Date: Thu, 4 Jun 2015 15:46:18 +0200
From: Alessandro Ghedini <>
Subject: CVE Request: redis Lua sandbox escape and arbitrary code execution


redis 3.0.2 and 2.8.21 have been released with the following changelog entry:

> Upgrade urgency: HIGH for Redis because of a security issue. 
>                  LOW for Sentinel. 
> * [FIX] Critical security issue fix by Ben Murphy:!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ

The vulnerability is explained in more detail at:

As far as I understand it, the Lua interpreter allows the user to load insecure
bytecode that can be used to bypass the redis Lua sandbox.

The upstream patch fixing this is:

I don't think a CVE has been assigned for this yet.
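The mitigation described above is refusing to hand precompiled chunks to the interpreter at all: in Lua 5.1 a precompiled chunk always begins with the bytecode signature `"\x1bLua"` (ESC followed by "Lua"), so a loader can distinguish it from source text by inspecting the first byte. The following is an added illustration of that gatekeeping check, written here for this page; it is not the upstream redis patch and it does not reproduce its code. The function names, the "source"/"bytecode" classification and the sample scripts are constructed for the example.

```python
"""Reject precompiled Lua chunks before they reach a sandboxed interpreter.

Constructed example. The signature constant matches Lua 5.1's LUA_SIGNATURE
("\033Lua"); the checking logic and names are this example's own.
"""

# Lua 5.1 bytecode header: ESC 'L' 'u' 'a', then a version byte (0x51 for 5.1).
LUA_SIGNATURE = b"\x1bLua"


def is_precompiled_chunk(chunk: bytes) -> bool:
    """Return True when the chunk is a Lua bytecode dump rather than source.

    Lua's own loader decides on the very first byte (ESC), so the check must
    not strip whitespace first: a source chunk can never legitimately start
    with ESC, and a bytecode chunk always does.
    """
    return len(chunk) > 0 and chunk[0] == LUA_SIGNATURE[0]


def classify_script(chunk: bytes) -> str:
    """Classify a submitted script as 'source', 'bytecode' or 'empty'."""
    if not chunk:
        return "empty"
    return "bytecode" if is_precompiled_chunk(chunk) else "source"


def accept_script(chunk: bytes) -> bytes:
    """Gatekeeper: return the chunk if it is source text, else raise.

    A server that only ever wants source scripts (as the redis sandbox does)
    can call this before passing the bytes to the interpreter's load routine.
    """
    kind = classify_script(chunk)
    if kind != "source":
        raise ValueError(f"attempt to load a {kind} chunk; only Lua source is accepted")
    return chunk


if __name__ == "__main__":
    # Constructed sample inputs: a plain source script and a fake bytecode
    # header (signature, version 0x51, format 0, little-endian flag).
    source = b"return redis.call('GET', KEYS[1])"
    fake_dump = LUA_SIGNATURE + b"\x51\x00\x01" + b"\x00" * 9

    print(classify_script(source))     # source
    print(classify_script(fake_dump))  # bytecode
    accept_script(source)
    try:
        accept_script(fake_dump)
    except ValueError as exc:
        print("rejected:", exc)
```

The whole decision rests on the first byte, exactly as the interpreter's own dispatch between its parser and its undumper does, so there is no parsing of the chunk involved and nothing for a malformed input to confuse. Removing `loadstring` and similar functions from the sandbox's global table is a separate, complementary step.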

