Date: Fri, 5 Jun 2015 12:04:11 +0200
From: Alessandro Ghedini <alessandro@...dini.me>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: redis Lua sandbox escape and arbitrary code execution

On Thu, Jun 04, 2015 at 05:56:09PM -0400, cve-assign@...re.org wrote:
> > redis 3.0.2 and 2.8.21 have been released
> 
> > https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ
> > http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
> > https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
> 
> The Ben Murphy advisory has a long discussion of many software and
> deployment issues. Do you have a specific viewpoint about what the CVE
> ID should be for? In particular, is the essence of the request that
> the Redis upstream vendor believes that loading Lua bytecode was, by
> itself, inherently an implementation mistake in Redis, and is now
> fixed by the
> https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
> change?

Yes, that was the idea.

Cheers
