Bug 16095

Summary: redis new security issue CVE-2015-4335
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: davidwhodgins, herman.viaene, mageia, sysadmin-bugs
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/647490/
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK advisory
Source RPM: redis-2.8.13-3.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-06-08 19:50:18 CEST
Debian has issued an advisory on June 6:
https://www.debian.org/security/2015/dsa-3279

The issue is fixed upstream in 2.8.21.  It is unclear if 2.6 (Mageia 4) is affected.

The CVE was requested in this thread:
http://openwall.com/lists/oss-security/2015/06/04/8

Reproducible: 

Steps to Reproduce:
David Walser 2015-06-08 19:50:24 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2015-06-14 17:31:58 CEST
The RedHat bug has a link to the upstream commit to fix this:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4335

It also applies to the version we have in Mageia 4.

Patch committed in Mageia 4 and Cauldron SVN.  Freeze push requested.

Looking at Fedora's git log:
http://pkgs.fedoraproject.org/cgit/redis.git/log/?h=f21

there appear to be some critical bugfixes in versions between 2.8.13 and 2.8.21, so you still might want to consider a full update at a later time.

Whiteboard: MGA5TOO => MGA5TOO, MGA4TOO
Severity: normal => critical

Comment 2 David Walser 2015-06-15 23:20:53 CEST
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated redis package fixes security vulnerability:

It was discovered that redis, a persistent key-value database, could execute
insecure Lua bytecode by way of the EVAL command. This could allow remote
attackers to break out of the Lua sandbox and execute arbitrary code
(CVE-2015-4335).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4335
https://www.debian.org/security/2015/dsa-3279
========================

Updated packages in core/updates_testing:
========================
redis-2.6.5-4.1.mga4

from redis-2.6.5-4.1.mga4.src.rpm

CC: (none) => mageia
Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 3 Herman Viaene 2015-06-17 09:53:52 CEST
MGA4-32 on AcerD6620 Xfce
No installation issues
Followed Redis quick start guide from redis.io/topics/quickstart, ping and set and get commands work OK

CC: (none) => herman.viaene
Whiteboard: (none) => has_procedure MGA4-32-OK
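The following shell script is an added example, not part of this bug report or of the Mageia redis package. It automates the two checks the comments above describe: Comment 2 names redis-2.6.5-4.1.mga4 as the fixed package for Mageia 4, and Comment 3's has_procedure is the quick-start ping/set/get sequence with redis-cli. The version comparison is a simplified reimplementation of rpmvercmp segment ordering (no epoch, tilde or caret handling); the host, port and key name are assumptions, and both checks skip gracefully when rpm or redis-cli is not installed.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or the redis package): confirm the
# patched redis package is installed, then run the QA smoke test from Comment 3.

# Fixed package NVR as listed in Comment 2 of this bug.
FIXED_NVR="redis-2.6.5-4.1.mga4"

# vercmp A B -> prints -1, 0 or 1. Simplified rpmvercmp: split both strings
# into alternating digit/alpha segments, compare numerically or lexically,
# a numeric segment beats an alpha one, and the longer string wins at the end.
# (Assumption: no epoch, '~' or '^' handling; adequate for plain NVRs.)
vercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, arr,    n, i, c, cls, prev) {
        n = 0; prev = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c ~ /[0-9]/) cls = "d"; else if (c ~ /[A-Za-z]/) cls = "a"; else cls = ""
            if (cls == "") { prev = ""; continue }      # separator: end segment
            if (cls != prev) { n++; arr[n] = c; prev = cls } else arr[n] = arr[n] c
        }
        return n
    }
    BEGIN {
        na = segs(a, A); nb = segs(b, B); r = 0
        for (i = 1; i <= na && i <= nb; i++) {
            da = (A[i] ~ /^[0-9]+$/); db = (B[i] ~ /^[0-9]+$/)
            if (da && db) { if (A[i] + 0 != B[i] + 0) { r = (A[i] + 0 > B[i] + 0) ? 1 : -1; break } }
            else if (da != db) { r = da ? 1 : -1; break }   # numeric newer than alpha
            else if (A[i] != B[i]) { r = (A[i] > B[i]) ? 1 : -1; break }
        }
        if (r == 0 && na != nb) r = (na > nb) ? 1 : -1
        print r
    }'
}

# nvr_at_least INSTALLED FIXED -> true when INSTALLED is FIXED or newer.
nvr_at_least() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# check_installed_package -> 0 if patched, 1 if older, 2 if undeterminable.
check_installed_package() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; skipping package check"
        return 2
    fi
    installed=$(rpm -q redis 2>/dev/null) || { echo "redis is not installed"; return 2; }
    if nvr_at_least "$installed" "$FIXED_NVR"; then
        echo "OK: $installed is at or above $FIXED_NVR (CVE-2015-4335 fix)"
        return 0
    fi
    echo "VULNERABLE: $installed is older than $FIXED_NVR"
    return 1
}

# smoke_test [HOST] [PORT] -> the has_procedure from Comment 3: ping, set, get.
# Host/port defaults and the key name are assumptions for this example.
smoke_test() {
    host="${1:-127.0.0.1}"
    port="${2:-6379}"
    if ! command -v redis-cli >/dev/null 2>&1; then
        echo "redis-cli not found; skipping smoke test"
        return 2
    fi
    key="mga16095:smoke:$$"    # constructed key so the test does not touch real data
    [ "$(redis-cli -h "$host" -p "$port" ping)" = "PONG" ] || return 1
    [ "$(redis-cli -h "$host" -p "$port" set "$key" hello)" = "OK" ] || return 1
    [ "$(redis-cli -h "$host" -p "$port" get "$key")" = "hello" ] || return 1
    redis-cli -h "$host" -p "$port" del "$key" >/dev/null
    echo "OK: ping/set/get succeeded against $host:$port"
    return 0
}

# Run both checks when executed as a script.
check_installed_package
smoke_test "$@"
```

Run it on the updated machine as `sh check-redis-update.sh`; the package check only reports VULNERABLE when the installed NVR sorts below redis-2.6.5-4.1.mga4, which is why a plain `sort -V` is not used: version sort treats the release "4.mga4" as newer than "4.1.mga4", the opposite of rpm's rule that a numeric segment outranks an alphabetic one.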

Comment 4 Herman Viaene 2015-06-17 10:00:10 CEST
MGA4-64 on HP Probook 6555b KDE
No installation issues
Applied same tests as per Comment 3, all OK

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 5 Dave Hodgins 2015-06-18 20:01:26 CEST
Advisory added to svn. Can someone from the sysadmin team please push this update.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2015-06-19 15:33:46 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0244.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED