Tags: nicolasff/webdis
Tags
Release 0.1.22 (includes security update)
New feature: added support for TCP keep-alive on connections to Redis.
Bugfix: TRACE logs were not correctly identified as such in the logs,
they should now appear with a T prefix.
Security: this is also a security update, fixing vulnerabilities found
in the OpenSSL library, installed from Alpine Linux packages (Alpine
Linus provides the base image for Webdis).
Impact: Webdis can connect to external Webdis instances over TLS.
By default, it does not use TLS to connect to Redis, but interfaces
with Redis over a local connection within the Docker container.
Please review whether these OpenSSL vulnerabilities affect your
deployment. If you do not use TLS to connect to Redis, then you should
not be affected.
openssl 3.0.8-r1 - 1 HIGH, 6 MEDIUM
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.17
* HIGH CVE-2023-2650
https://scout.docker.com/v/CVE-2023-2650
Affected range : <3.0.9-r0
Fixed version : 3.0.9-r0
* MEDIUM CVE-2023-1255
https://scout.docker.com/v/CVE-2023-1255
Affected range : <3.0.8-r4
Fixed version : 3.0.8-r4
* MEDIUM CVE-2023-3817
https://scout.docker.com/v/CVE-2023-3817
Affected range : <3.0.10-r0
Fixed version : 3.0.10-r0
* MEDIUM CVE-2023-3446
https://scout.docker.com/v/CVE-2023-3446
Affected range : <3.0.9-r3
Fixed version : 3.0.9-r3
* MEDIUM CVE-2023-2975
https://scout.docker.com/v/CVE-2023-2975
Affected range : <3.0.9-r2
Fixed version : 3.0.9-r2
* MEDIUM CVE-2023-0466
https://scout.docker.com/v/CVE-2023-0466
Affected range : <3.0.8-r3
Fixed version : 3.0.8-r3
* MEDIUM CVE-2023-0465
https://scout.docker.com/v/CVE-2023-0465
Affected range : <3.0.8-r2
Fixed version : 3.0.8-r2
openssl1.1-compat 1.1.1t-r1 -- 2 MEDIUM
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.17
* MEDIUM CVE-2023-3446
https://scout.docker.com/v/CVE-2023-3446
Affected range : <1.1.1u-r1
Fixed version : 1.1.1u-r1
* MEDIUM CVE-2023-0465
https://scout.docker.com/v/CVE-2023-0465
Affected range : <1.1.1t-r2
Fixed version : 1.1.1t-r2
Version 0.1.21 (security update) Security update, fixing vulnerabilities found in the Alpine Linux base image as well as the embedded Redis service and SSL libraries. Additionally and not related to security: fixed build issues with CentOS 7 = Security fixes = Urgency: HIGH Note for the list of vulnerabilities provided below: The "Impact" described only applies if the Webdis image is used without changes. If Webdis is used as a base image, please review whether the changes made to it can cause these vulnerabilities to become exploitable. == Critical severity == Description: Out-of-bounds Write in zlib (CVE-2022-37434) Info: https://security.snyk.io/vuln/SNYK-ALPINE314-ZLIB-2976174 Origin: zlib/[email protected], from the base image Impact: Webdis uses zlib to support HTTP compression == High severity == Description: Loop with Unreachable Exit Condition ('Infinite Loop') Info: https://security.snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2426333 Origin: openssl/libcrypto1.1 Impact: Webdis only uses TLS to connect to Redis Description: Execute arbitrary code via netstat (CVE-2022-28391) Info: https://security.snyk.io/vuln/SNYK-ALPINE314-BUSYBOX-2440608 Origin: introduced by the base image, alpine:3.14.3 Impact: netstat is not used by Webdis Description: Arbitrary Code Injection in Redis (CVE-2022-24735) Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-2805760 Origin: introduced by the embedded Redis service, version 6.2.6 Impact: Webdis embeds this vulnerable version of Redis Description: NULL Pointer Dereference in LibSSL3 Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314660 Origin: introduced by libssl3, a dependency of Redis Impact: Webdis connects to its internal Webdis instance over TLS Description: Double Free in LibSSL3 Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314657 Origin: introduced by libssl3, a dependency of Redis Impact: Webdis connects to its internal Webdis instance over TLS Description: Access of Resource Using Incompatible Type in LibSSL3 Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314651 Origin: introduced by libssl3, a dependency of Redis Impact: Webdis connects to its internal Webdis instance over TLS Description: Use After Free in LibSSL3 Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314650 Origin: introduced by libssl3, a dependency of Redis Impact: Webdis connects to its internal Webdis instance over TLS Description: NULL Pointer Dereference in LibSSL3 Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314647 Origin: introduced by libssl3, a dependency of Redis Impact: Webdis connects to its internal Webdis instance over TLS == Medium severity == Description: NULL Pointer Dereference in Redis (CVE-2022-24736) Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-2805761 Origin: introduced by the embedded Redis service, version 6.2.6 Impact: Webdis embeds this vulnerable version of Redis Description: Inadequate Encryption Strength in openssl (CVE-2022-2097) Info: https://security.snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2941807 Origin: openssl/[email protected], openssl/[email protected] Impact: Webdis only uses TLS to connect to Redis == Low severity == Description: Integer Overflow or Wraparound in Redis (CVE-2022-35977) Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-3243491 Origin: introduced by the embedded Redis service, version 6.2.6 Impact: Webdis embeds this vulnerable version of Redis Description: Integer Overflow or Wraparound in Redis (CVE-2023-22458) Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-3243489 Origin: introduced by the embedded Redis service, version 6.2.6 Impact: Webdis embeds this vulnerable version of Redis
Release 0.1.18 New feature: support for SSL connections to Redis. Webdis can now connect securely to Redis, thanks to the Hiredis client library. Docker images for Webdis will now contain two binaries, "webdis" and "webdis-ssl", the latter depending on OpenSSL. See Webdis README for details: https://github.com/nicolasff/webdis#configuring-webdis-with-ssl
Release 0.1.17.1 (Fixes Redis vulnerabilities) Security update: upgrading the version of Redis bundled in the Webdis image to fix a number of severe vulnerabilities. * Low severity vulnerability found in redis/redis Description: Integer Overflow or Wraparound Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727801 Introduced through: redis/[email protected] From: redis/[email protected] Fixed in: 6.2.6-r0 * Medium severity vulnerability found in redis/redis Description: Out-of-bounds Read Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727803 Introduced through: redis/[email protected] From: redis/[email protected] Fixed in: 6.2.6-r0 * High severity vulnerability found in redis/redis Description: Allocation of Resources Without Limits or Throttling Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727783 Introduced through: redis/[email protected] From: redis/[email protected] Fixed in: 6.2.6-r0 * High severity vulnerability found in redis/redis Description: CVE-2021-32626 Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727820 Introduced through: redis/[email protected] From: redis/[email protected] Fixed in: 6.2.6-r0 * High severity vulnerability found in redis/redis Description: Integer Overflow or Wraparound Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727822 Introduced through: redis/[email protected] From: redis/[email protected] Fixed in: 6.2.6-r0 * High severity vulnerability found in redis/redis Description: Integer Overflow or Wraparound Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727823 Introduced through: redis/[email protected] From: redis/[email protected] Fixed in: 6.2.6-r0 * High severity vulnerability found in redis/redis Description: Integer Overflow or Wraparound Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727825 Introduced through: redis/[email protected] From: redis/[email protected] Fixed in: 6.2.6-r0 * High severity vulnerability found in redis/redis Description: Integer Overflow or Wraparound Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727826 Introduced through: redis/[email protected] From: redis/[email protected] Fixed in: 6.2.6-r0
Release 0.1.17 * Many improvements to WebSocket implementation (#198, #199). WebSocket support is now much more stable, and better tested. The feature is still disabled by default, but is recommended for testing. * Base image updated from Alpine 3.12.7 to 3.14.2 to resolve vulnerabilities found in Alpine. Webdis itself is not at risk, but images *based* on Webdis could be using vulnerable software if they use packages from Alpine 3.12.7.
Release 0.1.16 * Only process `Connection: close` header if full request was read (#194). This likely fixes the same issue also reported in #145. * Fix small memory leak when the `type` query string parameter is used; the value was not being freed leading to growing memory usage of a few bytes per request. Upgrading is recommended if you use this feature. * Fix invalid call to `ioctl`, which did not seem to affect Linux systems but could have had an impact on macOS (found in #197).
Release 0.1.15 * Fixed compilation warnings * Fixed code quality issues found by CodeQL * Upgraded base image from alpine:3.12.6 to alpine:3.12.7 See CWE-125 and CVE-2021-30139). This is *not* a security issue if you just use the webdis image to run the service, but could be if you're building a new Docker image using webdis as a base image.
PreviousNext