0.1.22 (e82a64be)

Release 0.1.22 (includes security update)

New feature: added support for TCP keep-alive on connections to Redis.

Bugfix: TRACE logs were not correctly identified as such in the logs; they should now appear with a T prefix.

Security: this is also a security update, fixing vulnerabilities found in the OpenSSL library, installed from Alpine Linux packages (Alpine Linux provides the base image for Webdis).

Impact: Webdis can connect to external Redis instances over TLS. By default, it does not use TLS to connect to Redis, but interfaces with Redis over a local connection within the Docker container. Please review whether these OpenSSL vulnerabilities affect your deployment. If you do not use TLS to connect to Redis, then you should not be affected.

openssl 3.0.8-r1 - 1 HIGH, 6 MEDIUM
pkg:apk/alpine/openssl@3.0.8-r1?os_name=alpine&os_version=3.17

* HIGH CVE-2023-2650 https://scout.docker.com/v/CVE-2023-2650
  Affected range: <3.0.9-r0
  Fixed version: 3.0.9-r0
* MEDIUM CVE-2023-1255 https://scout.docker.com/v/CVE-2023-1255
  Affected range: <3.0.8-r4
  Fixed version: 3.0.8-r4
* MEDIUM CVE-2023-3817 https://scout.docker.com/v/CVE-2023-3817
  Affected range: <3.0.10-r0
  Fixed version: 3.0.10-r0
* MEDIUM CVE-2023-3446 https://scout.docker.com/v/CVE-2023-3446
  Affected range: <3.0.9-r3
  Fixed version: 3.0.9-r3
* MEDIUM CVE-2023-2975 https://scout.docker.com/v/CVE-2023-2975
  Affected range: <3.0.9-r2
  Fixed version: 3.0.9-r2
* MEDIUM CVE-2023-0466 https://scout.docker.com/v/CVE-2023-0466
  Affected range: <3.0.8-r3
  Fixed version: 3.0.8-r3
* MEDIUM CVE-2023-0465 https://scout.docker.com/v/CVE-2023-0465
  Affected range: <3.0.8-r2
  Fixed version: 3.0.8-r2

openssl1.1-compat 1.1.1t-r1 - 2 MEDIUM
pkg:apk/alpine/openssl1.1-compat@1.1.1t-r1?os_name=alpine&os_version=3.17

* MEDIUM CVE-2023-3446 https://scout.docker.com/v/CVE-2023-3446
  Affected range: <1.1.1u-r1
  Fixed version: 1.1.1u-r1
* MEDIUM CVE-2023-0465 https://scout.docker.com/v/CVE-2023-0465
  Affected range: <1.1.1t-r2
  Fixed version: 1.1.1t-r2
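A triage helper for scanner output of the kind listed above, added here as an example and not part of Webdis or of its release notes: it orders Alpine apk version strings the way the "Affected range" entries require (numeric parts, a letter suffix such as 1.1.1t, and the -rN package release) and reports which of the listed CVEs still apply to a given installed openssl version. The CVE table is copied from the 0.1.22 notes; rejecting _alpha/_rc pre-release suffixes is an assumption, since none appear on this page.

```python
import re
from typing import List, Sequence, Tuple
# Alpine apk versions on this page look like "3.0.8-r1" or "1.1.1t-r1":
# dotted numeric parts, an optional letter suffix, and a "-rN" package release.
# Assumption: _alpha/_rc pre-release suffixes are not used here and are rejected.
_COMPONENT = re.compile(r"^(\d+)([a-z]*)$")

def parse_apk_version(version: str) -> Tuple[List[Tuple[int, str]], int]:
    base, _, rel = version.partition("-r")
    components = []
    for part in base.split("."):
        m = _COMPONENT.match(part)
        if not m:
            raise ValueError(f"unsupported apk version component: {part!r}")
        components.append((int(m.group(1)), m.group(2)))
    return components, int(rel) if rel else 0

def apk_version_lt(a: str, b: str) -> bool:
    """True if apk version a sorts strictly before b (numeric, not string, order)."""
    ca, ra = parse_apk_version(a)
    cb, rb = parse_apk_version(b)
    n = max(len(ca), len(cb))            # treat 3.0 and 3.0.0 as equal
    ca += [(0, "")] * (n - len(ca))
    cb += [(0, "")] * (n - len(cb))
    return (ca, ra) < (cb, rb)

def is_affected(installed: str, affected_range: str) -> bool:
    """Evaluate a scanner range written as "<fixed-version"."""
    if not affected_range.startswith("<"):
        raise ValueError("only '<fixed' ranges are handled here")
    return apk_version_lt(installed, affected_range[1:])

# Triage table constructed from the openssl findings listed in the 0.1.22 notes.
OPENSSL_FINDINGS: Sequence[Tuple[str, str, str]] = (
    ("CVE-2023-2650", "HIGH", "<3.0.9-r0"),
    ("CVE-2023-1255", "MEDIUM", "<3.0.8-r4"),
    ("CVE-2023-3817", "MEDIUM", "<3.0.10-r0"),
    ("CVE-2023-3446", "MEDIUM", "<3.0.9-r3"),
    ("CVE-2023-2975", "MEDIUM", "<3.0.9-r2"),
    ("CVE-2023-0466", "MEDIUM", "<3.0.8-r3"),
    ("CVE-2023-0465", "MEDIUM", "<3.0.8-r2"),
)

def open_findings(installed: str, findings=OPENSSL_FINDINGS) -> List[str]:
    """CVEs from the table that still apply to the installed package version."""
    return [cve for cve, _sev, rng in findings if is_affected(installed, rng)]

if __name__ == "__main__":
    for v in ("3.0.8-r1", "3.0.9-r3", "3.0.10-r0"):
        print(v, "->", open_findings(v))
```

Note that 3.0.10-r0 sorts after 3.0.9-r3 here, which a plain string comparison of the version text would get wrong.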
0.1.21 (ca5144d8)

Version 0.1.21 (security update)

Security update, fixing vulnerabilities found in the Alpine Linux base image as well as the embedded Redis service and SSL libraries. Additionally, and not related to security: fixed build issues with CentOS 7.

= Security fixes =

Urgency: HIGH

Note for the list of vulnerabilities provided below: the "Impact" described only applies if the Webdis image is used without changes. If Webdis is used as a base image, please review whether the changes made to it can cause these vulnerabilities to become exploitable.

== Critical severity ==

Description: Out-of-bounds Write in zlib (CVE-2022-37434)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-ZLIB-2976174
Origin: zlib/zlib@1.2.11-r3, from the base image
Impact: Webdis uses zlib to support HTTP compression

== High severity ==

Description: Loop with Unreachable Exit Condition ('Infinite Loop')
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2426333
Origin: openssl/libcrypto1.1
Impact: Webdis only uses TLS to connect to Redis

Description: Execute arbitrary code via netstat (CVE-2022-28391)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-BUSYBOX-2440608
Origin: introduced by the base image, alpine:3.14.3
Impact: netstat is not used by Webdis

Description: Arbitrary Code Injection in Redis (CVE-2022-24735)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-2805760
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis

Description: NULL Pointer Dereference in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314660
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Redis instance over TLS

Description: Double Free in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314657
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Redis instance over TLS

Description: Access of Resource Using Incompatible Type in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314651
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Redis instance over TLS

Description: Use After Free in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314650
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Redis instance over TLS

Description: NULL Pointer Dereference in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314647
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Redis instance over TLS

== Medium severity ==

Description: NULL Pointer Dereference in Redis (CVE-2022-24736)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-2805761
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis

Description: Inadequate Encryption Strength in openssl (CVE-2022-2097)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2941807
Origin: openssl/openssl@1.1.1l-r0, openssl/libssl1.1@1.1.1l-r0
Impact: Webdis only uses TLS to connect to Redis

== Low severity ==

Description: Integer Overflow or Wraparound in Redis (CVE-2022-35977)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-3243491
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis

Description: Integer Overflow or Wraparound in Redis (CVE-2023-22458)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-3243489
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis
0.1.18 (a12c39a6)

Release 0.1.18

New feature: support for SSL connections to Redis. Webdis can now connect securely to Redis, thanks to the Hiredis client library. Docker images for Webdis will now contain two binaries, "webdis" and "webdis-ssl", the latter depending on OpenSSL.

See the Webdis README for details: https://github.com/nicolasff/webdis#configuring-webdis-with-ssl
0.1.17.1 (942be1fd)

Release 0.1.17.1 (Fixes Redis vulnerabilities)

Security update: upgrading the version of Redis bundled in the Webdis image to fix a number of severe vulnerabilities.

* Low severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727801
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0
* Medium severity vulnerability found in redis/redis
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727803
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0
* High severity vulnerability found in redis/redis
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727783
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0
* High severity vulnerability found in redis/redis
  Description: CVE-2021-32626
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727820
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0
* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727822
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0
* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727823
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0
* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727825
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0
* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727826
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0
0.1.17 (8430eadc)

Release 0.1.17

* Many improvements to the WebSocket implementation (#198, #199). WebSocket support is now much more stable, and better tested. The feature is still disabled by default, but is recommended for testing.
* Base image updated from Alpine 3.12.7 to 3.14.2 to resolve vulnerabilities found in Alpine. Webdis itself is not at risk, but images *based* on Webdis could be using vulnerable software if they use packages from Alpine 3.12.7.
0.1.16 (649cadca)

Release 0.1.16

* Only process the `Connection: close` header if the full request was read (#194). This likely fixes the same issue also reported in #145.
* Fix a small memory leak when the `type` query string parameter is used; the value was not being freed, leading to memory usage growing by a few bytes per request. Upgrading is recommended if you use this feature.
* Fix an invalid call to `ioctl`, which did not seem to affect Linux systems but could have had an impact on macOS (found in #197).
0.1.15 (d988eea7)

Release 0.1.15

* Fixed compilation warnings
* Fixed code quality issues found by CodeQL
* Upgraded base image from alpine:3.12.6 to alpine:3.12.7 (see CWE-125 and CVE-2021-30139). This is *not* a security issue if you just use the webdis image to run the service, but could be if you're building a new Docker image using webdis as a base image.