SUSE-OU-2020:3291-1: moderate: Optional update for python-redis and redis

sle-updates at lists.suse.com sle-updates at lists.suse.com
Wed Nov 11 07:35:14 MST 2020


   SUSE Optional Update: Optional update for python-redis and redis
______________________________________________________________________________

Announcement ID:    SUSE-OU-2020:3291-1
Rating:             moderate
References:         #1002351 #1047218 #1061967 #1064980 #1097430 
                    #1131555 #798455 #835815 #991250 ECO-2417 
                    ECO-2867 SLE-11578 SLE-12821 
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
______________________________________________________________________________

   An update that solves 7 vulnerabilities, contains four
   features and has two fixes is now available.

Description:

   This optional update for python-redis and redis provides the following
   fixes

   python-redis:

   - Update to version to 3.4.1 (jsc#ECO-2417)
     * Move the username argument in the Redis and Connection classes to the
       end of the argument list. This helps those poor souls that specify all
       their connection options as non-keyword arguments.
     * Prior to ACL support, redis-py ignored the username component of
       Connection URLs. With ACL support, usernames are no longer ignored and
       are used to authenticate against an ACL rule. Some cloud vendors with
       managed Redis instances (like Heroku) provide connection URLs with a
       username component pre-ACL that is not intended to be used. Sending
       that username to Redis servers < 6.0.0 results in an error. Attempt to
       detect this condition and retry the AUTH command with only the
       password such that authentication continues to work for these users.
     * Removed the __eq__ hooks to Redis and ConnectionPool that were added
       in 3.4.0. This ended up being a bad idea as two separate connection
       pools be considered equal yet manage a completely separate set of
       connections.
     * Allow empty pipelines to be executed if there are WATCHed keys. This
       is a convenient way to test if any of the watched keys changed without
       actually running any other commands.
     * Removed support for end of life Python 3.4.
     * Added support for all ACL commands in Redis 6.
     * Pipeline instances now always evaluate to True. Prior to this change,
       pipeline instances relied on __len__ for boolean evaluation which
       meant that pipelines with no commands on the stack would be considered
       False.
     * Client instances and Connection pools now support a 'client_name'
       argument. If supplied, all connections created will call CLIENT
       SETNAME as soon as the connection is opened.
     * Added the 'ssl_check_hostname' argument to specify whether SSL
       connections should require the server hostname to match the hostname
       specified in the SSL cert. By default 'ssl_check_hostname' is False
       for backwards compatibility.
     * Added support for the TYPE argument to SCAN.
     * Better thread and fork safety in ConnectionPool and
       BlockingConnectionPool. Added better locking to synchronize critical
       sections rather than relying on CPython-specific implementation
       details relating to atomic operations. Adjusted how the pools identify
       and deal with a fork. Added a ChildDeadlockedError exception that is
       raised by child processes in the very unlikely chance that a deadlock
       is encountered.
     * Further fix for the SSLError -> TimeoutError mapping to work on
       obscure releases of Python 2.7.
     * Fixed a potential error handling bug for the SSLError -> TimeoutError
       mapping introduced in 3.3.9.
     * Mapped Python 2.7 SSLError to TimeoutError where appropriate. Timeouts
       should now consistently raise TimeoutErrors
       on Python 2.7 for both unsecured and secured connections.
     * Fixed MONITOR parsing to properly parse IPv6 client addresses
     * Fixed a regression introduced in 3.3.0
     * Resolve a race condition with the PubSubWorkerThread.
     * Response callbacks are now case insensitive.
     * Added support for hiredis-py 1.0.0 encoding error support.
     * Add READONLY and READWRITE commands.
     * Added extensive health checks that keep the connections lively.
     * Many more changes, see upstream changelog.
     * Add missing build dependency setuptools
     * Fix SentinelConnectionPool to work in multiprocess/forked environments

