Date: Fri, 5 Jun 2015 12:04:11 +0200
From: Alessandro Ghedini <alessandro@...dini.me>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: redis Lua sandbox escape and arbitrary code execution

On Thu, Jun 04, 2015 at 05:56:09PM -0400, cve-assign@...re.org wrote:
> > redis 3.0.2 and 2.8.21 have been released
> >
> > https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ
> > http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
> > https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
>
> The Ben Murphy advisory has a long discussion of many software and
> deployment issues. Do you have a specific viewpoint about what the CVE
> ID should be for? In particular, is the essence of the request that
> the Redis upstream vendor believes that loading Lua bytecode was, by
> itself, inherently an implementation mistake in Redis, and is now
> fixed by the
> https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
> change?

Yes, that was the idea.

Cheers
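As an added defender-side check (example code written for this page, not code from the thread, the advisory or Redis itself): a Python function that flags a Lua script, i.e. the text handed to EVAL or SCRIPT LOAD, when one of its string literals decodes to a Lua 5.1 precompiled chunk, which is the bytecode loading the referenced commit disables. It assumes the script text has been read as latin-1 so that each character maps to one byte, and it only models Lua 5.1 string syntax (decimal `\ddd` escapes, no `\x` escapes), which is the Lua version embedded in Redis 2.8/3.0.

```python
import re

# Lua 5.1 marks a precompiled chunk with ESC followed by "Lua"; a script that
# wants loadstring() to take bytecode instead of source must embed these bytes.
LUA_BYTECODE_SIGNATURE = b"\x1bLua"

# Lua 5.1 string escapes: \ddd (one to three decimal digits) plus the usual
# one-character escapes. Lua 5.1 has no \x escape.
_SIMPLE_ESCAPES = {
    "a": b"\a", "b": b"\b", "f": b"\f", "n": b"\n", "r": b"\r", "t": b"\t",
    "v": b"\v", "\\": b"\\", '"': b'"', "'": b"'", "\n": b"\n",
}
_ESCAPE_RE = re.compile(r"\\(\d{1,3}|[abfnrtv\\'\"\n])")

# Quoted strings (escapes are honoured) and long-bracket strings (taken literally).
_STRING_RE = re.compile(
    r'"((?:[^"\\]|\\[\s\S])*)"'
    r"|'((?:[^'\\]|\\[\s\S])*)'"
    r"|\[(=*)\[([\s\S]*?)\]\3\]"
)


def decode_lua_literal(body: str) -> bytes:
    """Return the bytes Lua 5.1 would build from the inside of a quoted string."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE_RE.finditer(body):
        out += body[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        if esc.isdigit():
            out.append(int(esc))  # ValueError above 255, as Lua 5.1 also rejects it
        else:
            out += _SIMPLE_ESCAPES[esc]
        pos = m.end()
    out += body[pos:].encode("latin-1")
    return bytes(out)


def lua_script_embeds_bytecode(script: str) -> bool:
    """True if some string literal decodes to a Lua bytecode chunk, i.e. data that
    loadstring() would execute as precompiled code instead of parsing as source."""
    for m in _STRING_RE.finditer(script):
        if m.group(4) is not None:  # long-bracket string: no escape processing
            data = m.group(4).encode("latin-1")
        else:
            data = decode_lua_literal(m.group(1) if m.group(1) is not None else m.group(2))
        if data.startswith(LUA_BYTECODE_SIGNATURE):
            return True
    return False
```

Note that a long-bracket string such as `[[\27Lua]]` is only the six characters of text, so it is correctly not flagged, while the same escape inside a quoted string decodes to the signature and is.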