CVE-2023-45145 - On startup, Redis begins listening on its Unix domain socket before it chmods the socket file to the mode given by the unixsocketperm configuration directive. Until that chmod runs, the socket carries the mode derived from the process umask(2). Connecting to a Unix socket requires write permission on the socket file (unix(7)), so a umask that leaves a group or other write bit clear lets any local process connect during that window and obtain a connection it would otherwise be denied. The window is short, but it reopens on every start or restart. The problem has existed since Redis 2.6.0-RC1 and is fixed in Redis 7.2.2, 7.0.14 and 6.2.14; users are advised to upgrade. Users who cannot upgrade can work around it by disabling the Unix socket (no unixsocket directive), starting Redis with a restrictive umask such as 077, or placing the socket file in a directory that only the Redis user can traverse, since a connecting process must be able to reach the socket path in the first place.
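The following shell helpers are an added example for the three workarounds above, not code from Redis or from the Gentoo bug; they check a redis.conf and the startup umask on a host that cannot upgrade yet. The helper names, the sample config lines and the temporary paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not Redis or Gentoo code: pre-start checks for the three
# CVE-2023-45145 workarounds on a host that cannot upgrade yet. Helper
# names, config lines and paths are constructed for this example.

# A process connects to a Unix socket only if it has write permission on the
# socket file (unix(7)), so the startup race is exploitable only while the
# umask leaves a group or other write bit clear. Accept a umask whose last
# two octal digits each contain the write bit (2, 3, 6 or 7); 077 is safest.
umask_is_restrictive() {
    case "$1" in
        *[2367][2367]) return 0 ;;
        *)             return 1 ;;
    esac
}

# True when the directory is mode 0700 (no group/other bits at all), so no
# other local user can even reach a socket created inside it.
dir_is_protected() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Read the last uncommented "unixsocket <path>" directive from a redis.conf.
# "unixsocketperm" lines do not match because a blank must follow the keyword.
unixsocket_path() {
    sed -n 's/^[[:space:]]*unixsocket[[:space:]]\{1,\}//p' "$1" | tail -n 1
}

# Return 0 when the config is safe under one of the advisory's workarounds:
# the Unix socket is disabled, or its file lives in a protected directory.
check_redis_conf() {
    sock=$(unixsocket_path "$1")
    if [ -z "$sock" ]; then
        echo "ok: no unixsocket directive, Unix socket disabled"
        return 0
    fi
    dir=$(dirname "$sock")
    if [ -d "$dir" ] && dir_is_protected "$dir"; then
        echo "ok: $sock is inside protected directory $dir"
        return 0
    fi
    echo "warn: $sock is reachable by other users during the startup race"
    return 1
}

# Third workaround: run the server with umask 077 so the socket is created
# 0700 and stays unreachable until Redis applies unixsocketperm. The umask
# change is confined to the subshell, so the caller is unaffected.
# Usage: run_with_restrictive_umask redis-server /etc/redis/redis.conf
run_with_restrictive_umask() {
    ( umask 077 && exec "$@" )
}
```

The directory check is deliberately strict (exactly 0700): a group execute bit would let every member of that group reach the socket path during the race, which is the situation the advisory's "protected directory" wording is meant to rule out.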
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ebed5222738c6ae9b51f736f5d2f31d03035b39f

commit ebed5222738c6ae9b51f736f5d2f31d03035b39f
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-10-19 07:49:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-29 04:18:51 +0000

    dev-db/redis: add 7.2.2

    Bug: https://bugs.gentoo.org/915989
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/33404
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest           |   1 +
 dev-db/redis/redis-7.2.2.ebuild | 200 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 201 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=91f0b8ae6c61e55d84387ba66784c0cd96d7f980

commit 91f0b8ae6c61e55d84387ba66784c0cd96d7f980
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-10-19 07:29:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-29 04:18:51 +0000

    dev-db/redis: add 7.0.14

    Bug: https://bugs.gentoo.org/915989
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-7.0.14.ebuild | 187 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 188 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5afcfff20f65dcea36883eef57870db3f02949f

commit b5afcfff20f65dcea36883eef57870db3f02949f
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-10-19 07:24:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-29 04:18:50 +0000

    dev-db/redis: add 6.2.14

    Bug: https://bugs.gentoo.org/915989
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-6.2.14.ebuild | 195 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 196 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40f0aeee0d9ab31c81a869f258821733048f7423

commit 40f0aeee0d9ab31c81a869f258821733048f7423
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-09 14:12:04 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-09 14:23:54 +0000

    dev-db/redis: drop versions

    This commit drops most of the vulnerable versions; however, security
    cleanups are still blocked because of 7.0.5, which is the last stable
    version for arm.

    Bug: https://bugs.gentoo.org/891169
    Bug: https://bugs.gentoo.org/898464
    Bug: https://bugs.gentoo.org/902501
    Bug: https://bugs.gentoo.org/904486
    Bug: https://bugs.gentoo.org/910191
    Bug: https://bugs.gentoo.org/913741
    Bug: https://bugs.gentoo.org/915989
    Bug: https://bugs.gentoo.org/921662
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 dev-db/redis/Manifest                              |   7 -
 dev-db/redis/files/redis-6.2.7-cve-2022-3647.patch | 173 ------------------
 dev-db/redis/redis-6.2.11.ebuild                   | 195 --------------------
 dev-db/redis/redis-6.2.13.ebuild                   | 195 --------------------
 dev-db/redis/redis-6.2.7-r2.ebuild                 | 198 --------------------
 dev-db/redis/redis-7.0.12.ebuild                   | 187 -------------------
 dev-db/redis/redis-7.0.13.ebuild                   | 187 -------------------
 dev-db/redis/redis-7.0.9.ebuild                    | 187 -------------------
 dev-db/redis/redis-7.2.2.ebuild                    | 200 ---------------------
 9 files changed, 1529 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a7e6b8769400cbbd7e4f3161d8c7dfdd62af8af

commit 3a7e6b8769400cbbd7e4f3161d8c7dfdd62af8af
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-10 10:05:04 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-10 10:16:11 +0000

    dev-db/redis: destabilize 7.0.5-r1 for ~arm

    Dropping the stable keyword for the arm architecture due to a lack of
    security stabilization for over a year.

    Bug: https://bugs.gentoo.org/891169
    Bug: https://bugs.gentoo.org/898464
    Bug: https://bugs.gentoo.org/902501
    Bug: https://bugs.gentoo.org/904486
    Bug: https://bugs.gentoo.org/910191
    Bug: https://bugs.gentoo.org/913741
    Bug: https://bugs.gentoo.org/915548#c6
    Bug: https://bugs.gentoo.org/915989
    Bug: https://bugs.gentoo.org/918847
    Bug: https://bugs.gentoo.org/921662
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 dev-db/redis/redis-7.0.5-r1.ebuild        | 4 ++--
 profiles/arch/arm/package.use.stable.mask | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8942d96c5ff1a45db0922d9e5e4403b050494bf6

commit 8942d96c5ff1a45db0922d9e5e4403b050494bf6
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-10 12:25:59 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-10 12:27:32 +0000

    dev-db/redis: drop 7.0.5-r1

    Bug: https://bugs.gentoo.org/891169
    Bug: https://bugs.gentoo.org/898464
    Bug: https://bugs.gentoo.org/902501
    Bug: https://bugs.gentoo.org/904486
    Bug: https://bugs.gentoo.org/910191
    Bug: https://bugs.gentoo.org/913741
    Bug: https://bugs.gentoo.org/915989
    Bug: https://bugs.gentoo.org/921662
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 dev-db/redis/Manifest                              |   1 -
 .../files/redis-7.0.4-replica-tests-fix.patch      |  61 -------
 dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch | 173 -------------------
 dev-db/redis/redis-7.0.5-r1.ebuild                 | 191 ---------------------
 4 files changed, 426 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5a0d6d701e1e513f689c9b698b4225e0b36422e

commit d5a0d6d701e1e513f689c9b698b4225e0b36422e
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-03-13 21:54:50 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-03-13 21:56:30 +0000

    dev-db/redis: drop 7.0.14-r1, 7.2.1-r1, 7.2.3-r1

    Bug: https://bugs.gentoo.org/921662
    Bug: https://bugs.gentoo.org/915989
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 dev-db/redis/Manifest               |   3 -
 dev-db/redis/redis-7.0.14-r1.ebuild | 187 ---------------------------------
 dev-db/redis/redis-7.2.1-r1.ebuild  | 200 ------------------------------------
 dev-db/redis/redis-7.2.3-r1.ebuild  | 200 ------------------------------------
 4 files changed, 590 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=bbba9c645e3767933f8d769ab743fca8728487ab

commit bbba9c645e3767933f8d769ab743fca8728487ab
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-07 06:33:13 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-07 06:33:27 +0000

    [ GLSA 202408-05 ] Redis: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/891169
    Bug: https://bugs.gentoo.org/898464
    Bug: https://bugs.gentoo.org/902501
    Bug: https://bugs.gentoo.org/904486
    Bug: https://bugs.gentoo.org/910191
    Bug: https://bugs.gentoo.org/913741
    Bug: https://bugs.gentoo.org/915989
    Bug: https://bugs.gentoo.org/921662
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-05.xml | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)