Bug 2223393 (CVE-2021-31294) - CVE-2021-31294 redis: an assertion failure in a primary server by sending a non-administrative command
Keywords:
Status: NEW
Alias: CVE-2021-31294
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2223397 2223537 2223399 2223501 2223502 2223503 2223504 2223505 2223536
Blocks: 2223398
 
Reported: 2023-07-17 15:14 UTC by Marian Rehak
Modified: 2024-03-18 13:29 UTC

Fixed In Version: redis 6.2.x, redis 7.x
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Redis package. If a replica sends a SET command to its master during a failover, the master crashes on an assertion failure.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Marian Rehak 2023-07-17 15:14:03 UTC
Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this.

Reference:

https://github.com/redis/redis/commit/46f4ebbe842620f0976a36741a72482620aa4b48
https://github.com/redis/redis/commit/6cbea7d29b5285692843bc1c351abba1a7ef326f
https://github.com/redis/redis/issues/8712

Comment 1 Marian Rehak 2023-07-17 15:19:00 UTC
Created redis tracking bugs for this issue:

Affects: epel-all [bug 2223397]

