Bug 20270

Summary: redis new security issue fixed upstream in 3.2.7 (CVE-2016-10517)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Joseph Wang <joequant>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mageia
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://lwn.net/Vulnerabilities/714127/
Whiteboard:
Source RPM: redis-3.0.7-7.mga6.src.rpm
CVE: 20270
Status comment:

Description David Walser 2017-02-12 16:22:38 CET
Upstream has issued an advisory on January 31:
https://www.reddit.com/r/redis/comments/5r8wxn/redis_327_is_out_important_security_fixes_inside/

Version 3.2.8 has been released today (February 12) fixing two critical bugs:
https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES

Fedora has issued an advisory for this on February 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AMRFP56SC5RYK56GYXUJ2NE6XJOBMBYL/

It looks like the Cauldron package should probably be updated to 3.2.8.
Comment 1 David Walser 2017-02-22 19:57:50 CET
Gentoo has issued an advisory on February 21:
https://security.gentoo.org/glsa/201702-16

It fixes an issue (CVE-2016-8339) that was fixed upstream in 3.2.4.

LWN reference:
https://lwn.net/Vulnerabilities/715169/
Comment 2 Nicolas Lécureuil 2017-04-25 09:55:27 CEST
pushed in cauldron

CC: (none) => mageia
CVE: (none) => 20270
Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 3 David Walser 2017-04-25 11:51:40 CEST
Upload rejected:
 - systemd-unit-in-etc /etc/systemd/system/redis.service.d/limit.conf
 - systemd-unit-in-etc /etc/systemd/system/redis-sentinel.service.d/limit.conf
 - systemd-unit-in-etc /etc/systemd/system/redis-sentinel.service.d
 - systemd-unit-in-etc /etc/systemd/system/redis.service.d
 - non-ghost-in-var-run /var/run/redis

Those files in /etc need to be moved to /usr/lib and it needs a tmpfiles snippet for the /var/run dir.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
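The packaging fix asked for in comment 3, shown as an added example that is not part of this bug report and not the Mageia redis package's own spec or files: a small POSIX shell stand-in for the two rpmlint checks quoted above (systemd-unit-in-etc and non-ghost-in-var-run), run first against a staged buildroot laid out the rejected way and then against the corrected layout (drop-ins under /usr/lib/systemd/system, a tmpfiles.d snippet for the runtime directory). Unit names and paths are taken from the rpmlint output; the drop-in contents (LimitNOFILE=10240), the redis:redis owner and the 0755 mode in the tmpfiles.d line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the Mageia redis package's own files): a stand-in for
# the two rpmlint checks from comment 3, run against a staged buildroot.
# Unit names and paths follow the rpmlint output; the LimitNOFILE value,
# the redis:redis owner and the 0755 mode are assumptions for illustration.

# lint_findings BUILDROOT
# Emits one " - <check> <path>" line per offending path, in rpmlint's style.
lint_findings() {
    root=$1
    # systemd-unit-in-etc: units and drop-ins a package ships belong under
    # /usr/lib/systemd/system; /etc/systemd/system is the admin's override tree.
    if [ -d "$root/etc/systemd/system" ]; then
        find "$root/etc/systemd/system" -mindepth 1 | sed "s|^$root| - systemd-unit-in-etc |"
    fi
    # non-ghost-in-var-run: /var/run is volatile (tmpfs), so a packaged
    # directory there is gone after a reboot unless tmpfiles.d recreates it;
    # the spec then lists it as %ghost instead of shipping it.
    if [ -d "$root/var/run" ]; then
        find "$root/var/run" -mindepth 1 | sed "s|^$root| - non-ghost-in-var-run |"
    fi
}

# check_buildroot BUILDROOT
# Returns 0 when clean, 1 (after printing the findings) when the upload
# would be rejected.
check_buildroot() {
    out=$(lint_findings "$1")
    if [ -n "$out" ]; then
        echo "Upload rejected:"
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# The layout that was rejected: drop-ins under /etc and a real /var/run dir.
stage_rejected() {
    root=$1
    for unit in redis redis-sentinel; do
        mkdir -p "$root/etc/systemd/system/$unit.service.d"
        printf '[Service]\nLimitNOFILE=10240\n' > "$root/etc/systemd/system/$unit.service.d/limit.conf"
    done
    mkdir -p "$root/var/run/redis"
}

# The corrected layout: drop-ins under /usr/lib, plus a tmpfiles.d snippet
# that creates /run/redis at boot; /var/run/redis itself is no longer
# shipped in the buildroot (it becomes a %ghost entry in the spec).
stage_fixed() {
    root=$1
    for unit in redis redis-sentinel; do
        mkdir -p "$root/usr/lib/systemd/system/$unit.service.d"
        printf '[Service]\nLimitNOFILE=10240\n' > "$root/usr/lib/systemd/system/$unit.service.d/limit.conf"
    done
    mkdir -p "$root/usr/lib/tmpfiles.d"
    # tmpfiles.d(5) fields: type path mode user group age
    printf 'd /run/redis 0755 redis redis -\n' > "$root/usr/lib/tmpfiles.d/redis.conf"
}

demo() {
    tmp=$(mktemp -d)
    stage_rejected "$tmp/rejected"
    stage_fixed "$tmp/fixed"
    check_buildroot "$tmp/rejected" || true
    check_buildroot "$tmp/fixed" && echo "fixed buildroot is clean"
    rm -rf "$tmp"
}

demo
```

The script models only the file layout, not the spec: in the real package the snippet is installed under /usr/lib/tmpfiles.d, the runtime directory is listed as %ghost in %files, and on a systemd host /var/run is a symlink to /run, which is why the tmpfiles.d line names /run/redis.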

Comment 4 Nicolas Lécureuil 2017-05-03 23:54:28 CEST
ok in cauldron now

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2017-10-25 17:27:18 CEST
This has been assigned CVE-2016-10517:
http://openwall.com/lists/oss-security/2017/10/25/1

Summary: redis new security issue fixed upstream in 3.2.7 => redis new security issue fixed upstream in 3.2.7 (CVE-2016-10517)