Summary: | <dev-db/redis-{2.8.21,3.0.2}: Lua sandbox escape and arbitrary code execution | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | bugs, hydrapolic, lu_zero, proxy-maint, robbat2, ultrabug
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1228327 | |
Whiteboard: | B2 [glsa cve] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 565188 | |
Bug Blocks: | | |
Description
Agostino Sarubbo
2015-06-05 09:11:53 UTC
A work in progress ebuild can be found here: https://github.com/gentoo/gentoo-portage-rsync-mirror/pull/120 I'll gun at finishing it tomorrow.

CVE-2015-4335 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4335): Redis before 2.8.1 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.

What is the status with 2.8.21 please?

2.8.21 in the tree.

Maintainer(s), please advise when you are ready for stabilization, or call for stabilization yourself.

Fixed versions are in tree; however, they are not stabilized everywhere. For stabilization we are waiting for =dev-db/redis-2.8.24, which should enter the tree as part of bug 565188.

Added to existing GLSA request.

This issue was resolved and addressed in GLSA 201702-16 at https://security.gentoo.org/glsa/201702-16 by GLSA coordinator Thomas Deutschmann (whissi).
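The bug summary atom `<dev-db/redis-{2.8.21,3.0.2}` names the first fixed release on each affected branch, and the quoted NVD text gives the same ranges in words (everything before 2.8.21, and 3.x before 3.0.2). The following triage helper is an added example, not code from this bug, from Gentoo or from Redis: it expands the brace list of the summary atom into fixed versions, reads `redis_version` from `INFO server` output, and reports which hosts still fall in the affected ranges. The host names and the `INFO` output are constructed sample data, not real captures.

```python
"""Added example (not from the Gentoo bug or from Redis): decide whether a
Redis server's reported version falls in the ranges CVE-2015-4335 affects,
so an operator can triage hosts from `INFO server` output.

Ranges come from the page: the summary atom <dev-db/redis-{2.8.21,3.0.2}
and the NVD wording "before 2.8.21 and 3.x before 3.0.2".
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Bug summary atom from the page; the brace list carries the first fixed
# release of each affected branch.
BUG_SUMMARY_ATOM = "<dev-db/redis-{2.8.21,3.0.2}"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
_INFO_VERSION_RE = re.compile(r"^redis_version:(\S+)", re.MULTILINE)


def parse_version(text: str) -> Version:
    """Parse a leading x.y.z version; suffixes such as Gentoo's -r1 are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an x.y.z version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def fixed_versions_from_atom(atom: str) -> List[Version]:
    """Expand the {a,b} brace list of a Gentoo '<pkg-{a,b}' summary atom."""
    m = re.search(r"\{([^}]*)\}", atom)
    if not m:
        raise ValueError(f"no brace list in atom: {atom!r}")
    return sorted(parse_version(v) for v in m.group(1).split(","))


def is_affected(version: Version, fixed: List[Version]) -> bool:
    """True if `version` is below the fix that applies to it.

    Rule encoded from the NVD wording: everything below the lowest fix
    (2.8.21) is affected, as is any version on the same major.minor branch
    as a later fix but below it (3.0.0 and 3.0.1 versus 3.0.2). Branches the
    page lists no fix for (e.g. 3.2.x) are not flagged.
    """
    if version < min(fixed):
        return True
    return any(version[:2] == f[:2] and version < f for f in fixed)


def redis_version_from_info(info: str) -> Optional[str]:
    """Pull redis_version out of `INFO server` output (CRLF-terminated lines)."""
    m = _INFO_VERSION_RE.search(info)
    return m.group(1) if m else None


def triage(info_by_host: Dict[str, str], atom: str = BUG_SUMMARY_ATOM) -> Dict[str, bool]:
    """Map each host to True (affected) or False (fixed).

    A host whose INFO output carries no parsable redis_version raises rather
    than being silently reported as fixed.
    """
    fixed = fixed_versions_from_atom(atom)
    result: Dict[str, bool] = {}
    for host, info in info_by_host.items():
        raw = redis_version_from_info(info)
        if raw is None:
            raise ValueError(f"{host}: no redis_version in INFO output")
        result[host] = is_affected(parse_version(raw), fixed)
    return result


# Constructed sample `INFO server` output for three hypothetical hosts.
SAMPLE_INFO = {
    "cache-1": "# Server\r\nredis_version:2.8.19\r\nredis_mode:standalone\r\n",
    "cache-2": "# Server\r\nredis_version:3.0.1\r\nredis_mode:standalone\r\n",
    "cache-3": "# Server\r\nredis_version:3.0.2\r\nredis_mode:standalone\r\n",
}

if __name__ == "__main__":
    for host, affected in triage(SAMPLE_INFO).items():
        print(f"{host}: {'AFFECTED' if affected else 'fixed'}")
```

The check deliberately flags only the ranges the page states; a branch with no listed fix is reported as not affected, so a version the helper does not know about should be compared against the GLSA by hand rather than trusted on this output alone.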