On Tue, Oct 27, 2020 at 07:18:30PM +0100, Jeremie Courreges-Anglas wrote:
> On Tue, Oct 27 2020, Theo Buehler <tb@theobuehler.org> wrote:
> > Raltively simple update to Redis 6.0.9.
> >
> > Upgrade urgency is MODERATE due to a local patch for zmalloc. Thanks to
> > the upstream fix, we can now remove it. We need a new trivial time_t
> > patch.
>
> [...]
>
> > Index: patches/patch-src_debug_c
> > ===================================================================
> > RCS file: patches/patch-src_debug_c
> > diff -N patches/patch-src_debug_c
> > --- /dev/null 1 Jan 1970 00:00:00 -0000
> > +++ patches/patch-src_debug_c 27 Oct 2020 12:59:32 -0000
> > @@ -0,0 +1,16 @@
> > +$OpenBSD$
> > +
> > +time_t is long long on OpenBSD
> > +
> > +Index: src/debug.c
> > +--- src/debug.c.orig
> > ++++ src/debug.c
> > +@@ -408,7 +408,7 @@ NULL
> > + } else if (!strcasecmp(c->argv[1]->ptr,"segfault")) {
> > + *((char*)-1) = 'x';
> > + } else if (!strcasecmp(c->argv[1]->ptr,"panic")) {
> > +- serverPanic("DEBUG PANIC called at Unix time %ld", time(NULL));
> > ++ serverPanic("DEBUG PANIC called at Unix time %lld", time(NULL));
>
> The preferred approach would be
>
> ++ serverPanic("DEBUG PANIC called at Unix time %lld", (long long)time(NULL));
>
> which can usually be pushed upstream. redis seems to use "long long"
> already so it shouldn't be a problem.
Alright I'll add the cast before commit.
There's another time_t patch in the port already. If you see a nicer
variant for that (should we just use long long instead of time_t?), feel
free to fix that.
$OpenBSD: patch-src_networking_c,v 1.4 2020/09/03 04:29:27 tb Exp $
time_t is long long, so use llabs to avoid truncation
Index: src/networking.c
--- src/networking.c.orig
+++ src/networking.c
@@ -2651,7 +2651,7 @@ void securityWarningCommand(client *c) {
static time_t logged_time;
time_t now = time(NULL);
- if (labs(now-logged_time) > 60) {
+ if (llabs(now-logged_time) > 60) {
serverLog(LL_WARNING,"Possible SECURITY ATTACK detected. It looks like somebody is sending POST or Host: commands to Redis. This is likely due to an attacker attempting to use Cross Protocol Scripting to compromise your Redis instance. Connection aborted.");
logged_time = now;
}
No comments:
Post a Comment