New Redis release (https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ) fixes a critical security issue that allows remote code execution with the permissions of the account that runs Redis.
Upstream patch that fixes this: https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
CVE request: http://seclists.org/oss-sec/2015/q2/639
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
A work in progress ebuild can be found here: https://github.com/gentoo/gentoo-portage-rsync-mirror/pull/120 I'll gun at finishing it tomorrow.
CVE-2015-4335 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4335): Redis before 2.8.1 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
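An inventory-side check for the affected ranges above, added here as an example and not code from Redis, Gentoo or the NVD entry. It parses the `redis_version:` field from the output of the Redis INFO command (a real field of that command) and reports whether the server falls inside the affected ranges. The fixed releases are taken from this thread: 2.8.21 as the fixed 2.8.x release and 3.0.2 as the fixed 3.x release; the sample INFO text is constructed, not captured from a real server.

```python
import re

# Fixed releases as given in this thread (assumption: these are the first
# releases on each line that carry the upstream fix).
FIXED_2X = (2, 8, 21)
FIXED_3X = (3, 0, 2)


def parse_version(version):
    """Turn 'major.minor.patch' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Redis version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected_by_cve_2015_4335(version):
    """True if the version is inside the affected ranges for this CVE.

    2.x: affected when older than 2.8.21.
    3.x: affected when older than 3.0.2.
    Anything newer than 3.x is outside the ranges the CVE describes.
    """
    major, minor, patch = parse_version(version)
    if major < 3:
        return (major, minor, patch) < FIXED_2X
    if major == 3:
        return (major, minor, patch) < FIXED_3X
    return False


def version_from_info(info_text):
    """Extract the redis_version field from INFO output (CRLF or LF lines)."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no redis_version field found in INFO output")


# Constructed sample INFO output for demonstration; not from a real server.
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:2.8.19\r\n"
    "redis_git_sha1:00000000\r\n"
    "redis_mode:standalone\r\n"
)


def audit(info_text):
    """Return (version, affected) for one server's INFO output."""
    version = version_from_info(info_text)
    return version, is_affected_by_cve_2015_4335(version)


if __name__ == "__main__":
    version, affected = audit(SAMPLE_INFO)
    status = "AFFECTED" if affected else "not affected"
    print(f"redis {version}: {status} by CVE-2015-4335")
```

The version comparison is done on integer tuples rather than on strings so that 2.8.21 sorts after 2.8.9; a string comparison would get that wrong and mark a fixed server as vulnerable or the reverse.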
What is the status with 2.8.21 please?
2.8.21 in the tree. Maintainer(s), please advise when you are ready for stabilization, or call for stabilization yourself.
Fixed versions are in the tree, though not yet stabilized everywhere. For stabilization we are waiting for =dev-db/redis-2.8.24, which should enter the tree as part of bug 565188.
Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201702-16 at https://security.gentoo.org/glsa/201702-16 by GLSA coordinator Thomas Deutschmann (whissi).