Bug 551274 (CVE-2015-4335) - <dev-db/redis-{2.8.21,3.0.2}: Lua sandbox escape and arbitrary code execution
Summary: <dev-db/redis-{2.8.21,3.0.2}: Lua sandbox escape and arbitrary code execution
Status: RESOLVED FIXED
Alias: CVE-2015-4335
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: CVE-2015-8080
Blocks:
Reported: 2015-06-05 09:11 UTC by Agostino Sarubbo
Modified: 2017-02-20 23:35 UTC
CC List: 6 users

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2015-06-05 09:11:53 UTC
From ${URL}:

New Redis release (https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ) fixes a critical security issue that allows remote code execution with the permissions of the account that runs Redis.
Upstream patch that fixes this:
https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411

CVE request: http://seclists.org/oss-sec/2015/q2/639


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Johan Bergström 2015-06-05 10:44:27 UTC
A work in progress ebuild can be found here: https://github.com/gentoo/gentoo-portage-rsync-mirror/pull/120

I'll gun at finishing it tomorrow.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 12:20:11 UTC
CVE-2015-4335 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4335):
  Redis before 2.8.1 and 3.x before 3.0.2 allows remote attackers to execute
  arbitrary Lua bytecode via the eval command.
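The practical question for anyone reading this bug is whether a given Redis instance still sits in the affected range. The script below is an added example written for this report; it is not code from Gentoo, the Redis project or the GLSA. It takes the fixed versions from the bug title (2.8.21 and 3.0.2; the NVD text above says "2.8.1", which this check does not use), parses the `redis_version` field of an `INFO server` reply, and reports whether the server predates the fix. The `INFO` excerpt is constructed for offline use; `fetch_info` talks RESP to a live server and is optional.

```python
"""Check whether a Redis server's reported version is in the range affected
by CVE-2015-4335 (arbitrary Lua bytecode accepted by EVAL).

Added example for this bug report, not code from Gentoo or Redis.
Assumptions: the fixed versions are 2.8.21 and 3.0.2 (from the bug title);
SAMPLE_INFO below is a constructed 'INFO server' excerpt.
"""
import re
import socket

# Lowest version of each affected branch that carries the upstream fix.
FIXED_2_8 = (2, 8, 21)
FIXED_3_0 = (3, 0, 2)


def parse_version(s):
    """'2.8.19' -> (2, 8, 19); tolerates suffixes such as '3.0.2-rc1'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError("unrecognised redis_version: %r" % s)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if a server at this version still loads Lua bytecode via EVAL.

    Everything older than 2.8.21 is affected (scripting exists since 2.6),
    and the 3.0 branch is affected below 3.0.2.
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v < FIXED_2_8:
        return True
    return (3, 0, 0) <= v < FIXED_3_0


def parse_info(text):
    """Turn the 'key:value' lines of an INFO reply into a dict.

    Comment lines ('# Server') and blank lines are skipped; only the
    first ':' separates key from value, so 'os:Linux 3.18.0' stays intact.
    """
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        info[key] = value
    return info


def fetch_info(host="127.0.0.1", port=6379, timeout=3.0):
    """Ask a live server for 'INFO server' over RESP (not used offline).

    Sends the inline command form and reads the bulk-string reply,
    which is '$<len>\\r\\n<payload>\\r\\n'.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"INFO server\r\n")
        f = s.makefile("rb")
        header = f.readline()
        if not header.startswith(b"$"):
            raise RuntimeError("unexpected reply: %r" % header)
        length = int(header[1:].strip())
        payload = f.read(length)
        return payload.decode("utf-8", "replace")


def assess(info_text):
    """Return (version, affected) for the text of an INFO reply."""
    version = parse_info(info_text)["redis_version"]
    return version, is_affected(version)


# Constructed excerpt shaped like a real 'INFO server' reply (not captured
# from any actual host).
SAMPLE_INFO = """# Server
redis_version:2.8.19
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 3.18.0 x86_64
"""

if __name__ == "__main__":
    version, affected = assess(SAMPLE_INFO)
    verdict = "AFFECTED by CVE-2015-4335, upgrade" if affected else "not affected"
    print("redis_version %s: %s" % (version, verdict))
```

A version check only tells you whether the bytecode loader is still reachable through EVAL; it does not tell you whether anyone has already used it, and it trusts the server's own `INFO` output. Comment 5 below notes that Gentoo's stabilization waited for 2.8.24, but the security boundary for this CVE is 2.8.21 on the 2.8 branch and 3.0.2 on the 3.0 branch, which is what the check encodes.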
Comment 3 Tomáš Mózes 2015-07-09 12:26:55 UTC
What is the status with 2.8.21 please?
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-11-03 17:07:09 UTC
2.8.21 in the tree. Maintainer(s), please advise when you are ready for stabilization or call for stabilization yourself.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2016-10-01 18:39:48 UTC
Fixed versions are in tree however not stabilized everywhere.

However for stabilization we are waiting for =dev-db/redis-2.8.24 which should enter tree as part of bug 565188.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-10 22:34:20 UTC
Added to existing GLSA request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-02-20 23:35:05 UTC
This issue was resolved and addressed in
 GLSA 201702-16 at https://security.gentoo.org/glsa/201702-16
by GLSA coordinator Thomas Deutschmann (whissi).