An update for the redis:6 module is now available for Red Hat Enterprise Linux
 8.

Red Hat Product Security has rated this update as having a security impact of
 Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Redis is an advanced key-value store. It is often referred to as a
 data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.

Security Fix(es):

* redis: Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands may
 lead to denial-of-service (CVE-2023-22458)

* redis: Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands may
 result with false OOM panic (CVE-2022-35977)

* redis: Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands
 can trigger an integer overflow (CVE-2022-36021)

* redis: String matching commands (like SCAN or KEYS) with a specially crafted
 pattern to trigger a denial-of-service attack (CVE-2023-25155)

* redis: Insufficient validation of HINCRBYFLOAT command (CVE-2023-28856)

* redis: heap overflow in the lua cjson and cmsgpack libraries (CVE-2022-24834)

* redis: possible bypass of Unix socket permissions on startup (CVE-2023-45145)

* redis: Lua library commands may lead to stack overflow and RCE in Redis
 (CVE-2024-31449)

* redis: Denial-of-service due to unbounded pattern matching in Redis
 (CVE-2024-31228)

* redis: Redis' Lua library commands may lead to remote code execution
 (CVE-2024-46981)

For more details about the security issue(s), including the impact, a CVSS
 score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2022-24834: Integer Overflow to Buffer Overflow (CWE-680)
CVE-2022-35977: Integer Overflow or Wraparound (CWE-190)
CVE-2022-36021: Inefficient Algorithmic Complexity (CWE-407)
CVE-2023-22458: Integer Overflow or Wraparound (CWE-190)
CVE-2023-25155: Integer Overflow or Wraparound (CWE-190)
CVE-2023-28856: Improper Input Validation (CWE-20)
CVE-2023-45145: Improper Privilege Management (CWE-269)
CVE-2024-31228: Uncontrolled Recursion (CWE-674)
CVE-2024-31449: Improper Input Validation (CWE-20)
CVE-2024-46981: Use After Free (CWE-416)