Debian has issued an advisory on June 6: https://www.debian.org/security/2015/dsa-3279 The issue is fixed upstream in 2.8.21. It is unclear if 2.6 (Mageia 4) is affected. The CVE was requested in this thread: http://openwall.com/lists/oss-security/2015/06/04/8
Whiteboard: (none) => MGA5TOO
The RedHat bug has a link to the upstream commit to fix this: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4335 It also applies to the version we have in Mageia 4. Patch committed in Mageia 4 and Cauldron SVN. Freeze push requested. Looking at Fedora's git log: http://pkgs.fedoraproject.org/cgit/redis.git/log/?h=f21 there appear to be some critical bugfixes in versions between 2.8.13 and 2.8.21, so you still might want to consider a full update at a later time.
Whiteboard: MGA5TOO => MGA5TOO, MGA4TOO
Severity: normal => critical
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated redis package fixes security vulnerability:

It was discovered that redis, a persistent key-value database, could execute insecure Lua bytecode by way of the EVAL command. This could allow remote attackers to break out of the Lua sandbox and execute arbitrary code (CVE-2015-4335).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4335
https://www.debian.org/security/2015/dsa-3279
========================

Updated packages in core/updates_testing:
========================
redis-2.6.5-4.1.mga4

from redis-2.6.5-4.1.mga4.src.rpm
CC: (none) => mageia
Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
MGA4-32 on AcerD6620 Xfce. No installation issues. Followed the Redis quick start guide from redis.io/topics/quickstart; ping, set and get commands work OK.
CC: (none) => herman.viaene
Whiteboard: (none) => has_procedure MGA4-32-OK
MGA4-64 on HP Probook 6555b KDE. No installation issues. Applied the same tests as per Comment 3, all OK.
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Advisory added to svn. Can someone from the sysadmin team please push this update.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0244.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED