See linked commit and PR: https://github.com/antirez/redis/pull/6875

"The vulnerability is from the Lua source code that you already patched in Dec. 2015. However, as a result of the Lua update in May 2018 (commit: 1eb08bc), the vulnerability patch was removed during the update process."
This also affects the 5.x series, with a backport commit (no release yet): https://github.com/antirez/redis/commit/16b2d07f0a9b58027611dab7f97788d37cb5ab84

Releases since 5.0-rc3, including all of 6.x until the new 6.0.3 (just released, not in tree), are vulnerable.
What's the plan for 5.x, btw?
(In reply to Sam James (sec padawan) from comment #2)
> What's the plan for 5.x, btw?

The fix is included in version 5.0.9 (in tree).
According to the changelog, it was included in 5.0.8 too (https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES)

================================================================================
Redis 5.0.8     Released Thu Mar 12 16:05:41 CET 2020
================================================================================

Upgrade urgency HIGH: This release fixes security issues.

...

Seunghoon Woo in commit 16b2d07f:
 [FIX] revisit CVE-2015-8080 vulnerability
 1 file changed, 6 insertions(+), 4 deletions(-)
(In reply to Tomáš Mózes from comment #4)
> According to the changelog, it was included in 5.0.8 too
> (https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES)
>
> ================================================================================
> Redis 5.0.8     Released Thu Mar 12 16:05:41 CET 2020
> ================================================================================
>
> Upgrade urgency HIGH: This release fixes security issues.
>
> ...
>
> Seunghoon Woo in commit 16b2d07f:
> [FIX] revisit CVE-2015-8080 vulnerability
> 1 file changed, 6 insertions(+), 4 deletions(-)

Thank you.

@maintainer(s), please cleanup.
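The affected ranges discussed above (5.0-rc3 up to the 5.0.8 fix, and 6.x before 6.0.3), turned into a version check for inventorying deployed servers. This is an added example, not code from the Redis project or from anyone in this thread; it assumes `redis-server --version` prints the version as `v=X.Y.Z`, and the sample banner is constructed.

```python
import re
from typing import Optional, Tuple

# Version key: (major, minor, patch, is_final, rc_number). Release candidates
# sort before the final release of the same number, so 5.0-rc3 < 5.0.0 < 5.0.8.
VersionKey = Tuple[int, int, int, int, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?$")


def parse_version(text: str) -> VersionKey:
    """Parse Redis version strings such as '5.0.8', '5.0-rc3' or '6.0.0-rc1'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Redis version: {text!r}")
    major, minor, patch, rc = m.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0))


# Ranges as stated in the thread: the Lua patch regressed in 5.0-rc3 and was
# restored in 5.0.8 (also present in 5.0.9); every 6.x before 6.0.3 is affected.
# Anything older than 5.0-rc3 still carried the Dec. 2015 fix and is out of scope.
REGRESSION_START = parse_version("5.0-rc3")
FIXED_5X = parse_version("5.0.8")
FIXED_6X = parse_version("6.0.3")


def is_vulnerable(version: str) -> bool:
    """True if the given release falls inside the regression window above."""
    v = parse_version(version)
    if v[0] == 5:
        return REGRESSION_START <= v < FIXED_5X
    if v[0] == 6:
        return v < FIXED_6X
    return False


def check_banner(banner: str) -> Optional[bool]:
    """Evaluate a `redis-server --version` line; None if no 'v=' field is present."""
    m = re.search(r"\bv=(\S+)", banner)
    return is_vulnerable(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed sample banner in the assumed `redis-server --version` layout.
    sample = "Redis server v=5.0.7 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=0"
    print(check_banner(sample))  # True
```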
This issue was resolved and addressed in GLSA 202008-17 at https://security.gentoo.org/glsa/202008-17 by GLSA coordinator Sam James (sam_c).