   - Update to 3.2.0 (bsc#1131555)
     * Added support for `select.poll` to test whether data can be read on a
       socket. This should allow for significantly more connections to be
       used with pubsub.
     * Attempt to guarentee that the ConnectionPool hands out healthy
       connections. Healthy connections are those that have an established
       socket connection to the Redis server, are ready to accept a command
       and have no data available to read.
     * Use the socket.IPPROTO_TCP constant instead of socket.SOL_TCP.
       IPPROTO_TCP is available on more interpreters (Jython for instance).
     * Fixed a regression introduced in 3.0 that mishandles exceptions not
       derived from the base Exception class. KeyboardInterrupt and
       gevent.timeout notable.
     * Significant improvements to handing connections with forked processes.
       Parent and child processes no longer trample on each others'
       connections.
     * PythonParser no longer closes the associated connection's socket. The
       connection itself will close the socket.
     * Connection URLs must have one of the following schemes: redis://,
       rediss://, unix://.
     * Fixed an issue with retry_on_timeout logic that caused some
       TimeoutErrors to be retried.
     * Added support for SNI for SSL.
     * Fixed ConnectionPool repr for pools with no connections.
     * Fixed GEOHASH to return a None value when specifying a place that
       doesn't exist on the server.
     * Fixed XREADGROUP to return an empty dictionary for messages that have
       been deleted but still exist in the unacknowledged queue.
     * Added an owned method to Lock objects. owned returns a boolean
       indicating whether the current lock instance still owns the lock.
     * Allow lock.acquire() to accept an optional token argument. If
       provided, the token argument is used as the unique value used to claim
       the lock.
     * Added a reacquire method to Lock objects. reaquire attempts to renew
       the lock such that the timeout is extended to the same value that the
       lock was initially acquired with.
     * Stream names found within XREAD and XREADGROUP responses now properly
       respect the decode_responses flag.
     * XPENDING_RANGE now requires the user the specify the min, max and
       count arguments. Newer versions of Redis prevent count from being
       infinite so it's left to the user to specify these values explicitly.
     * ZADD now returns None when xx=True and incr=True and an element is
       specified that doesn't exist in the sorted set. This matches what the
       server returns in this case.
     * Added client_kill_filter that accepts various filters to identify and
       kill clients.
     * Fixed a race condition that occurred when unsubscribing and
       resubscribing to the same channel or pattern in rapid succession.
     * Added a LockNotOwnedError that is raised when trying to extend or
       release a lock that is no longer owned. This is a subclass of
       LockError so previous code should continue to work as expected.
     * Fixed a bug in GEORADIUS that forced decoding of places without
       respecting the decode_responses option.
     * add recommendation for python-hiredis
     * Fixed regression with UnixDomainSocketConnection caused by 3.0.0.
     * Fixed an issue with the new asynchronous flag on flushdb and flushall.
     * Updated Lock.locked() method to indicate whether *any* process has
       acquired the lock, not just the current one. This is in line with the
       behavior of threading.Lock.

   - Update to version 3.0.0: BACKWARDS INCOMPATIBLE CHANGES
     * When using a Lock as a context manager and the lock fails to be
       acquired a LockError is now raised. This prevents the code block
       inside the context manager from being executed if the lock could not
       be acquired.
     * Renamed LuaLock to Lock.
     * Removed the pipeline based Lock implementation in favor of the LuaLock
       implementation.
     * Only bytes, strings and numbers (ints, longs and floats) are
       acceptable for keys and values. Previously redis-py attempted to cast
       other types to str() and store the result. This caused must confusion
       and frustration when passing boolean values (cast to 'True' and
       'False') or None values (cast to 'None'). It is now the user's
       responsibility to cast all key names and values to bytes, strings or
       numbers before passing the value to redis-py.
     * The StrictRedis class has been renamed to Redis. StrictRedis will
       continue to exist as an alias of Redis for the forseeable future.
     * The legacy Redis client class has been removed. It caused much
       confusion to users.
     * ZINCRBY arguments 'value' and 'amount' have swapped order to match the
       the Redis server. The new argument order is: keyname, amount, value.
     * MGET no longer raises an error if zero keys are passed in. Instead an
       empty list is returned.
     * MSET and MSETNX now require all keys/values to be specified in a
       single dictionary argument named mapping. This was changed to allow
       for future options to these commands in the future.
     * ZADD now requires all element names/scores be specified in a single
       dictionary argument named mapping. This was required to allow the NX,
       XX, CH and INCR options to be specified. OTHER CHANGES
     * Added missing DECRBY command.
     * CLUSTER INFO and CLUSTER NODES respones are now properly decoded to
       strings.
     * Added a 'locked()' method to Lock objects. This method returns True if
       the lock has been acquired and owned by the current process, otherwise
       False.
     * EXISTS now supports multiple keys. It's return value is now the number
       of keys in the list that exist.
     * Ensure all commands can accept key names as bytes. This fixes issues
       with BLPOP, BRPOP and SORT.
     * All errors resulting from bad user input are raised as DataError
       exceptions. DataError is a subclass of RedisError so this should be
       transparent to anyone previously catching these.
     * Added support for NX, XX, CH and INCR options to ZADD
     * Added support for the MIGRATE command
     * Added support for the MEMORY USAGE and MEMORY PURGE commands.
     * Added support for the 'asynchronous' argument to FLUSHDB and FLUSHALL
       commands.
     * Added support for the BITFIELD command.
     * Improved performance on pipeline requests with large chunks of data.
     * Fixed test suite to not fail if another client is connected to the
       server the tests are running against.
     * Added support for SWAPDB.
     * Added support for all STREAM commands.
     * SHUTDOWN now accepts the 'save' and 'nosave' arguments.
     * Added support for ZPOPMAX, ZPOPMIN, BZPOPMAX, BZPOPMIN.
     * Added support for the 'type' argument in CLIENT LIST.
     * Added support for CLIENT PAUSE.
     * Added support for CLIENT ID and CLIENT UNBLOCK.
     * GEODIST now returns a None value when referencing a place that does
       not exist.
     * Added a ping() method to pubsub objects.
     * Fixed a bug with keys in the INFO dict that contained ':' symbols.
     * ssl_cert_reqs now has a default value of 'required' by default. This
       should make connecting to a remote Redis server over SSL more secure.
     * max_connections is now a valid querystring argument for creating
       connection pools from URLs.
     * Added the UNLINK command.
     * Added socket_type option to Connection for configurability.
     * Lock.do_acquire now atomically sets acquires the lock and sets the
       expire value via set(nx=True, px=timeout).
     * Added 'count' argument to SPOP.
     * Fixed an issue parsing client_list respones that contained an '='.
     * Fix rounding issues with geolocation, it is not stable enought to
       produce pinpoint equal results among 32bit platforms
     * Run tests by launching redis server
     * Require redis on runtime

   redis:

