Subject: CVS commit: [pkgsrc-2021Q3] pkgsrc/databases/redis
From: Thomas Merkel
Date: 2021-10-06 23:12:46
Message id: 20211006211246.B824FFA97@cvs.NetBSD.org
Log Message:
Pullup ticket #6503 - requested by taca
databases/redis: security fix

Revisions pulled up:
- databases/redis/Makefile                                      1.72
- databases/redis/distinfo                                      1.63
- databases/redis/patches/patch-src_Makefile                    1.5

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Mon Oct  4 18:55:36 UTC 2021

   Modified Files:
   	pkgsrc/databases/redis: Makefile distinfo
   	pkgsrc/databases/redis/patches: patch-src_Makefile

   Log Message:
   redis: updated to 6.2.6

   Redis 6.2.6

   Upgrade urgency: SECURITY, contains fixes to security issues.

   Security Fixes:
   * (CVE-2021-41099) Integer to heap buffer overflow handling certain string
     commands and network payloads, when proto-max-bulk-len is manually configured
     to a non-default, very large value [reported by yiyuaner].
   * (CVE-2021-32762) Integer to heap buffer overflow issue in redis-cli and
     redis-sentinel parsing large multi-bulk replies on some older and less common
     platforms [reported by Microsoft Vulnerability Research].
   * (CVE-2021-32687) Integer to heap buffer overflow with intsets, when
     set-max-intset-entries is manually configured to a non-default, very large
     value [reported by Pawel Wieczorkiewicz, AWS].
   * (CVE-2021-32675) Denial Of Service when processing RESP request payloads with
     a large number of elements on many connections.
   * (CVE-2021-32672) Random heap reading issue with Lua Debugger [reported by
     Meir Shpilraien].
   * (CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded
     data types, when configuring a large, non-default value for
     hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries
     or zset-max-ziplist-value [reported by sundb].
   * (CVE-2021-32627) Integer to heap buffer overflow issue with streams, when
     configuring a non-default, large value for proto-max-bulk-len and
     client-query-buffer-limit [reported by sundb].
   * (CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer
     overflow [reported by Meir Shpilraien].

   Bug fixes that involve behavior changes:
   * GEO* STORE with empty source key deletes the destination key and return 0
     Previously it would have returned an empty array like the non-STORE variant.
   * PUBSUB NUMPAT replies with number of patterns rather than number of \ 
subscriptions
     This actually changed in 6.2.0 but was overlooked and omitted from the \ 
release notes.

   Bug fixes that are only applicable to previous releases of Redis 6.2:
   * Fix CLIENT PAUSE, used an old timeout from previous PAUSE
   * Fix CLIENT PAUSE in a replica would mess the replication offset
   * Add some missing error statistics in INFO errorstats

   Other bug fixes:
   * Fix incorrect reply of COMMAND command key positions for MIGRATE command
   * Fix appendfsync to always guarantee fsync before reply, on MacOS and \ 
FreeBSD (kqueue)
   * Fix the wrong mis-detection of sync_file_range system call, affecting \ 
performance

   CLI tools:
   * When redis-cli received ASK response, it didn't handle it

   Improvements:
   * Add latency monitor sample when key is deleted via lazy expire
   * Sanitize corrupt payload improvements
   * Delete empty keys when loading RDB file or handling a RESTORE command
Files:
RevisionActionfile
1.71.2.1modifypkgsrc/databases/redis/Makefile
1.62.2.1modifypkgsrc/databases/redis/distinfo
1.4.6.1modifypkgsrc/databases/redis/patches/patch-src_Makefile