Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Jul 2016 09:32:34 +0200
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Subject: CVE Request: redis: World readable .rediscli_history


>From the Debian bug report at
> redis-cli stores its history in ~/.rediscli_history, this file is
> created with permissions 0644. Home folders are world readable as well
> in debian, so any user can access other users redis history, including
> AUTH commands, which include credentials.
> I've contacted upstream on 2016-05-30 without any reaction at all and
> discovered this bug was first reported 3 years ago, still unfixed.
> @RedisLabs keeps referring to their paid support on twitter.
> Demo: `cat /home/*/.rediscli_history`

Upstream report:

Could you please assign a CVE for this issue in redis?


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