Date: Thu, 28 Jul 2016 09:32:34 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Subject: CVE Request: redis: World readable .rediscli_history Hi >From the Debian bug report at https://bugs.debian.org/832460: > redis-cli stores its history in ~/.rediscli_history, this file is > created with permissions 0644. Home folders are world readable as well > in debian, so any user can access other users redis history, including > AUTH commands, which include credentials. > > I've contacted upstream on 2016-05-30 without any reaction at all and > discovered this bug was first reported 3 years ago, still unfixed. > @RedisLabs keeps referring to their paid support on twitter. > > Demo: `cat /home/*/.rediscli_history` Upstream report: https://github.com/antirez/redis/issues/3284 Could you please assign a CVE for this issue in redis? Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.