| Summary: | redis new security issue CVE-2013-7458 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/695958/ | | |
| Whiteboard: | MGA5-64-OK advisory | | |
| Source RPM: | redis-3.0.7-6.mga6.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | Session output for redis-cli; Raw commands for redis-cli - a small sample | | |
Description

David Walser
2016-08-08 21:59:52 CEST

David Walser
2016-08-08 22:00:00 CEST

Whiteboard: (none) => MGA5TOO

Patched packages submitted for Mageia 5 and Cauldron. Side note to Colin, please make sure to put the subrel right above %mkrel and not at the top of the SPEC file.

Advisory:
========================

Updated redis package fixes security vulnerability:

It was discovered that redis did not properly protect redis-cli history files; they were created by default with world-readable permissions (CVE-2013-7458).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7458
https://www.debian.org/security/2016/dsa-3634
========================

Updated packages in core/updates_testing:
========================
redis-2.8.13-4.2.mga5 from redis-2.8.13-4.2.mga5.src.rpm

Version: Cauldron => 5

Testing on x86_64

Before update tried out redis, which was already installed. There is an interactive tutorial online and you can see the attached sample.txt for a flavour of the commands. The tutorial text can be fed to redis-cli like so:

$ redis-cli < tutorial

Once a session has been completed the security vulnerability is demonstrated by

$ ls -l ~/.rediscli_history
-rw-r--r-- 1 lcl wireshark 108 Aug 26 00:08 .rediscli_history

showing that the history file is world readable.

Ran the update and removed the history file.

$ sudo systemctl restart redis.service

Ran the tutorial text through the command line interpreter again.

$ ls -l .rediscli_history
-rw------- 1 lcl wireshark 25 Aug 26 00:26 .rediscli_history

This can be flagged as OK for 64-bits.

CC: (none) => tarazed25

Created attachment 8370
Session output for redis-cli

Len Lawrence
2016-08-26 01:32:08 CEST

Whiteboard: (none) => MGA5-64-OK

Created attachment 8371
Raw commands for redis-cli - a small sample

Use

$ redis-cli < tutorial

to see outputs for individual commands.

The output from the tutorial session looks a bit different if redis-cli is run interactively as it is meant to be, line by line. The method suggested is just a lazy way to repeat things.

Validating this. Adding it to the pile for sysadmins to push. Thanks.

Len Lawrence
2016-08-26 23:08:23 CEST

Keywords: (none) => validated_update

Advisory uploaded.

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0295.html

Status: NEW => RESOLVED
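The ls -l check from the testing comment above, turned into a reusable audit for the history file permissions; this is an added shell example, not code from the bug report or from redis, and the function names and the constructed temporary file are assumptions of the example:

```shell
#!/bin/sh
# Added example, not code from the bug report or from redis itself.
# Audits whether a file is readable by users other than its owner, the
# defect CVE-2013-7458 describes for ~/.rediscli_history, and reproduces
# the before/after of the ls -l check on a constructed temporary file.

# Exit 0 if FILE has the "other" read bit set, 1 if not, 2 if missing.
# Reads the 8th character of the ls -l mode string (the o+r position),
# which works on both GNU and BSD userlands without stat(1) flags.
world_readable() {
    [ -e "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Check the redis-cli history file for the current user (or the path
# given as the first argument) and report, mirroring the ls -l test in
# the testing comment. Returns 1 when the file is world-readable.
check_rediscli_history() {
    hist="${1:-$HOME/.rediscli_history}"
    if [ ! -e "$hist" ]; then
        echo "no history file at $hist"
        return 0
    fi
    if world_readable "$hist"; then
        echo "VULNERABLE: $hist is world-readable; fix with: chmod 0600 $hist"
        return 1
    fi
    echo "OK: $hist is owner-only"
}

# Demonstration on a constructed file: unpatched redis-cli created the
# history with the process umask (typically 022, giving 0644); the fix
# is equivalent to creating it with 0600. Prints "<before> <after>" as
# the exit codes of world_readable, i.e. "0 1".
demo() {
    tmp=$(mktemp -d) || return 2
    f="$tmp/.rediscli_history"
    ( umask 022; : > "$f" )                       # before the update: 0644
    if world_readable "$f"; then before=0; else before=1; fi
    chmod 0600 "$f"                               # after the update: 0600
    if world_readable "$f"; then after=0; else after=1; fi
    rm -rf "$tmp"
    echo "$before $after"
}
```

Running `check_rediscli_history` with no argument inspects the real history file of the current user; `demo` only touches a temporary directory.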