Closed falkodev closed 1 year ago
**MS Defender ID: 982277**

[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29469](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29469)
[https://github.com/advisories/GHSA-35q2-47q7-3pc3](https://github.com/advisories/GHSA-35q2-47q7-3pc3)

Security update has been released for redis to fix the vulnerability.

When a client is in monitoring mode, the regex being used to detect monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service.

We only have to update to the latest 3.x series. In Version 4, they changed how you connect to redis and it's complicated.

**Action:** `apostrophe-caches-redis@2.1.4` is using `redis@2.8.0`, which has the vulnerability; it is fixed in `redis@3.1.1`. So the apos team needs to update `redis` in `apostrophe-caches-redis`.

This is an exponential backtracking risk if keys are constructed in a certain way. Apostrophe is not constructing keys in this way, but `redis` should still be updated.

**Acceptance Criteria**

* npm needs to pass with this dependency change. (You can easily test your work for this.)
* The [redis 3.0](https://github.com/redis/node-redis/releases/tag/v3.0.0) release notes need to be read to ensure that there are no backwards compatibility breaks.

OG Ticket: [https://gitlab-dcadcx.michelin.net/pa/apostrophe-enhancements/-/issues/1192](https://gitlab-dcadcx.michelin.net/pa/apostrophe-enhancements/-/issues/1192)
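The dependency check described in the action above, as an added example that is not part of this issue or of the apostrophe-caches-redis project: a small Node script that walks an npm lockfile (v1 shape, nested `dependencies` objects) and flags every copy of `redis` older than the fixed `3.1.1`. The lockfile object is constructed here for illustration; only the version numbers `2.8.0` and `3.1.1` come from the issue text, and the helper names (`findVulnerableRedis`, `report`) are this example's own.

```javascript
// Added example, not project code: audit an npm lockfile for a vulnerable
// `redis` version. The fixed version comes from the issue text (redis@3.1.1).
const FIXED_REDIS_VERSION = "3.1.1";

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", pre-release tag ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk a lockfile v1 tree: each entry has a "version" and may nest its own
// "dependencies". Returns every occurrence of `pkg` below `fixedIn`.
function findVulnerableRedis(lockfile, pkg = "redis", fixedIn = FIXED_REDIS_VERSION) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === pkg && compareVersions(entry.version, fixedIn) < 0) {
        hits.push({ path: here.join(" > "), version: entry.version });
      }
      walk(entry.dependencies, here);
    }
  }
  walk(lockfile.dependencies, []);
  return hits;
}

// CONSTRUCTED lockfile mirroring the situation in the issue:
// apostrophe-caches-redis@2.1.4 pulling in redis@2.8.0, next to an
// unrelated (hypothetical) package that already uses the fixed release.
const sampleLockfile = {
  name: "my-apostrophe-site",
  lockfileVersion: 1,
  dependencies: {
    "apostrophe-caches-redis": {
      version: "2.1.4",
      dependencies: { redis: { version: "2.8.0" } }
    },
    "some-other-package": {
      version: "1.0.0",
      dependencies: { redis: { version: "3.1.1" } }
    }
  }
};

// Human-readable summary; one FLAG line per vulnerable copy.
function report(lockfile) {
  const hits = findVulnerableRedis(lockfile);
  if (hits.length === 0) return `OK: no redis older than ${FIXED_REDIS_VERSION}`;
  return hits
    .map((h) => `FLAG: ${h.path}@${h.version} (< ${FIXED_REDIS_VERSION})`)
    .join("\n");
}

console.log(report(sampleLockfile));
```

For a real project, replace `sampleLockfile` with `JSON.parse(fs.readFileSync("package-lock.json"))`; lockfile v2/v3 files carry a flat `packages` map in addition to the nested tree, which this walker does not read. Re-running the script after the dependency bump (and then `npm test`, per the acceptance criteria) confirms no nested copy of `redis@2.8.0` survives behind a transitive dependency.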