FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-28 14:09:37 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 5fa68bd9-95d9-11ed-811a-080027f5fec9
Description: redis -- multiple vulnerabilities

The Redis core team reports:

CVE-2022-35977
Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic.
CVE-2023-22458
Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service.

Discovery 2023-01-16
Entry 2023-01-16

Affected packages:
  redis < 7.0.8
  redis-devel < 7.0.8.20230116
  redis62 < 6.2.9
  redis6 < 6.0.17

References:
  CVE-2022-35977
  CVE-2023-22458
  https://github.com/redis/redis/releases/tag/7.0.8
VuXML ID: 6fae2d6c-1f38-11ee-a475-080027f5fec9
Description: redis -- heap overflow in COMMAND GETKEYS and ACL evaluation

Redis core team reports:

Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Specifically: using COMMAND GETKEYS* and validation of key names in ACL rules.

Discovery 2023-07-10
Entry 2023-07-10

Affected packages:
  redis < 7.0.12
  redis-devel < 7.0.12.20230710

References:
  CVE-2023-36824
  https://groups.google.com/g/redis-db/c/JDjKS0GubsQ
  https://github.com/redis/redis/security/advisories/GHSA-4cfx-h9gq-xpx3
VuXML ID: 8706e097-6db7-11ee-8744-080027f5fec9
Description: redis -- Possible bypassing Unix socket permissions

Redis core team reports:

The wrong order of listen(2) and chmod(2) calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup.

Discovery 2023-10-18
Entry 2023-10-18

Affected packages:
  redis < 7.2.2
  redis-devel < 7.2.2.20231018
  redis70 < 7.0.14
  redis62 < 6.2.14

References:
  CVE-2023-45145
  https://groups.google.com/g/redis-db/c/r81pHa-dcI8
VuXML ID: 6c72b13f-4d1d-11ee-a7f1-080027f5fec9
Description: redis -- Possible bypassing ACL configuration

yangbodong22011 reports:

Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration.

Discovery 2023-09-06
Entry 2023-09-07

Affected packages:
  redis >= 7.0.0, < 7.0.13
  redis >= 7.2.0, < 7.2.1
  redis-devel < 7.2.0.20230831
  redis70 >= 7.0.0, < 7.0.13

References:
  CVE-2023-41053
  https://github.com/redis/redis/security/advisories/GHSA-q4jr-5p56-4xwc
VuXML ID: a60cc0e4-c7aa-11ed-8a4b-080027f5fec9
Description: redis -- specially crafted MSETNX command can lead to denial-of-service

Yupeng Yang reports:

Authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process.

Discovery 2023-03-20
Entry 2023-03-21

Affected packages:
  redis < 7.0.10
  redis-devel < 7.0.10.20230320

References:
  CVE-2023-28425
  https://github.com/redis/redis/security/advisories/GHSA-mvmm-4vq6-vw8c
VuXML ID: b17bce48-b7c6-11ed-b304-080027f5fec9
Description: redis -- multiple vulnerabilities

The Redis core team reports:

CVE-2023-25155
Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process.
CVE-2022-36021
String matching commands (like SCAN or KEYS) with a specially crafted pattern can trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time.

Discovery 2023-02-28
Entry 2023-03-01

Affected packages:
  redis < 7.0.9
  redis-devel < 7.0.9.20230228
  redis62 < 6.2.11
  redis6 < 6.0.18

References:
  CVE-2023-25155
  CVE-2022-36021
  https://groups.google.com/g/redis-db/c/3hQ1oTO4hMI
VuXML ID: 0e254b4a-1f37-11ee-a475-080027f5fec9
Description: redis -- Heap overflow in the cjson and cmsgpack libraries

Redis core team reports:

A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution.

Discovery 2023-07-10
Entry 2023-07-10

Affected packages:
  redis < 7.0.12
  redis-devel < 7.0.12.20230710
  redis62 < 6.2.13
  redis60 < 6.0.20

References:
  CVE-2022-24834
  https://groups.google.com/g/redis-db/c/JDjKS0GubsQ
VuXML ID: 96b2d4db-ddd2-11ed-b6ea-080027f5fec9
Description: redis -- HINCRBYFLOAT can be used to crash a redis-server process

Redis core team reports:

Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that may later crash Redis on access.

Discovery 2023-04-17
Entry 2023-05-08

Affected packages:
  redis < 7.0.11
  redis62 < 6.2.12
  redis6 < 6.0.19

References:
  CVE-2023-28856
  https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6