=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform 13.0 (redis) security update
Advisory ID:       RHSA-2021:3980-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3980
Issue date:        2021-10-25
CVE Names:         CVE-2021-32626 CVE-2021-32627 CVE-2021-32628
                   CVE-2021-32675 CVE-2021-32687 CVE-2021-41099
=====================================================================

1. Summary:

An update for redis is now available for Red Hat OpenStack Platform 13
(Queens).

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 13.0 - ELS - ppc64le, x86_64
Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server - x86_64

3. Description:

Redis is an advanced key-value store.

Security Fix(es):

* Lua scripts can overflow the heap-based Lua stack (CVE-2021-32626)

* Integer overflow issue with Streams (CVE-2021-32627)

* Integer overflow bug in the ziplist data structure (CVE-2021-32628)

* Denial of service via Redis Standard Protocol (RESP) request
(CVE-2021-32675)

* Integer overflow issue with intsets (CVE-2021-32687)

* Integer overflow issue with strings (CVE-2021-41099)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2010991 - CVE-2021-32687 redis: Integer overflow issue with intsets
2011000 - CVE-2021-32675 redis: Denial of service via Redis Standard Protocol (RESP) request
2011004 - CVE-2021-32628 redis: Integer overflow bug in the ziplist data structure
2011010 - CVE-2021-32627 redis: Integer overflow issue with Streams
2011017 - CVE-2021-32626 redis: Lua scripts can overflow the heap-based Lua stack
2011020 - CVE-2021-41099 redis: Integer overflow issue with strings

6. Package List:

Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server:

Source:
redis-3.2.8-5.el7ost.src.rpm

x86_64:
redis-3.2.8-5.el7ost.x86_64.rpm
redis-debuginfo-3.2.8-5.el7ost.x86_64.rpm

Red Hat OpenStack Platform 13.0 - ELS:

Source:
redis-3.2.8-5.el7ost.src.rpm

ppc64le:
redis-3.2.8-5.el7ost.ppc64le.rpm
redis-debuginfo-3.2.8-5.el7ost.ppc64le.rpm

x86_64:
redis-3.2.8-5.el7ost.x86_64.rpm
redis-debuginfo-3.2.8-5.el7ost.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-32626
https://access.redhat.com/security/cve/CVE-2021-32627
https://access.redhat.com/security/cve/CVE-2021-32628
https://access.redhat.com/security/cve/CVE-2021-32675
https://access.redhat.com/security/cve/CVE-2021-32687
https://access.redhat.com/security/cve/CVE-2021-41099
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce