation. * Only bytes, strings and numbers (ints, longs and floats)
are acceptable for keys and values. Previously redis-py attempted to cast
other types to str() and store the result. This caused must confusion and
frustration when passing boolean values (cast to 'True' and 'False') or
None values (cast to 'None'). It is now the user's responsibility to cast
all key names and values to bytes, strings or numbers before passing the
value to redis-py. * The StrictRedis class has been renamed to Redis.
StrictRedis will continue to exist as an alias of Redis for the forseeable
future. * The legacy Redis client class has been removed. It caused much
confusion to users. * ZINCRBY arguments 'value' and 'amount' have swapped
order to match the the Redis server. The new argument order is: keyname,
amount, value. * MGET no longer raises an error if zero keys are passed in.
Instead an empty list is returned. * MSET and MSETNX now require all keys/
values to be specified in a single dictionary argument named mapping. This
was changed to allow for future options to these commands in the future. *
ZADD now requires all element names/scores be specified in a single
dictionary argument named mapping. This was required to allow the NX, XX,
CH and INCR options to be specified. OTHER CHANGES * Added missing DECRBY
command. * CLUSTER INFO and CLUSTER NODES respones are now properly decoded
to strings. * Added a 'locked()' method to Lock objects. This method
returns True if the lock has been acquired and owned by the current
process, otherwise False. * EXISTS now supports multiple keys. It's return
value is now the number of keys in the list that exist. * Ensure all
commands can accept key names as bytes. This fixes issues with BLPOP, BRPOP
and SORT. * All errors resulting from bad user input are raised as
DataError exceptions. DataError is a subclass of RedisError so this should
be transparent to anyone previously catching these. * Added support for NX,
XX, CH and INCR options to ZADD * Added support for the MIGRATE command *
Added support for the MEMORY USAGE and MEMORY PURGE commands. * Added
support for the 'asynchronous' argument to FLUSHDB and FLUSHALL commands. *
Added support for the BITFIELD command. * Improved performance on pipeline
requests with large chunks of data. * Fixed test suite to not fail if
another client is connected to the server the tests are running against. *
Added support for SWAPDB. * Added support for all STREAM commands. *
SHUTDOWN now accepts the 'save' and 'nosave' arguments. * Added support for
ZPOPMAX, ZPOPMIN, BZPOPMAX, BZPOPMIN. * Added support for the 'type'
argument in CLIENT LIST. * Added support for CLIENT PAUSE. * Added support
for CLIENT ID and CLIENT UNBLOCK. * GEODIST now returns a None value when
referencing a place that does not exist. * Added a ping() method to pubsub
objects. * Fixed a bug with keys in the INFO dict that contained ':'
symbols. * ssl_cert_reqs now has a default value of 'required' by default.
This should make connecting to a remote Redis server over SSL more secure.
* max_connections is now a valid querystring argument for creating
connection pools from URLs. * Added the UNLINK command. * Added socket_type
option to Connection for configurability. * Lock.do_acquire now atomically
sets acquires the lock and sets the expire value via set(nx=True, px=
timeout). * Added 'count' argument to SPOP. * Fixed an issue parsing
client_list respones that contained an '='. * Fix rounding issues with
geolocation, it is not stable enought to produce pinpoint equal results
among 32bit platforms * Run tests by launching redis server * Require redis
on runtime
redis:
o Update to version 6.0.8 (jsc#PM-1615, jsc#PM-1622, jsc#PM-1681, jsc#
ECO-2867, jsc#PM-1547, jsc#CAPS-56, jsc#SLE-11578, jsc#SLE-12821) * bug
fixes when using with Sentinel * bug fixes when using CONFIG REWRITE *
Remove THP warning when set to madvise * Allow EXEC with read commands on
readonly replica in cluster * Add masters/replicas options to redis-cli
--cluster call command * CONFIG SET could hung the client when arrives
during RDB/ROF loading * LPOS command when RANK is greater than matches
responded with broken protocol * Add oom-score-adj configuration option to
