Argo-cd: Update redis version

Created on 4 Nov 2020  ·  1 Comment  ·  Source: argoproj/argo-cd

Checklist:

  • [x] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • [x] I've included steps to reproduce the bug.
  • [ ] I've pasted the output of argocd version.

Describe the bug

Currently, the version of redis (5.0.8) contains a vulnerability CVE-2020-14147 with a score of 7.7. Please update the redis version to 6.0.9

To Reproduce

No steps

Expected behavior

To update redis

bug security

Most helpful comment

Hey, thanks for reporting this.

I have had a quick look, but it seems that a fix for this issue was backported to the 5.x branch and is actually included with the 5.0.8 release of redis that we are using. According to CVE-2020-14147, the issue is a regression of CVE-2015-8080, and from the release 5.0.8 changelog it states the following:

Seunghoon Woo in commit 16b2d07f:
 [FIX] revisit CVE-2015-8080 vulnerability
 1 file changed, 6 insertions(+), 4 deletions(-)

While I have had a look at the Changelog, I noticed that there was another security issue fixed with the 5.0 release that I'm currently verifying. It affects only certain platforms with certain malloc implementations. It has no CVE assigned yet afaik.

Anyhow, I think instead of upgrading to 6.x branch, an upgrade to 5.0.10 might be the less intrusive way.
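As an added example (not code from the issue or from Argo CD), a small Python check that reads `redis_version` from a Redis `INFO server` section and compares it against the branch minimum the comment above cites, so a scanner finding on 5.0.8 can be reconciled with the backported fix instead of the bare version number. The INFO sample is constructed, and the table containing only the 5.x entry (5.0.8, from the changelog quoted above) is an assumption; branches it does not list are reported as unverified rather than guessed.

```python
import re

# Minimum release per major branch that carries the CVE-2020-14147 fix.
# Only 5.0.8 is supported by the issue comment (changelog "revisit CVE-2015-8080");
# other branches are deliberately absent and come back as "unverified".
FIXED_MINIMUM = {5: (5, 0, 8)}

# Constructed sample of the `INFO server` section as redis-cli prints it.
SAMPLE_INFO = """# Server
redis_version:5.0.8
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 5.4.0 x86_64
"""


def parse_version(text):
    """Return (major, minor, patch) from an INFO dump or a bare 'x.y.z' string."""
    m = re.search(r"redis_version:\s*(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if m is None:
        raise ValueError("no redis version found in input")
    return tuple(int(x) for x in m.groups())


def cve_2020_14147_status(version):
    """'fixed' at or above the branch minimum, 'vulnerable' below it,
    'unverified' when the branch is not in the table."""
    minimum = FIXED_MINIMUM.get(version[0])
    if minimum is None:
        return "unverified"
    return "fixed" if version >= minimum else "vulnerable"


def check_info(info_text):
    """Parse an INFO dump and return (version string, status)."""
    version = parse_version(info_text)
    return ".".join(map(str, version)), cve_2020_14147_status(version)


if __name__ == "__main__":
    print(check_info(SAMPLE_INFO))  # ('5.0.8', 'fixed')
```

Feed it the output of `redis-cli INFO server` from the Argo CD redis pod to check the version actually running rather than the one a manifest declares.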
