A flaw was found in Redis before 5.0. A type confusion in the xgroupCommand function in t_stream.c in redis-server allows remote attackers to cause a denial of service via an XGROUP command in which the key is not a stream.

References:
https://gist.github.com/fakhrizulkifli/34a56d575030682f6c564553c53b82b5
https://github.com/antirez/redis/commit/c04082cf138f1f51cedf05ee9ad36fb6763cafc6
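The class of bug described above, as an added example that is not part of the original report and is not Redis source code: a handler for a stream-only command looks up a key and has to confirm the object's type tag before treating its payload as a stream. All struct, function and key names here are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a typed key space; not Redis source code. */
enum obj_type { OBJ_STRING, OBJ_STREAM };
enum reply { REPLY_OK, ERR_NOKEY, ERR_WRONGTYPE };

struct stream { int ngroups; };
struct robj { enum obj_type type; void *ptr; }; /* ptr: char* or struct stream* */
struct entry { const char *key; struct robj obj; };

static struct stream demo_stream = { 0 };
static struct entry keyspace[] = {              /* constructed sample keys */
    { "mystream", { OBJ_STREAM, &demo_stream } },
    { "mystring", { OBJ_STRING, "hello" } },
};

static struct robj *lookup_key(const char *key) {
    for (size_t i = 0; i < sizeof keyspace / sizeof keyspace[0]; i++)
        if (strcmp(keyspace[i].key, key) == 0) return &keyspace[i].obj;
    return NULL;
}

/* Stream-only command handler (hypothetical name). Without the type check,
 * the cast below would reinterpret a string payload as a struct stream,
 * which is the type confusion the report describes. */
enum reply xgroup_create(const char *key) {
    struct robj *o = lookup_key(key);
    if (o == NULL) return ERR_NOKEY;
    if (o->type != OBJ_STREAM) return ERR_WRONGTYPE; /* reject before any cast */
    struct stream *s = o->ptr;                       /* safe: tag was verified */
    s->ngroups++;
    return REPLY_OK;
}

int group_count(void) { return demo_stream.ngroups; }

int main(void) {
    printf("mystring -> %d\n", xgroup_create("mystring")); /* ERR_WRONGTYPE */
    printf("mystream -> %d\n", xgroup_create("mystream")); /* REPLY_OK */
    printf("groups   -> %d\n", group_count());
    return 0;
}
```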
Created redis tracking bugs for this issue:

Affects: epel-all [bug 1592893]
Affects: fedora-all [bug 1592895]
The Streams implementation was first committed in 5.0-rc1:
https://github.com/antirez/redis/tree/5.0-rc1/src

This fix is for 5.0-rc3. The flawed code is not in earlier versions; openstack uses, at the latest, redis-3.2.8-2.el7ost.

Setting all openstack to notaffected.
This code (t_stream.c) is part of the not-yet-released-upstream redis-5 series - it's still in beta upstream, is not released, and is not in any Red Hat product.