Version 0.1.21 (security update)
Security update, fixing vulnerabilities found in the Alpine Linux base
image as well as the embedded Redis service and SSL libraries.
Additionally and not related to security: fixed build issues with
CentOS 7
= Security fixes =
Urgency: HIGH
Note for the list of vulnerabilities provided below:
The "Impact" described only applies if the Webdis image is used
without changes. If Webdis is used as a base image, please review
whether the changes made to it can cause these vulnerabilities to
become exploitable.
== Critical severity ==
Description: Out-of-bounds Write in zlib (CVE-2022-37434)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-ZLIB-2976174
Origin: zlib/zlib@1.2.11-r3, from the base image
Impact: Webdis uses zlib to support HTTP compression
== High severity ==
Description: Loop with Unreachable Exit Condition ('Infinite Loop')
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2426333
Origin: openssl/libcrypto1.1
Impact: Webdis only uses TLS to connect to Redis
Description: Execute arbitrary code via netstat (CVE-2022-28391)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-BUSYBOX-2440608
Origin: introduced by the base image, alpine:3.14.3
Impact: netstat is not used by Webdis
Description: Arbitrary Code Injection in Redis (CVE-2022-24735)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-2805760
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis
Description: NULL Pointer Dereference in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314660
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS
Description: Double Free in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314657
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS
Description: Access of Resource Using Incompatible Type in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314651
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS
Description: Use After Free in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314650
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS
Description: NULL Pointer Dereference in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314647
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS
== Medium severity ==
Description: NULL Pointer Dereference in Redis (CVE-2022-24736)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-2805761
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis
Description: Inadequate Encryption Strength in openssl (CVE-2022-2097)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2941807
Origin: openssl/openssl@1.1.1l-r0, openssl/libssl1.1@1.1.1l-r0
Impact: Webdis only uses TLS to connect to Redis
== Low severity ==
Description: Integer Overflow or Wraparound in Redis (CVE-2022-35977)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-3243491
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis
Description: Integer Overflow or Wraparound in Redis (CVE-2023-22458)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-3243489
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis