Summary: | <dev-db/redis-{5.0.8,6.0.3}: Incomplete fix for CVE-2015-8080 (CVE-2020-14147) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | hydrapolic, robbat2 |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/antirez/redis/commit/ef764dde1cca2f25d00686673d1bc89448819571 | ||
See Also: | https://github.com/gentoo/gentoo/pull/15924 https://bugs.gentoo.org/show_bug.cgi?id=633824 | ||
Whiteboard: | B3 [glsa+ cleanup cve] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 633824 | ||
Bug Blocks: | | ||
Description
Sam James
2020-05-23 13:34:37 UTC

This also affects the 5.x series, with a backport commit (no release yet): https://github.com/antirez/redis/commit/16b2d07f0a9b58027611dab7f97788d37cb5ab84

Releases since 5.0-rc3, including all of 6.x until the new 6.0.3 (just released, not in tree), are vulnerable.

What's the plan for 5.x, btw?

(In reply to Sam James (sec padawan) from comment #2)
> What's the plan for 5.x, btw?

The fix is included in version 5.0.9 (in tree).

According to the changelog, it was included in 5.0.8 too (https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES)

================================================================================
Redis 5.0.8     Released Thu Mar 12 16:05:41 CET 2020
================================================================================

Upgrade urgency HIGH: This release fixes security issues.

...

Seunghoon Woo in commit 16b2d07f:
 [FIX] revisit CVE-2015-8080 vulnerability
 1 file changed, 6 insertions(+), 4 deletions(-)

(In reply to Tomáš Mózes from comment #4)
> According to the changelog, it was included in 5.0.8 too
> (https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES)
>
> ================================================================================
> Redis 5.0.8     Released Thu Mar 12 16:05:41 CET 2020
> ================================================================================
>
> Upgrade urgency HIGH: This release fixes security issues.
>
> ...
>
> Seunghoon Woo in commit 16b2d07f:
>  [FIX] revisit CVE-2015-8080 vulnerability
>  1 file changed, 6 insertions(+), 4 deletions(-)

Thank you.

@maintainer(s), please cleanup.

This issue was resolved and addressed in
GLSA 202008-17 at https://security.gentoo.org/glsa/202008-17
by GLSA coordinator Sam James (sam_c).