   - Update to version 6.0.8 (jsc#PM-1615, jsc#PM-1622, jsc#PM-1681,
     jsc#ECO-2867, jsc#PM-1547, jsc#CAPS-56, jsc#SLE-11578, jsc#SLE-12821)
     * bug fixes when using with Sentinel
     * bug fixes when using CONFIG REWRITE
     * Remove THP warning when set to madvise
     * Allow EXEC with read commands on readonly replica in cluster
     * Add masters/replicas options to redis-cli --cluster call command
     * CONFIG SET could hung the client when arrives during RDB/ROF loading
     * LPOS command when RANK is greater than matches responded with broken
       protocol
     * Add oom-score-adj configuration option to control Linux OOM killer
     * Show IO threads statistics and status in INFO output
     * Add optional tls verification mode (see tls-auth-clients)
     * Fix crash when enabling CLIENT TRACKING with prefix
     * EXEC always fails with EXECABORT and multi-state is cleared
     * RESTORE ABSTTL won't store expired keys into the db
     * redis-cli better handling of non-pritable key names
     * TLS: Ignore client cert when tls-auth-clients off
     * Tracking: fix invalidation message on flush
     * Notify systemd on Sentinel startup
     * Fix crash on a misuse of STRALGO
     * Fix a few rare leaks (STRALGO error misuse, Sentinel)
     * Fix a possible invalid access in defrag of scripts
     * Add LPOS command to search in a list
     * Use user+pass for MIGRATE in redis-cli and redis-benchmark in cluster
       mode
     * redis-cli support TLS for --pipe, --rdb and --replica options
     * TLS: Session caching configuration support
     * Fix handling of speical chars in ACL LOAD
     * Make Redis Cluster more robust about operation errors that may lead to
       two clusters to mix together
     * Revert the sendfile() implementation of RDB transfer
     * Fix TLS certificate loading for chained certificates
     * Fix AOF rewirting of KEEPTTL SET option
     * Fix MULTI/EXEC behavior during -BUSY script errors
     * fix a severe replication bug introduced in Redis 6 by the "meaningful
       offset" feature
     * fix a crash introduced in 6.0.2
     * fix to client side caching when keys are evicted from the tracking
       table but no notifications are sent
     * add BR pkgconfig(libsystemd) for the rewritten systemd support and
       force building with it
     * XCLAIM AOF/replicas propagation fixed.
     * Client side caching: new NOLOOP option to avoid getting notified about
       changes performed by ourselves.
     * ACL GENPASS now uses HMAC-SHA256 and have an optional "bits"
       argument.  It means you can use it as a general purpose "secure random
       strings" primitive!
     * Cluster "SLOTS" subcommand memory optimization.
     * The LCS command is now a subcommand of STRALGO.
     * Meaningful offset for replicas as well. More successful partial
       resynchronizations.
     * Optimize memory usage of deferred replies.
     * Faster CRC64 algorithm for faster RDB loading.
     * XINFO STREAM FULL, a new subcommand to get the whole stream state.
     * CLIENT KILL USER <username>.
     * MIGRATE AUTH2 option, for ACL style authentication support.
     * use libatomic also on ppc
     * add hash file from redis-hashes and verify it during build


Patch Instructions:

   To install this SUSE Optional Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-3291=1



Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      redis-6.0.8-1.3.1
      redis-debuginfo-6.0.8-1.3.1
      redis-debugsource-6.0.8-1.3.1


References:

   https://www.suse.com/security/cve/CVE-2013-7458.html
   https://www.suse.com/security/cve/CVE-2015-8080.html
   https://www.suse.com/security/cve/CVE-2016-10517.html
   https://www.suse.com/security/cve/CVE-2016-8339.html
   https://www.suse.com/security/cve/CVE-2017-15047.html
   https://www.suse.com/security/cve/CVE-2018-11218.html
   https://www.suse.com/security/cve/CVE-2018-11219.html
   https://bugzilla.suse.com/1002351
   https://bugzilla.suse.com/1047218
   https://bugzilla.suse.com/1061967
   https://bugzilla.suse.com/1064980
   https://bugzilla.suse.com/1097430
   https://bugzilla.suse.com/1131555
   https://bugzilla.suse.com/798455
   https://bugzilla.suse.com/835815
   https://bugzilla.suse.com/991250



More information about the sle-updates mailing list