control Linux OOM killer * Show IO threads statistics and status in INFO
output * Add optional tls verification mode (see tls-auth-clients) * Fix
crash when enabling CLIENT TRACKING with prefix * EXEC always fails with
EXECABORT and multi-state is cleared * RESTORE ABSTTL won't store expired
keys into the db * redis-cli better handling of non-pritable key names *
TLS: Ignore client cert when tls-auth-clients off * Tracking: fix
invalidation message on flush * Notify systemd on Sentinel startup * Fix
crash on a misuse of STRALGO * Fix a few rare leaks (STRALGO error misuse,
Sentinel) * Fix a possible invalid access in defrag of scripts * Add LPOS
command to search in a list * Use user+pass for MIGRATE in redis-cli and
redis-benchmark in cluster mode * redis-cli support TLS for --pipe, --rdb
and --replica options * TLS: Session caching configuration support * Fix
handling of speical chars in ACL LOAD * Make Redis Cluster more robust
about operation errors that may lead to two clusters to mix together *
Revert the sendfile() implementation of RDB transfer * Fix TLS certificate
loading for chained certificates * Fix AOF rewirting of KEEPTTL SET option
* Fix MULTI/EXEC behavior during -BUSY script errors * fix a severe
replication bug introduced in Redis 6 by the "meaningful offset" feature *
fix a crash introduced in 6.0.2 * fix to client side caching when keys are
evicted from the tracking table but no notifications are sent * add BR
pkgconfig(libsystemd) for the rewritten systemd support and force building
with it * XCLAIM AOF/replicas propagation fixed. * Client side caching: new
NOLOOP option to avoid getting notified about changes performed by
ourselves. * ACL GENPASS now uses HMAC-SHA256 and have an optional "bits"
argument. It means you can use it as a general purpose "secure random
strings" primitive! * Cluster "SLOTS" subcommand memory optimization. * The
LCS command is now a subcommand of STRALGO. * Meaningful offset for
replicas as well. More successful partial resynchronizations. * Optimize
memory usage of deferred replies. * Faster CRC64 algorithm for faster RDB
loading. * XINFO STREAM FULL, a new subcommand to get the whole stream
state. * CLIENT KILL USER . * MIGRATE AUTH2 option, for ACL style
authentication support. * use libatomic also on ppc * add hash file from
redis-hashes and verify it during build
Patch Instructions:
To install this SUSE Optional Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Linux Enterprise Module for Server Applications 15-SP2:
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-3291=1
Package List:
o SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64
ppc64le s390x x86_64):
redis-6.0.8-1.3.1
redis-debuginfo-6.0.8-1.3.1
redis-debugsource-6.0.8-1.3.1
References:
o https://www.suse.com/security/cve/CVE-2013-7458.html
o https://www.suse.com/security/cve/CVE-2015-8080.html
o https://www.suse.com/security/cve/CVE-2016-10517.html
o https://www.suse.com/security/cve/CVE-2016-8339.html
o https://www.suse.com/security/cve/CVE-2017-15047.html
o https://www.suse.com/security/cve/CVE-2018-11218.html
o https://www.suse.com/security/cve/CVE-2018-11219.html
o https://bugzilla.suse.com/1002351
o https://bugzilla.suse.com/1047218
o https://bugzilla.suse.com/1061967
o https://bugzilla.suse.com/1064980
o https://bugzilla.suse.com/1097430
o https://bugzilla.suse.com/1131555
o https://bugzilla.suse.com/798455
o https://bugzilla.suse.com/835815
o https://bugzilla.suse.com/991250
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX64GZuNLKJtyKPYoAQhJpw//aA3xp2CbpUUc1UbV7iSAwIlkE4YibaY6
xrAUF6mFSO11IzyFtPSL1E669Ot3U4HnIKAZ6cS09H5tARW71pp99MQrld8ahzTV
NMJwVpyjKffjJ4PsY1maXliA6NI0aW/gZGEzHy0HP/KWd5qYm4fTAnkDnfpfdxCk
KH01SeAJNilqBGn0vsL0khw9dZQ/cB0IOOcO6Hm8CA/2Jv56vaRZb8N5aEaImZRo
Pvdpy8GhPJBykzpMJXSA9sdJNaBMBD8G8c+3AjpX6upm4MaGsLPE+mkD2mKdGuv+
RwDJgubGWbNGbJOA4gA4av3676IPnV6SVBJm55upEk8sW856E3RPHn05tUFr7nD4
n9Y8GUYtzKbFkOwXhz6caLCrhOOu8zQ+Bjn1PxvZJJTQWZP85XhDQmayWvgAlH4j
76x74SrxNXJdMDnkIzugXDGFXC3dqFNXtOeqg5qNARrPQqCy0zcG2GteHJyA2vQ/
tNJuW1wjC2Eb4VrMAMpLZnE7OoIRlns0o1/YCyuz8gsi1MPSVV26QSIS6IZnM8HF
sXYbtxuMlyJDtbGF6/HH3EGVCNPUHne9UUYafX37z26enG2zai2cHDTfAC8t4rB+
o9bfxp2Q3JkA+Ou10lBfhWVNPHtAngB5h22Wa/wjCzIQ3KStlaFpgw34nb6aP2rC
6aCNdfeFFJE=
=IvYk
-----END PGP SIGNATURE-----