ASA-202106-12 log original external raw

[ASA-202106-12] redis: arbitrary code execution
Arch Linux Security Advisory ASA-202106-12 ========================================== Severity: High Date : 2021-06-01 CVE-ID : CVE-2021-32625 Package : redis Type : arbitrary code execution Remote : Yes Link : Summary ======= The package redis before version 6.2.4-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 6.2.4-1. # pacman -Syu "redis>=6.2.4-1" The problem has been fixed upstream in version 6.2.4. Workaround ========== A workaround to mitigate the problem is to use an ACL configuration to prevent clients from using the STRALGO LCS command. On systems running Redis version 6.2.3, it is sufficient to make sure that the proto-max-bulk-len config parameter is smaller than 2GB (default is 512MB). Description =========== An integer overflow bug in Redis versions 6.0 up to 6.2.3 can be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix of CVE-2021-29477. Impact ====== A remote attacker could execute arbitrary code on the database server through a crafted STRALGO LCS command. References ==========