Message ID | 20230322082921.2464069-1-changqing.li@windriver.com |
---|---|
State | New |
Series | [kirkstone,meta-oe] redis: upgrade 7.0.9 -> 7.0.10 |
On 3/22/23 4:29 AM, Changqing Li wrote:
> From: Changqing Li <changqing.li@windriver.com>
>
> Upgrade urgency: SECURITY, contains fixes to security issues.
>
> Security Fixes:
>
> (CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service

I am applying this to langdale then kirkstone

-armin

>
> Bug Fixes
> Large blocks of replica client output buffer may lead to PSYNC loops and unnecessary memory usage (#11666)
> Fix CLIENT REPLY OFF|SKIP to not silence push notifications (#11875)
> Trim excessive memory usage in stream nodes when exceeding stream-node-max-bytes (#11885)
> Fix module RM_Call commands failing with OOM when maxmemory is changed to zero (#11319)
>
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
> .../recipes-extended/redis/{redis_7.0.9.bb => redis_7.0.10.bb} | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> rename meta-oe/recipes-extended/redis/{redis_7.0.9.bb => redis_7.0.10.bb} (96%)
>
> diff --git a/meta-oe/recipes-extended/redis/redis_7.0.9.bb b/meta-oe/recipes-extended/redis/redis_7.0.10.bb > similarity index 96% > rename from meta-oe/recipes-extended/redis/redis_7.0.9.bb > rename to meta-oe/recipes-extended/redis/redis_7.0.10.bb > index e4b2d45a4..5f972033f 100644 > --- a/meta-oe/recipes-extended/redis/redis_7.0.9.bb > +++ b/meta-oe/recipes-extended/redis/redis_7.0.10.bb
> @@ -19,7 +19,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ > file://GNU_SOURCE.patch \ > file://0006-Define-correct-gregs-for-RISCV32.patch \ > " > -SRC_URI[sha256sum] = "f77135c2a47c9151d4028bfea3b34470ab4d324d1484f79a84c6f32a3cfb9f65" > +SRC_URI[sha256sum] = "1dee4c6487341cae7bd6432ff7590906522215a061fdef87c7d040a0cb600131" > > inherit autotools-brokensep update-rc.d systemd useradd
On 3/22/23 4:29 AM, Changqing Li wrote:
> From: Changqing Li <changqing.li@windriver.com>
>
> Upgrade urgency: SECURITY, contains fixes to security issues.
>
> Security Fixes:
>
> (CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service

Was this sent to master?
On 3/22/23 19:23, akuster808 wrote:
> On 3/22/23 4:29 AM, Changqing Li wrote:
>> From: Changqing Li <changqing.li@windriver.com>
>>
>> Upgrade urgency: SECURITY, contains fixes to security issues.
>>
>> Security Fixes:
>>
>> (CVE-2023-28425) Specially crafted MSETNX command can lead to
>> assertion and denial-of-service
>
> Was this sent to master?

Yes, it is another patch, because the context of the changed line is a little different.

Regards

Changqing
What's the status of these changes? I don't see them in kirkstone-next/langdale-next nor contrib/stable/kirkstone-nut contrib/stable/langdale-nut

The current meta-oe/kirkstone redis fails since 7.0.9 upgrade with:

ERROR: redis-7.0.9-r0 do_patch: Fuzz detected:

Applying patch GNU_SOURCE.patch
patching file src/zmalloc.c
Hunk #1 succeeded at 32 with fuzz 2 (offset 4 lines).
ERROR: redis-7.0.9-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]

And I don't see this issue fixed here.

I'll send separate patch to fix just patch-fuzz.
On 4/21/23 7:04 AM, Martin Jansa wrote:
> What's the status of these changes? I don't see them in
> kirkstone-next/langdale-next nor contrib/stable/kirkstone-nut
> contrib/stable/langdale-nut

My apologies. I had a question if Master was affected and it was so I forgot to keep an eye on the changes in Master for this package.

Thanks for the reminder.

- armin
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.9.bb b/meta-oe/recipes-extended/redis/redis_7.0.10.bb similarity index 96% rename from meta-oe/recipes-extended/redis/redis_7.0.9.bb rename to meta-oe/recipes-extended/redis/redis_7.0.10.bb index e4b2d45a4..5f972033f 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.9.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.10.bb @@ -19,7 +19,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://GNU_SOURCE.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ " -SRC_URI[sha256sum] = "f77135c2a47c9151d4028bfea3b34470ab4d324d1484f79a84c6f32a3cfb9f65" +SRC_URI[sha256sum] = "1dee4c6487341cae7bd6432ff7590906522215a061fdef87c7d040a0cb600131" inherit autotools-brokensep update-rc.d systemd useradd
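Review bot: The context line `SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \` fetches the tarball over plain HTTP, so the new `SRC_URI[sha256sum]` value is the only integrity check on the 7.0.10 source, and the commit message does not say where that hash came from. Please state in the commit message that the value was checked against a hash published by upstream rather than computed from the downloaded file, and consider moving the URL to https. Separately, `file://GNU_SOURCE.patch` is carried over unchanged in this hunk while the thread reports it applying with fuzz on 7.0.9 (`[patch-fuzz]`), so confirm it applies cleanly to 7.0.10 or refresh it in the same series.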