ALAS2023-2023-164

Amazon Linux 2023 Security Advisory: ALAS2023-2023-164
Advisory Released Date: 2023-05-03
Advisory Updated Date: 2023-05-03

Severity: Medium

References: CVE-2023-28425 CVE-2023-28856
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Redis is an in-memory database that persists on disk. Starting in version 7.0.8 and prior to version 7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process. The problem is fixed in Redis version 7.0.10. (CVE-2023-28425)

Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that may later crash Redis on access. (CVE-2023-28856)

Affected Packages:

redis6

Issue Correction:
Run dnf update redis6 --releasever 2023.0.20230503 to update your system.

New Packages:

aarch64:
    redis6-devel-6.2.12-1.amzn2023.0.1.aarch64
    redis6-debuginfo-6.2.12-1.amzn2023.0.1.aarch64
    redis6-6.2.12-1.amzn2023.0.1.aarch64
    redis6-debugsource-6.2.12-1.amzn2023.0.1.aarch64

noarch:
    redis6-doc-6.2.12-1.amzn2023.0.1.noarch

src:
    redis6-6.2.12-1.amzn2023.0.1.src

x86_64:
    redis6-debuginfo-6.2.12-1.amzn2023.0.1.x86_64
    redis6-devel-6.2.12-1.amzn2023.0.1.x86_64
    redis6-6.2.12-1.amzn2023.0.1.x86_64
    redis6-debugsource-6.2.12-1.amzn2023.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2023-28425, CVE-2023-28856

Mitre: CVE-2023-28425, CVE-2023-28856