Bug 16095 - redis new security issue CVE-2015-4335
Summary: redis new security issue CVE-2015-4335
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/647490/
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-06-08 19:50 CEST by David Walser
Modified: 2015-06-19 15:33 CEST
CC: 4 users

See Also:
Source RPM: redis-2.8.13-3.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-06-08 19:50:18 CEST
Debian has issued an advisory on June 6:
https://www.debian.org/security/2015/dsa-3279

The issue is fixed upstream in 2.8.21.  It is unclear if 2.6 (Mageia 4) is affected.

The CVE was requested in this thread:
http://openwall.com/lists/oss-security/2015/06/04/8

David Walser 2015-06-08 19:50:24 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2015-06-14 17:31:58 CEST
The Red Hat bug has a link to the upstream commit to fix this:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4335

It also applies to the version we have in Mageia 4.

Patch committed in Mageia 4 and Cauldron SVN.  Freeze push requested.

Looking at Fedora's git log:
http://pkgs.fedoraproject.org/cgit/redis.git/log/?h=f21

there appear to be some critical bugfixes in versions between 2.8.13 and 2.8.21, so you still might want to consider a full update at a later time.

Whiteboard: MGA5TOO => MGA5TOO, MGA4TOO
Severity: normal => critical

Comment 2 David Walser 2015-06-15 23:20:53 CEST
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated redis package fixes security vulnerability:

It was discovered that redis, a persistent key-value database, could execute
insecure Lua bytecode by way of the EVAL command. This could allow remote
attackers to break out of the Lua sandbox and execute arbitrary code
(CVE-2015-4335).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4335
https://www.debian.org/security/2015/dsa-3279
========================

Updated packages in core/updates_testing:
========================
redis-2.6.5-4.1.mga4

from redis-2.6.5-4.1.mga4.src.rpm

CC: (none) => mageia
Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 3 Herman Viaene 2015-06-17 09:53:52 CEST
MGA4-32 on AcerD6620 Xfce
No installation issues
Followed the Redis quick start guide from redis.io/topics/quickstart; ping, set and get commands work OK

CC: (none) => herman.viaene
Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 4 Herman Viaene 2015-06-17 10:00:10 CEST
MGA4-64 on HP Probook 6555b KDE
No installation issues
Applied same tests as per Comment 3, all OK

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
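An added example (not Mageia's or the Redis project's code) that scripts both the QA smoke test from Comments 3 and 4 (PING, SET, GET) and a check for the issue the advisory in Comment 2 describes, Lua bytecode executed through EVAL. It assumes an unauthenticated test instance on 127.0.0.1:6379; the key name mga:qa:check and the Lua probe are constructed for this example. The probe only reports whether loadstring() accepted a string.dump() chunk; it does not attempt a sandbox escape.

```python
"""Post-update check for a Redis server: the PING/SET/GET smoke test from the QA
comments, then a probe for CVE-2015-4335 (Lua bytecode loading through EVAL).
Added example, not Mageia or Redis project code.  Assumes an unauthenticated
test instance on 127.0.0.1:6379; the key name 'mga:qa:check' is made up."""
import socket
import sys

class RespError(Exception):
    """Error reply ('-ERR ...'); returned, not raised, so the probe can inspect it."""

class Incomplete(Exception):
    """More bytes are needed before a full reply can be parsed."""

def encode_command(*args):
    """Serialize a command as a RESP array of bulk strings."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)

def parse_reply(buf):
    """Parse one RESP reply at the start of buf; return (value, rest)."""
    if b"\r\n" not in buf:
        raise Incomplete
    line, rest = buf.split(b"\r\n", 1)
    kind, payload = line[:1], line[1:]
    if kind == b"+":                      # simple string, e.g. +PONG
        return payload.decode(), rest
    if kind == b"-":                      # error
        return RespError(payload.decode()), rest
    if kind == b":":                      # integer
        return int(payload), rest
    if kind == b"$":                      # bulk string; $-1 is nil
        n = int(payload)
        if n == -1:
            return None, rest
        if len(rest) < n + 2:
            raise Incomplete
        return rest[:n], rest[n + 2:]
    if kind == b"*":                      # array, parsed recursively
        items = []
        for _ in range(int(payload)):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError("unknown RESP type byte %r" % kind)

# Lua run on the server: string.dump() yields a bytecode chunk.  A vulnerable build
# lets loadstring() accept it (call returns 42); a fixed one refuses the binary chunk.
BYTECODE_PROBE = (
    "local f, err = loadstring(string.dump(function() return 42 end)) "
    "if f then return f() end "
    "return 'rejected: ' .. tostring(err)"
)

def classify_probe_reply(reply):
    if reply == 42:
        return "VULNERABLE: server executed Lua bytecode passed to EVAL"
    if isinstance(reply, bytes) and reply.startswith(b"rejected:"):
        return "OK: bytecode refused (%s)" % reply.decode(errors="replace")
    if isinstance(reply, RespError):
        # EVAL itself failed (e.g. loadstring unavailable): not proof of a fix.
        return "INCONCLUSIVE: EVAL returned an error (%s)" % reply
    return "INCONCLUSIVE: unexpected reply %r" % (reply,)

class RedisClient:
    def __init__(self, host="127.0.0.1", port=6379, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout)
        self.buf = b""

    def command(self, *args):
        self.sock.sendall(encode_command(*args))
        while True:                       # read until one full reply is buffered
            try:
                reply, self.buf = parse_reply(self.buf)
                return reply
            except Incomplete:
                chunk = self.sock.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                self.buf += chunk

def run_checks(host="127.0.0.1", port=6379):
    """Smoke test plus CVE probe; returns a dict of results."""
    client = RedisClient(host, port)
    try:
        results = {"ping": client.command("PING") == "PONG"}
        client.command("SET", "mga:qa:check", "value")
        results["set_get"] = client.command("GET", "mga:qa:check") == b"value"
        reply = client.command("EVAL", BYTECODE_PROBE, 0)
        results["cve_2015_4335"] = classify_probe_reply(reply)
        return results
    finally:
        client.sock.close()

if __name__ == "__main__":
    for name, value in run_checks(*sys.argv[1:2]).items():
        print("%-15s %s" % (name, value))
```

Run it against the updated redis-2.6.5-4.1.mga4 in a test VM: ping and set_get should be True, and the cve_2015_4335 line should read OK with the server's own refusal message in parentheses. An unpatched build reports VULNERABLE because the dumped chunk was loaded and executed. If EVAL itself returns an error, the result is INCONCLUSIVE and the message needs to be read before concluding anything.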

Comment 5 Dave Hodgins 2015-06-18 20:01:26 CEST
Advisory added to svn. Can someone from the sysadmin team please push this update.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2015-06-19 15:33:46 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0244.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

