From ${URL}:
The clusterLoadConfig function in cluster.c in Redis allows local attackers to cause a denial of service (out-of-bounds array index and application crash) or possibly have unspecified other impact by leveraging "limited access to the machine."

Upstream issue: https://github.com/antirez/redis/issues/4278

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
PR: https://github.com/antirez/redis/pull/4365
Patch: https://github.com/antirez/redis/commit/ffcf7d5ab1e98d84c28af9bea7be76c6737820ad
Comment on exploitability: https://github.com/antirez/redis/issues/4278#issuecomment-335095580

Patch looks like it's in 5.x, 6.x.
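The bug class described above (a value read from an on-disk config file used as an array index without a range check) is easy to illustrate. The following is an added example written for this page, not Redis's code and not the upstream patch: it assumes the unchecked index is a hash-slot number parsed from a nodes.conf-style line and used to address a per-node slot bitmap of CLUSTER_SLOTS bits (the bug report itself states only that clusterLoadConfig hits an out-of-bounds array index). The parser below rejects negative, oversized, reversed and malformed slot tokens before anything touches the bitmap, which is the check a loader of attacker-writable state must perform. Function names, the sample lines and the helper API are all constructed here.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CLUSTER_SLOTS 16384  /* number of hash slots in Redis Cluster */

/* One bit per hash slot. An unchecked slot number >= CLUSTER_SLOTS or
 * < 0 used with bitmap_set() would index past this array; that is the
 * out-of-bounds access class the bug report describes. */
typedef struct {
    uint8_t bits[CLUSTER_SLOTS / 8];
} slot_bitmap;

static void bitmap_set(slot_bitmap *b, int slot) {
    b->bits[slot >> 3] |= (uint8_t)(1u << (slot & 7));
}

int bitmap_test(const slot_bitmap *b, int slot) {
    return (b->bits[slot >> 3] >> (slot & 7)) & 1;
}

/* Parse a whole decimal token; reject empty input, trailing junk and overflow. */
static int parse_int_strict(const char *s, long *out) {
    char *end;
    if (*s == '\0') return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    *out = v;
    return 0;
}

/* Parse "N" or "N-M" into [start, stop]. Rejects anything outside
 * [0, CLUSTER_SLOTS-1] and reversed ranges. Returns 0 on success, -1 otherwise. */
int parse_slot_range(const char *tok, int *start, int *stop) {
    char buf[64];
    long a, b;
    if (strlen(tok) >= sizeof(buf)) return -1;
    strcpy(buf, tok);
    /* A dash at position 0 is a negative number, not a range separator;
     * it falls through to the single-value path and is rejected by the bounds check. */
    char *dash = strchr(buf, '-');
    if (dash && dash != buf) {
        *dash = '\0';
        if (parse_int_strict(buf, &a) || parse_int_strict(dash + 1, &b)) return -1;
    } else {
        if (parse_int_strict(buf, &a)) return -1;
        b = a;
    }
    if (a < 0 || a >= CLUSTER_SLOTS || b < 0 || b >= CLUSTER_SLOTS || a > b) return -1;
    *start = (int)a;
    *stop = (int)b;
    return 0;
}

/* Apply every whitespace-separated slot token of one constructed
 * nodes.conf-style line. Returns the number of slots set, or -1 if any
 * token is malformed or out of range; on failure *out is left untouched,
 * so a bad line cannot partially poison the in-memory state. */
int load_slots_line(const char *line, slot_bitmap *out) {
    slot_bitmap tmp;
    char buf[512];
    int count = 0;
    if (strlen(line) >= sizeof(buf)) return -1;
    memset(&tmp, 0, sizeof(tmp));
    strcpy(buf, line);
    for (char *tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        int s, e;
        if (parse_slot_range(tok, &s, &e)) return -1;
        for (int i = s; i <= e; i++) { bitmap_set(&tmp, i); count++; }
    }
    *out = tmp;
    return count;
}

/* Test helpers: load one line into a fresh bitmap and report the result. */
int count_after_load(const char *line) {
    slot_bitmap b;
    memset(&b, 0, sizeof(b));
    return load_slots_line(line, &b);
}

int slot_set_after_load(const char *line, int probe) {
    slot_bitmap b;
    memset(&b, 0, sizeof(b));
    if (load_slots_line(line, &b) < 0) return -1;
    return bitmap_test(&b, probe);
}

int main(void) {
    /* Constructed inputs: one well-formed line, and the kinds of tokens a
     * local user with write access to nodes.conf could plant. */
    const char *lines[] = { "0-5460 10923-16383", "16384", "-1", "5460-0", "0-5460 junk" };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        printf("%-22s -> %d\n", lines[i], count_after_load(lines[i]));
    return 0;
}
```

The bounds check happens on the parsed integer, before it is narrowed to `int` and before any bitmap write, and the whole line is parsed into a scratch bitmap so a rejected token leaves the caller's state unchanged. Those two properties are what separate a loader that can be crashed by a local file edit from one that merely refuses to start.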
@maintainer(s), please bump to 5.0.9.
(In reply to Sam James from comment #2)
> @maintainer(s), please bump to 5.0.9.

In tree.
Ready to stable?
Unable to check for sanity:
> no match for package: dev-db/redis-5.0.9
Fine for me.
All sanity-check issues have been resolved
(In reply to Tomáš Mózes from comment #6)
> Fine for me.

OK.
hppa stable
arm stable
ppc/ppc64 stable
arm64 stable
amd64 stable
x86 stable. Maintainer(s), please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d93fc026adfcd8e9e46fd290fca412431554d01e

commit d93fc026adfcd8e9e46fd290fca412431554d01e
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-08-27 18:11:40 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-08-27 18:11:40 +0000

    dev-db/redis: drop vulnerable 5.0.8

    Bug: https://bugs.gentoo.org/633824
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-db/redis/Manifest           |   1 -
 dev-db/redis/redis-5.0.8.ebuild | 160 ----------------------------------------
 2 files changed, 161 deletions(-)
This issue was resolved and addressed in GLSA 202008-17 at https://security.gentoo.org/glsa/202008-17 by GLSA coordinator Sam James (sam_c).