Version 0.1.21 (security update)
Security update, fixing vulnerabilities found in the Alpine Linux base image as well as the embedded Redis service and SSL libraries. Additionally, and not related to security: fixed build issues with CentOS 7.

= Security fixes =

Urgency: HIGH

Note for the list of vulnerabilities provided below: the "Impact" described only applies if the Webdis image is used without changes. If Webdis is used as a base image, please review whether the changes made to it can cause these vulnerabilities to become exploitable.

== Critical severity ==

Description: Out-of-bounds Write in zlib (CVE-2022-37434)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-ZLIB-2976174
Origin: zlib/zlib@1.2.11-r3, from the base image
Impact: Webdis uses zlib to support HTTP compression

== High severity ==

Description: Loop with Unreachable Exit Condition ('Infinite Loop')
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2426333
Origin: openssl/libcrypto1.1
Impact: Webdis only uses TLS to connect to Redis

Description: Execute arbitrary code via netstat (CVE-2022-28391)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-BUSYBOX-2440608
Origin: introduced by the base image, alpine:3.14.3
Impact: netstat is not used by Webdis

Description: Arbitrary Code Injection in Redis (CVE-2022-24735)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-2805760
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis

Description: NULL Pointer Dereference in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314660
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

Description: Double Free in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314657
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

Description: Access of Resource Using Incompatible Type in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314651
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

Description: Use After Free in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314650
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

Description: NULL Pointer Dereference in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314647
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

== Medium severity ==

Description: NULL Pointer Dereference in Redis (CVE-2022-24736)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-2805761
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis

Description: Inadequate Encryption Strength in openssl (CVE-2022-2097)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2941807
Origin: openssl/openssl@1.1.1l-r0, openssl/libssl1.1@1.1.1l-r0
Impact: Webdis only uses TLS to connect to Redis

== Low severity ==

Description: Integer Overflow or Wraparound in Redis (CVE-2022-35977)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-3243491
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis

Description: Integer Overflow or Wraparound in Redis (CVE-2023-22458)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-3243489
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis

Branch: master
Parent: 1b63174d5d
Commit: ca5144d811
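The note in the advisory above says the stated impact holds only for the unmodified image and that derived images must be reviewed separately. The script below is an added example, not part of Webdis or its release notes: it takes the output of `apk list --installed` and the contents of `/etc/alpine-release` captured from a container (for instance via `docker run --rm <image> sh -c 'apk list --installed'`) and reports which of the packages quoted in the advisory's "Origin" lines are still present at the affected versions. The package listing embedded in it is a constructed sample (the busybox and baselayout versions in it are made up for illustration). The libssl3 items, for which the advisory quotes no version, are not checked; libcrypto1.1 is checked on the labelled assumption that it is the same 1.1.1l-r0 build as the openssl/libssl1.1 origin.

```python
"""Report advisory-listed packages still installed in a Webdis-based image.

Added example, not Webdis code.  Input is the text printed by
`apk list --installed` (Alpine 3.14 apk-tools) plus the base release string
from /etc/alpine-release, both captured from the container under review.
"""
import re
import sys

# Package name -> version quoted in the advisory's "Origin" lines.
# redis is quoted without an apk release suffix, so versions are matched
# either exactly or as "<version>-r<N>".
AFFECTED_PACKAGES = {
    "zlib": "1.2.11-r3",          # CVE-2022-37434 (critical)
    "openssl": "1.1.1l-r0",       # CVE-2022-2097 (medium)
    "libssl1.1": "1.1.1l-r0",     # CVE-2022-2097 (medium)
    # Assumption (not quoted by the advisory): libcrypto1.1 ships from the
    # same openssl 1.1.1l-r0 build as libssl1.1.
    "libcrypto1.1": "1.1.1l-r0",  # infinite loop, SNYK-ALPINE314-OPENSSL-2426333
    "redis": "6.2.6",             # CVE-2022-24735/24736/35977, CVE-2023-22458
}

# The busybox/netstat item (CVE-2022-28391) is attributed to the base image.
AFFECTED_BASE_RELEASE = "3.14.3"

# `apk list --installed` lines look like:
#   zlib-1.2.11-r3 x86_64 {zlib} (Zlib) [installed]
# Package names may contain hyphens and digits (libssl1.1), so the version
# is taken to begin at the first "-<digit>" boundary, as apk itself does.
_LINE = re.compile(r"^(?P<name>.+?)-(?P<version>\d\S*)\s")


def parse_apk_list(listing: str) -> dict:
    """Map installed package name -> version from `apk list --installed` text."""
    packages = {}
    for line in listing.splitlines():
        m = _LINE.match(line.strip())
        if m:
            packages[m.group("name")] = m.group("version")
    return packages


def _matches(installed: str, affected: str) -> bool:
    """Exact match, or the quoted version followed by an apk release suffix."""
    return installed == affected or installed.startswith(affected + "-")


def find_affected(listing: str, alpine_release: str) -> list:
    """Return (component, installed version) pairs that match the advisory."""
    installed = parse_apk_list(listing)
    hits = []
    for name, bad_version in AFFECTED_PACKAGES.items():
        version = installed.get(name)
        if version is not None and _matches(version, bad_version):
            hits.append((name, version))
    release = alpine_release.strip()
    if release == AFFECTED_BASE_RELEASE:
        hits.append(("alpine-base", release))
    return hits


# Constructed sample listing, modelled on the advisory's Alpine 3.14 origins.
# The busybox and alpine-baselayout versions are illustrative only.
SAMPLE_LISTING = """\
alpine-baselayout-3.2.0-r16 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
busybox-1.33.1-r6 x86_64 {busybox} (GPL-2.0-only) [installed]
libcrypto1.1-1.1.1l-r0 x86_64 {openssl} (OpenSSL) [installed]
libssl1.1-1.1.1l-r0 x86_64 {openssl} (OpenSSL) [installed]
redis-6.2.6-r0 x86_64 {redis} (BSD-3-Clause) [installed]
zlib-1.2.11-r3 x86_64 {zlib} (Zlib) [installed]
"""
SAMPLE_RELEASE = "3.14.3\n"


def main(argv: list) -> int:
    """Usage: script.py [apk-list-file] [alpine-release-file]; defaults to the sample."""
    listing = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LISTING
    release = open(argv[2]).read() if len(argv) > 2 else SAMPLE_RELEASE
    hits = find_affected(listing, release)
    for name, version in hits:
        print(f"AFFECTED {name} {version}")
    print(f"{len(hits)} advisory component(s) present")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status makes the script usable as a CI gate for images derived from Webdis; an empty result only means the quoted versions are gone, not that every item in the advisory (in particular the unversioned libssl3 ones) has been addressed.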