Date: Thu, 4 Jun 2015 17:56:09 -0400 (EDT) From: cve-assign@...re.org To: alessandro@...dini.me Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: redis Lua sandbox escape and arbitrary code execution -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > redis 3.0.2 and 2.8.21 have been released > https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ > http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/ > https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411 The Ben Murphy advisory has a long discussion of many software and deployment issues. Do you have a specific viewpoint about what the CVE ID should be for? In particular, is the essence of the request that the Redis upstream vendor believes that loading Lua bytecode was, by itself, inherently an implementation mistake in Redis, and is now fixed by the https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411 change? By way of background: we have previously tried to gather information for assigning CVE IDs to the underlying bytecode security concerns in Lua (see the http://openwall.com/lists/oss-security/2014/08/27/2 post), but this was unsuccessful. If the currently needed CVE ID should be only about Redis, as mentioned in the above paragraph, then we will not be revisiting those Lua issues now. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVcMkAAAoJEKllVAevmvmshgoH/0d6gd3qhLrK615YkgfLRCnU bAuBrbBRf3aCO4qQWfdvdluSDb4pf8Uc2ECC9c1eHJfqRNIvkWgq+9MYWV0S1Jgz O1WjYgJ5QbamqgECPUluj3yrZdefLwIVNxKRjfzIa5uZS/e4zbWyYcWPEuXsU6YD 7PiFDRx0S6k1OUpw1/051uV9p/Q06PZcPKtQq4qIH2gjcZO1MQn/C8T0y+tNVNKq iUyG84esvBK04AjakUNppHSYTiBcW7dGEWhwd7cvdvXWnF+g3s/PBZNve3B5czIZ klk0DqXHtTaYvSF4ERY2cjMKU3GBJWq4dQ2kkfXBDjm28oqG2Nit8APETMWpNHU= =J2bY -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.