From ca5144d81168d87fab1979214a78937adb3f9624 Mon Sep 17 00:00:00 2001
From: Nicolas Favre-Felix
Date: Sun, 5 Feb 2023 10:36:03 -0800
Subject: [PATCH] Version 0.1.21 (security update)

Security update, fixing vulnerabilities found in the Alpine Linux base image
as well as the embedded Redis service and SSL libraries.

Additionally and not related to security: fixed build issues with CentOS 7

= Security fixes =

Urgency: HIGH

Note for the list of vulnerabilities provided below: The "Impact" described
only applies if the Webdis image is used without changes. If Webdis is used
as a base image, please review whether the changes made to it can cause these
vulnerabilities to become exploitable.

== Critical severity ==

Description: Out-of-bounds Write in zlib (CVE-2022-37434)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-ZLIB-2976174
Origin: zlib/zlib@1.2.11-r3, from the base image
Impact: Webdis uses zlib to support HTTP compression

== High severity ==

Description: Loop with Unreachable Exit Condition ('Infinite Loop')
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2426333
Origin: openssl/libcrypto1.1
Impact: Webdis only uses TLS to connect to Redis

Description: Execute arbitrary code via netstat (CVE-2022-28391)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-BUSYBOX-2440608
Origin: introduced by the base image, alpine:3.14.3
Impact: netstat is not used by Webdis

Description: Arbitrary Code Injection in Redis (CVE-2022-24735)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-2805760
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis

Description: NULL Pointer Dereference in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314660
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

Description: Double Free in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314657
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

Description: Access of Resource Using Incompatible Type in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314651
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

Description: Use After Free in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314650
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

Description: NULL Pointer Dereference in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314647
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

== Medium severity ==

Description: NULL Pointer Dereference in Redis (CVE-2022-24736)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-2805761
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis

Description: Inadequate Encryption Strength in openssl (CVE-2022-2097)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2941807
Origin: openssl/openssl@1.1.1l-r0, openssl/libssl1.1@1.1.1l-r0
Impact: Webdis only uses TLS to connect to Redis

== Low severity ==

Description: Integer Overflow or Wraparound in Redis (CVE-2022-35977)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-3243491
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis

Description: Integer Overflow or Wraparound in Redis (CVE-2023-22458)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-3243489
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis
---
 src/version.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/version.h b/src/version.h
index 5016b78..5713aeb 100644
--- a/src/version.h
+++ b/src/version.h
@@ -2,7 +2,7 @@ #define VERSION_H #ifndef WEBDIS_VERSION -#define WEBDIS_VERSION "0.1.21-dev" +#define WEBDIS_VERSION "0.1.21" #endif #endif /* VERSION_H */
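Review bot: the diffstat shows only src/version.h changed (1 insertion, 1 deletion), yet the message announces fixes to the Alpine Linux base image, the embedded Redis 6.2.6 and the SSL libraries; none of that remediation is in this patch, so the hunk alone cannot confirm that any of the listed CVEs is addressed by 0.1.21. Either fold the base-image and Redis version bumps into this commit or name the commits that carry them in the message, so the `"0.1.21-dev"` to `"0.1.21"` bump is traceable to the fixes it claims. Also, the five libssl3 entries read "Impact: Webdis connects to its internal Webdis instance over TLS", which presumably means the internal Redis instance (as the zlib, libcrypto1.1 and openssl entries say); worth correcting before this text becomes the release notes.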