Amazon Linux 2023 Security Advisory: ALAS-2023-164
Advisory Release Date: 2023-04-27 20:00 Pacific
Advisory Updated Date: 2023-05-03 13:24 Pacific
Severity:
Medium
Issue Overview:
Redis is an in-memory database that persists on disk. Starting in version 7.0.8 and prior to version 7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process. The problem is fixed in Redis version 7.0.10. (CVE-2023-28425)
Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that may later crash Redis on access. (CVE-2023-28856)
Affected Packages:
redis6
Issue Correction:
Run dnf update redis6 --releasever 2023.0.20230503 to update your system.
New Packages:
aarch64:
redis6-devel-6.2.12-1.amzn2023.0.1.aarch64
redis6-debuginfo-6.2.12-1.amzn2023.0.1.aarch64
redis6-6.2.12-1.amzn2023.0.1.aarch64
redis6-debugsource-6.2.12-1.amzn2023.0.1.aarch64
noarch:
redis6-doc-6.2.12-1.amzn2023.0.1.noarch
src:
redis6-6.2.12-1.amzn2023.0.1.src
x86_64:
redis6-debuginfo-6.2.12-1.amzn2023.0.1.x86_64
redis6-devel-6.2.12-1.amzn2023.0.1.x86_64
redis6-6.2.12-1.amzn2023.0.1.x86_64
redis6-debugsource-6.2.12-1.amzn2023.0.1.x86_64