Message-Id: <20150604215609.811EC42E102@smtpvbsrv1.mitre.org>
Date: Thu,  4 Jun 2015 17:56:09 -0400 (EDT)
From: cve-assign@...re.org
To: alessandro@...dini.me
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: redis Lua sandbox escape and arbitrary code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> redis 3.0.2 and 2.8.21 have been released

> https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ
> http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
> https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411

The Ben Murphy advisory has a long discussion of many software and
deployment issues. Do you have a specific viewpoint about what the CVE
ID should be for? In particular, is the essence of the request that
the Redis upstream vendor believes that loading Lua bytecode was, by
itself, inherently an implementation mistake in Redis, and is now
fixed by the
https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
change?

By way of background: we have previously tried to gather information
for assigning CVE IDs to the underlying bytecode security concerns in
Lua (see the http://openwall.com/lists/oss-security/2014/08/27/2
post), but this was unsuccessful. If the currently needed CVE ID should
be only about Redis, as mentioned in the above paragraph, then we will
not be revisiting those Lua issues now.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVcMkAAAoJEKllVAevmvmshgoH/0d6gd3qhLrK615YkgfLRCnU
bAuBrbBRf3aCO4qQWfdvdluSDb4pf8Uc2ECC9c1eHJfqRNIvkWgq+9MYWV0S1Jgz
O1WjYgJ5QbamqgECPUluj3yrZdefLwIVNxKRjfzIa5uZS/e4zbWyYcWPEuXsU6YD
7PiFDRx0S6k1OUpw1/051uV9p/Q06PZcPKtQq4qIH2gjcZO1MQn/C8T0y+tNVNKq
iUyG84esvBK04AjakUNppHSYTiBcW7dGEWhwd7cvdvXWnF+g3s/PBZNve3B5czIZ
klk0DqXHtTaYvSF4ERY2cjMKU3GBJWq4dQ2kkfXBDjm28oqG2Nit8APETMWpNHU=
=J2bY
-----END PGP SIGNATURE-----
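The question above turns on whether accepting precompiled Lua bytecode from EVAL callers was itself the mistake. The script below is an added example, not code from Redis, from the linked commit, or from the advisory: it shows the kind of text-only gate a Lua host applies when it refuses bytecode and accepts only source. It relies on two facts about the Lua 5.1 that Redis embeds: a precompiled chunk starts with the signature ESC "Lua", and the 12-byte header that follows records the compiler version and the build ABI. The sample chunks are constructed here for illustration, and nothing in this example claims to reproduce how the Redis fix is implemented.

```python
"""Text-only chunk gate for a Lua 5.1 host such as an EVAL sandbox.

Added example; not Redis code. Lua's own loader picks the binary path
when the first byte of a chunk is ESC (0x1B), so a host that wants
source only has to refuse exactly those chunks before loading them.
"""
import struct

LUA_SIGNATURE = b"\x1bLua"        # ESC 'L' 'u' 'a', start of every precompiled chunk
LUA51_HEADER_SIZE = 12            # signature (4) + version/format/ABI bytes (8)


def parse_lua51_header(chunk: bytes) -> dict:
    """Decode the Lua 5.1 precompiled-chunk header.

    Layout after the signature: version (0x51 for 5.1), format (0 = official),
    endianness flag (1 = little), sizeof(int), sizeof(size_t),
    sizeof(Instruction), sizeof(lua_Number), integral-number flag.
    Raises ValueError for non-bytecode or truncated input.
    """
    if not chunk.startswith(LUA_SIGNATURE):
        raise ValueError("not a precompiled Lua chunk")
    if len(chunk) < LUA51_HEADER_SIZE:
        raise ValueError("truncated bytecode header")
    (version, fmt, endian, sz_int, sz_sizet,
     sz_instr, sz_number, integral) = struct.unpack("<8B", chunk[4:LUA51_HEADER_SIZE])
    return {
        "version": f"{version >> 4}.{version & 0xF}",
        "format": fmt,
        "little_endian": bool(endian),
        "sizeof_int": sz_int,
        "sizeof_size_t": sz_sizet,
        "sizeof_instruction": sz_instr,
        "sizeof_number": sz_number,
        "integral_numbers": bool(integral),
    }


def classify_chunk(chunk: bytes) -> str:
    """Return "bytecode" if Lua's loader would take the binary path, else "text".

    Only the first byte matters, which is the same decision lua_load makes.
    """
    return "bytecode" if chunk[:1] == b"\x1b" else "text"


def load_text_only(chunk: bytes) -> bytes:
    """Gate for a hardened host: hand back source chunks, refuse bytecode.

    A real host would pass the returned bytes to luaL_loadbuffer (5.1) or
    luaL_loadbufferx(..., "t") (5.2+, which enforces this mode itself).
    Malformed bytecode is still refused; it just gets a less specific reason.
    """
    if classify_chunk(chunk) == "text":
        return chunk
    try:
        desc = "Lua " + parse_lua51_header(chunk)["version"]
    except ValueError:
        desc = "malformed"
    raise PermissionError(f"refusing precompiled chunk ({desc}); only source text is accepted")


# Constructed sample chunks (not captured Redis traffic).
SOURCE_CHUNK = b"return redis.call('GET', KEYS[1])"
# Header for a little-endian 64-bit build: version 0x51, format 0, endian 1,
# int=4, size_t=8, Instruction=4, lua_Number=8 (double), non-integral; then
# zero padding standing in for the function prototype that would follow.
BYTECODE_CHUNK = LUA_SIGNATURE + bytes([0x51, 0, 1, 4, 8, 4, 8, 0]) + b"\x00" * 16
TRUNCATED_CHUNK = LUA_SIGNATURE + bytes([0x51, 0])


if __name__ == "__main__":
    for name, chunk in (("source", SOURCE_CHUNK),
                        ("bytecode", BYTECODE_CHUNK),
                        ("truncated", TRUNCATED_CHUNK)):
        try:
            load_text_only(chunk)
            print(f"{name}: accepted")
        except PermissionError as exc:
            print(f"{name}: rejected ({exc})")
```

The gate deliberately decides on the first byte rather than on the full header: a chunk that begins with ESC but has a damaged header is still something the binary loader would try to undump, so it must be refused too, not fall through to the text path.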
