Heap buffer overflow with corrupted HyperLogLog data structure. Redis stores a HyperLogLog as an ordinary string value, so any client that can write to the key can alter its raw bytes with the SETRANGE command. By carefully corrupting a HyperLogLog structure in this way, an attacker could trick Redis' interpretation of the dense HLL encoding into writing up to 3 bytes beyond the end of a heap-allocated buffer. Upstream patches: https://github.com/antirez/redis/commit/e216ceaf0e099536fe3658a29dcb725d812364e0 https://github.com/antirez/redis/commit/9f13b2bd4967334b1701c6eccdf53760cb13f79e
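As an added example (this is not Redis' code and not the upstream fix; it is written here to illustrate the checks involved), the following C program reads the raw HyperLogLog string layout that Redis stores under a key and refuses to interpret a value that has been corrupted. The layout it assumes follows the Redis format: a 16-byte header ("HYLL", an encoding byte, 3 reserved bytes, 8 bytes of cached cardinality), then either a dense body of exactly 12288 bytes holding 16384 registers of 6 bits, or a sparse body of ZERO, XZERO and VAL opcodes. Two checks are the point: a dense value is rejected unless its length is exactly the dense size, and a sparse run is bounds-checked against the register count before any register is written rather than after the whole body has been walked. The function and constant names (`hll_validate`, `sparse_to_dense`, `dense_set_register`, the `hll_status` codes) are chosen for this example, and the sample bytes are constructed: an intact sparse value, and the same value with one byte changed the way a SETRANGE on the key could change it, so that a run would start at register 16384.

```c
/* Added example, not Redis' own code: a bounds-checked reader for the raw
 * HyperLogLog string Redis stores under a key. Header: "HYLL", encoding byte
 * (0 dense, 1 sparse), 3 reserved bytes, 8 bytes cached cardinality; then body. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HLL_REGISTERS  16384                               /* 2^14 registers */
#define HLL_BITS       6                                   /* bits per register */
#define HLL_HDR_SIZE   16
#define HLL_REG_BYTES  ((HLL_REGISTERS * HLL_BITS + 7) / 8) /* 12288 */
#define HLL_DENSE_SIZE (HLL_HDR_SIZE + HLL_REG_BYTES)       /* 12304 */
#define HLL_DENSE      0
#define HLL_SPARSE     1

enum hll_status { HLL_OK = 0, HLL_BAD_HDR, HLL_BAD_LEN, HLL_BAD_SPARSE, HLL_REG_OVERFLOW };

/* Store 6-bit `val` in register `idx` (a register may straddle two bytes). The
 * idx bound is the point: idx == HLL_REGISTERS would otherwise write regs[12288]
 * and regs[12289], bytes past the end of the 12288-byte heap buffer. */
static int dense_set_register(uint8_t *regs, size_t idx, unsigned val) {
    if (idx >= HLL_REGISTERS || val > 63) return -1;
    size_t byte = idx * HLL_BITS / 8;
    unsigned fb = (idx * HLL_BITS) & 7, fb8 = 8 - fb;
    regs[byte] = (uint8_t)((regs[byte] & ~(63u << fb)) | (val << fb));
    if (fb + HLL_BITS > 8)              /* spills into the next byte, still in bounds */
        regs[byte + 1] = (uint8_t)((regs[byte + 1] & ~(63u >> fb8)) | (val >> fb8));
    return 0;
}

static unsigned dense_get_register(const uint8_t *regs, size_t idx) {
    size_t byte = idx * HLL_BITS / 8;
    unsigned fb = (idx * HLL_BITS) & 7, fb8 = 8 - fb;
    unsigned b1 = (fb + HLL_BITS > 8) ? regs[byte + 1] : 0;
    return ((regs[byte] >> fb) | (b1 << fb8)) & 63;
}

/* Expand a sparse body into dense registers. Opcodes (Redis format):
 *   ZERO  00xxxxxx           -> xxxxxx+1 (1..64) zero registers
 *   XZERO 01xxxxxx yyyyyyyy  -> 14-bit value +1 (1..16384) zero registers
 *   VAL   1vvvvvxx           -> xx+1 (1..4) registers set to vvvvv+1 (1..32)
 * The index is checked against HLL_REGISTERS before each run is written; a
 * check that only runs after the loop comes too late to stop the overflow. */
static enum hll_status sparse_to_dense(const uint8_t *p, size_t len, uint8_t *regs) {
    const uint8_t *end = p + len;
    size_t idx = 0;
    memset(regs, 0, HLL_REG_BYTES);
    while (p < end) {
        unsigned runlen, val = 0;
        if ((*p & 0xC0) == 0x00) { runlen = (*p & 0x3F) + 1; p += 1; }
        else if ((*p & 0xC0) == 0x40) {
            if (end - p < 2) return HLL_BAD_SPARSE;
            runlen = (((unsigned)(p[0] & 0x3F) << 8) | p[1]) + 1; p += 2;
        } else { runlen = (*p & 0x03) + 1; val = ((*p >> 2) & 0x1F) + 1; p += 1; }
        if (runlen > HLL_REGISTERS - idx) return HLL_REG_OVERFLOW;
        for (unsigned i = 0; val && i < runlen; i++) dense_set_register(regs, idx + i, val);
        idx += runlen;
    }
    return idx == HLL_REGISTERS ? HLL_OK : HLL_BAD_SPARSE;
}

/* Validate a raw HLL value and expand its registers into `regs`. */
static enum hll_status hll_validate(const uint8_t *buf, size_t len, uint8_t *regs) {
    if (len < HLL_HDR_SIZE || memcmp(buf, "HYLL", 4) != 0) return HLL_BAD_HDR;
    if (buf[4] == HLL_SPARSE) return sparse_to_dense(buf + HLL_HDR_SIZE, len - HLL_HDR_SIZE, regs);
    if (buf[4] != HLL_DENSE) return HLL_BAD_HDR;
    if (len != HLL_DENSE_SIZE) return HLL_BAD_LEN;   /* dense body must be exactly 12288 bytes */
    memcpy(regs, buf + HLL_HDR_SIZE, HLL_REG_BYTES);
    return HLL_OK;
}

/* Constructed sample: sparse HLL with 16380 zero registers (XZERO 0x7F 0xFB) then
 * four registers of value 5 (VAL 0x93). With `corrupt` set, byte 17 is changed
 * as SETRANGE could do it: the XZERO run grows to 16384, so the VAL run would
 * start at register 16384, past the end of a dense buffer. */
static uint8_t sample_regs[HLL_REG_BYTES];
static enum hll_status sample_status(int corrupt) {
    uint8_t blob[19] = { 'H', 'Y', 'L', 'L', HLL_SPARSE };
    blob[16] = 0x7F; blob[17] = corrupt ? 0xFF : 0xFB; blob[18] = 0x93;
    return hll_validate(blob, sizeof blob, sample_regs);
}

static enum hll_status dense_status(size_t len) {   /* dense header + zero body; len <= 12312 */
    static uint8_t blob[HLL_DENSE_SIZE + 8] = { 'H', 'Y', 'L', 'L', HLL_DENSE };
    return hll_validate(blob, len < sizeof blob ? len : sizeof blob, sample_regs);
}

int main(void) {
    printf("intact sample: status %d, register 16383 = %u\n",
           sample_status(0), dense_get_register(sample_regs, 16383));
    printf("corrupted sample: status %d (HLL_REG_OVERFLOW is %d)\n", sample_status(1), HLL_REG_OVERFLOW);
    printf("dense body 1 byte short: status %d (HLL_BAD_LEN is %d)\n", dense_status(HLL_DENSE_SIZE - 1), HLL_BAD_LEN);
    return 0;
}
```

Build with `cc -Wall -o hllcheck hllcheck.c` and run it; no libraries beyond libc are needed. The corrupted sample is rejected with HLL_REG_OVERFLOW before any register write happens, which is the ordering that matters: inside Redis the dense register array is a heap-allocated string, so a register index that is only validated after the body has been expanded lets the writes land in adjacent heap memory, which is why the page classifies this as a heap overflow rather than a crash.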
Created redis tracking bugs for this issue: Affects: openstack-rdo [bug 1727720]
Upstream timeline: https://github.com/antirez/redis/issues/6215
External References: https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES
Statement:
* This issue did not affect the version of grafana (which embeds redis) as shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3, as it only ships the client-side part of the Redis implementation.
* This issue did not affect the version of heketi (which embeds redis) as shipped with Red Hat Gluster Storage 3, as it only ships the client-side part of the Redis implementation.
This issue has been addressed in the following products:
* Red Hat Software Collections for Red Hat Enterprise Linux 7
* Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
* Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
* Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2019:1819 https://access.redhat.com/errata/RHSA-2019:1819
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10192
This issue has been addressed in the following products:
* Red Hat Software Collections for Red Hat Enterprise Linux 7
* Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
* Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
* Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
* Red Hat Software Collections for Red Hat Enterprise Linux 6
Via RHSA-2019:1860 https://access.redhat.com/errata/RHSA-2019:1860
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2002 https://access.redhat.com/errata/RHSA-2019:2002
This issue has been addressed in the following products: Red Hat OpenStack Platform 9.0 Operational Tools for RHEL 7 Via RHSA-2019:2506 https://access.redhat.com/errata/RHSA-2019:2506
This issue has been addressed in the following products: Red Hat OpenStack Platform 9.0 (Mitaka) Via RHSA-2019:2508 https://access.redhat.com/errata/RHSA-2019:2508
This issue has been addressed in the following products: Red Hat OpenStack Platform 14.0 (Rocky) Via RHSA-2019:2621 https://access.redhat.com/errata/RHSA-2019:2621
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2019:2630 https://access.redhat.com/errata/RHSA-2019:2630
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2019:2628 https://access.redhat.com/errata/RHSA-2019:2628