CVE-2020-13151: Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service. Looks like all of our versions are vulnerable according to URL. Please bump, else last-rite or drop to m-n if this isn't being maintained. I see this was last touched almost two years ago by a non-maintainer due to maintainer timeout, and this package has several bugs open for years without a touch from the maintainer.
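The description above says the server tried to contain UDFs by removing os.execute() from an otherwise full Lua environment, and that this was insufficient. The following is an added example, not Aerospike code, showing the defensive alternative: compiling untrusted Lua into a fresh allowlisted environment, so that everything not explicitly granted (os, io, require, load, dofile, debug, package) is absent rather than individually denied. It assumes Lua 5.2 or later, where load() accepts an explicit environment; the UDF sources and the record passed in are constructed for illustration.

```lua
-- Added example (not Aerospike code): allowlist sandbox for untrusted Lua UDFs.
-- Assumes Lua 5.2+ so that load() takes an explicit environment table.

-- Shallow copy so the guest cannot patch the host's shared library tables.
local function copy_table(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

-- Build the only globals a UDF is allowed to see. Nothing here can reach the
-- process, the filesystem or the network; there is no os, io, require, load,
-- dofile, loadstring, debug or package entry to remove because none is added.
local function make_sandbox_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = table.unpack,
    math = copy_table(math),
    table = copy_table(table),
    string = copy_table(string),
  }
  -- string.dump returns function bytecode; a UDF has no legitimate use for it.
  env.string.dump = nil
  -- Point _G at the sandbox itself so code that indexes _G stays inside it.
  env._G = env
  return env
end

-- Compile and run untrusted source with the sandbox as its global scope.
-- Mode "t" accepts text only: precompiled bytecode is rejected because the
-- interpreter does not verify it and it can break the language's own safety.
local function run_udf(src, ...)
  local env = make_sandbox_env()
  local fn, err = load(src, "=udf", "t", env)
  if not fn then
    return false, "compile error: " .. err
  end
  return pcall(fn, ...)
end

-- Constructed inputs: a legitimate aggregation UDF and one that tries to
-- reach the OS the way the CVE text describes.
local benign = [[
  local rec = ...
  local total = 0
  for _, v in ipairs(rec) do total = total + v end
  return total
]]

local hostile = [[
  return os.execute("id")
]]

print(run_udf(benign, { 1, 2, 3 }))   -- succeeds: the UDF only needs ipairs
print(run_udf(hostile))               -- fails: 'os' is nil inside the sandbox
```

The hostile chunk does not fail because os.execute was blocked; it fails because the sandbox never contained an os table at all, which is the difference between a denylist and an allowlist. Two caveats a reviewer would still raise: this bounds what the code can call, not how long it runs or how much memory it uses (that needs debug.sethook or process-level limits on the host side), and none of it replaces authenticating who may submit UDFs in the first place, which is the actual gap the CVE describes.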
*** Bug 758191 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ef2b35a7882d32739436dec9de3283d162b8d6a

commit 3ef2b35a7882d32739436dec9de3283d162b8d6a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-18 08:47:50 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-18 09:00:05 +0000

    package.mask: Last rite dev-db/aerospike-server-community

    Bug: https://bugs.gentoo.org/736050
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a467253e33c4cd9d4b65cd6fb088fa69952b115

commit 7a467253e33c4cd9d4b65cd6fb088fa69952b115
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-01-19 08:37:19 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-01-19 08:39:09 +0000

    dev-db/aerospike-server-community: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/736050
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-db/aerospike-server-community/Manifest         |  1 -
 .../aerospike-server-community-4.1.0.1.ebuild      | 71 ------------------
 .../aerospike-server-community-9999.ebuild         | 84 ----------------------
 .../files/3.5.8-use-system-libs.patch              | 63 ----------------
 .../files/aerospike.conf                           | 70 ------------------
 .../files/aerospike.init                           | 53 --------------
 .../files/aerospike.logrotate                      | 10 ---
 .../files/aerospike_mesh.conf                      | 73 -------------------
 .../files/aerospike_ssd.conf                       | 68 ------------------
 dev-db/aerospike-server-community/metadata.xml     | 10 ---
 profiles/package.mask                              |  5 --
 11 files changed, 508 deletions(-)