Date: Fri, 5 Jun 2015 12:04:11 +0200
From: Alessandro Ghedini <>
Subject: Re: CVE Request: redis Lua sandbox escape and arbitrary code

On Thu, Jun 04, 2015 at 05:56:09PM -0400, wrote:
> > redis 3.0.2 and 2.8.21 have been released
> >!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ
> >
> >
> The Ben Murphy advisory has a long discussion of many software and
> deployment issues. Do you have a specific viewpoint about what the CVE
> ID should be for? In particular, is the essence of the request that
> the Redis upstream vendor believes that loading Lua bytecode was, by
> itself, inherently an implementation mistake in Redis, and is now
> fixed by the
> change?

Yes, that was the idea.

