From 942be1fd5499a249ff2f5e8557fe03bafa473351 Mon Sep 17 00:00:00 2001
From: Nicolas Favre-Felix
Date: Wed, 6 Oct 2021 07:34:34 -0700
Subject: [PATCH] Release 0.1.17.1 (Fixes Redis vulnerabilities)

Security update: upgrading the version of Redis bundled in the Webdis image to
fix a number of severe vulnerabilities.

* Low severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727801
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* Medium severity vulnerability found in redis/redis
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727803
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727783
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: CVE-2021-32626
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727820
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727822
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727823
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727825
  Introduced through: redis/redis@6.2.5-r0
From: redis/redis@6.2.5-r0 Fixed in: 6.2.6-r0 * High severity vulnerability found in redis/redis Description: Integer Overflow or Wraparound Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727826 Introduced through: redis/redis@6.2.5-r0 From: redis/redis@6.2.5-r0 Fixed in: 6.2.6-r0 --- Dockerfile | 3 ++- src/version.h | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b265d96..e1234e8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,7 +11,8 @@ RUN sed -i -e 's/"daemonize":.*true,/"daemonize": false,/g' /etc/webdis.prod.jso # main image FROM alpine:3.14.2 # Required dependencies, with versions fixing known security vulnerabilities -RUN apk update && apk add libevent msgpack-c 'redis>5.1' 'apk-tools>2.12.6-r0' +# RUN apk update && apk add libevent msgpack-c 'redis>5.1' 'apk-tools>2.12.6-r0' +RUN apk update && apk add libevent msgpack-c 'redis>6.2.6' 'apk-tools>2.12.6-r0' COPY --from=stage /usr/local/bin/webdis /usr/local/bin/ COPY --from=stage /etc/webdis.prod.json /etc/webdis.prod.json RUN echo "daemonize yes" >> /etc/redis.conf diff --git a/src/version.h b/src/version.h index 1e95efb..ce212a8 100644 --- a/src/version.h +++ b/src/version.h @@ -2,7 +2,7 @@ #define VERSION_H #ifndef WEBDIS_VERSION -#define WEBDIS_VERSION "0.1.18-dev" +#define WEBDIS_VERSION "0.1.17.1" #endif #endif /* VERSION_H */
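Review bot: the new constraint `'redis>6.2.6'` in the Dockerfile hunk is a strict lower bound that, read literally, excludes the exact version the commit message names as the fix (`6.2.6-r0`) and only works if apk happens to order `6.2.6-r0` above `6.2.6`; since the point of the change is to land on a known-fixed package, pin it as `redis=6.2.6-r0` (what the advisories list under "Fixed in") or at least write `'redis>=6.2.6'` so the intent does not depend on version-comparison details, and confirm the `alpine:3.14.2` repositories actually ship 6.2.6-r0 so `apk add` does not fail at build time. The commented-out `# RUN apk update && apk add libevent msgpack-c 'redis>5.1' 'apk-tools>2.12.6-r0'` line should be deleted rather than kept: git history already records the old constraint, and a dead `RUN` line next to the live one invites someone to re-enable it.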
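Review bot: the src/version.h hunk moves `WEBDIS_VERSION` backwards from `"0.1.18-dev"` to `"0.1.17.1"`, which is right for a point release cut from the 0.1.17 line but, if this commit lands on the development branch, leaves it reporting an already-released version until someone remembers to bump it; either apply it on a release branch or follow it immediately with a commit restoring `"0.1.18-dev"`, and say which in the commit message so the history is unambiguous.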