Bug 16095 - redis new security issue CVE-2015-4335
Summary: redis new security issue CVE-2015-4335
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/647490/
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK a...
Keywords: validated_update
Depends on:
Reported: 2015-06-08 19:50 CEST by David Walser
Modified: 2015-06-19 15:33 CEST
CC List: 4 users

See Also:
Source RPM: redis-2.8.13-3.mga5.src.rpm
Status comment:


Description David Walser 2015-06-08 19:50:18 CEST
Debian has issued an advisory on June 6:

The issue is fixed upstream in 2.8.21.  It is unclear if 2.6 (Mageia 4) is affected.

The CVE was requested in this thread:

David Walser 2015-06-08 19:50:24 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2015-06-14 17:31:58 CEST
The RedHat bug has a link to the upstream commit to fix this:

It also applies to the version we have in Mageia 4.

Patch committed in Mageia 4 and Cauldron SVN.  Freeze push requested.

Looking at Fedora's git log:

there appear to be some critical bugfixes in versions between 2.8.13 and 2.8.21, so you still might want to consider a full update at a later time.

Whiteboard: MGA5TOO => MGA5TOO, MGA4TOO
Severity: normal => critical

Comment 2 David Walser 2015-06-15 23:20:53 CEST
Patched packages uploaded for Mageia 4 and Cauldron.


Updated redis package fixes security vulnerability:

It was discovered that redis, a persistent key-value database, could execute
insecure Lua bytecode by way of the EVAL command. This could allow remote
attackers to break out of the Lua sandbox and execute arbitrary code.

Updated packages in core/updates_testing:

from redis-2.6.5-4.1.mga4.src.rpm

CC: (none) => mageia
Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
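As an added illustration, not code from this bug report or from the Redis project: the advisory above says the flaw is that EVAL would accept precompiled Lua bytecode instead of source text. A monitor or proxy in front of an unpatched Redis 2.x instance can parse the RESP-encoded command and flag an EVAL whose script argument starts with the Lua 5.1 chunk signature (ESC "Lua"). The RESP samples below are constructed; the function and signature names are this example's own.

```python
# Lua 5.1 precompiled chunks begin with LUA_SIGNATURE (ESC "Lua") followed by
# the version byte 0x51. Redis 2.x embeds Lua 5.1, so an EVAL script argument
# starting with this header is bytecode, not source text.
LUA_BYTECODE_SIGNATURE = b"\x1bLua"


def is_lua_bytecode(script: bytes) -> bool:
    """True when the chunk passed to EVAL is precompiled bytecode."""
    return script.startswith(LUA_BYTECODE_SIGNATURE)


def parse_resp_array(data: bytes) -> list:
    """Minimal RESP parser for one multi-bulk command: *N\\r\\n$len\\r\\n<payload>\\r\\n ..."""
    if not data.startswith(b"*"):
        raise ValueError("expected a RESP array")
    head, _, rest = data.partition(b"\r\n")
    items = []
    for _ in range(int(head[1:])):
        if not rest.startswith(b"$"):
            raise ValueError("expected a bulk string")
        lenline, _, rest = rest.partition(b"\r\n")
        length = int(lenline[1:])
        items.append(rest[:length])
        rest = rest[length + 2:]  # skip the payload and its trailing CRLF
    return items


def classify_eval(command: bytes) -> str:
    """Return 'not-eval', 'text' or 'bytecode' for one RESP-encoded command."""
    parts = parse_resp_array(command)
    if len(parts) < 2 or parts[0].upper() != b"EVAL":
        return "not-eval"
    return "bytecode" if is_lua_bytecode(parts[1]) else "text"


def resp_command(*args: bytes) -> bytes:
    """Encode arguments as a RESP multi-bulk command (helper for the samples)."""
    return b"*%d\r\n" % len(args) + b"".join(b"$%d\r\n%s\r\n" % (len(a), a) for a in args)


# Constructed samples: a normal source-text EVAL, an EVAL carrying a chunk
# with the Lua 5.1 bytecode header, and an unrelated command.
TEXT_EVAL = resp_command(b"EVAL", b"return redis.call('get', KEYS[1])", b"1", b"mykey")
BYTECODE_EVAL = resp_command(b"EVAL", b"\x1bLua\x51\x00\x01\x04\x04\x04\x08\x00", b"0")
PING = resp_command(b"PING")

if __name__ == "__main__":
    for name, cmd in (("text", TEXT_EVAL), ("bytecode", BYTECODE_EVAL), ("ping", PING)):
        print(name, "->", classify_eval(cmd))
```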

Comment 3 Herman Viaene 2015-06-17 09:53:52 CEST
MGA4-32 on AcerD6620 Xfce
No installation issues
Followed Redis quick start guide from redis.io/topics/quickstart, ping and set and get commands work OK

CC: (none) => herman.viaene
Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 4 Herman Viaene 2015-06-17 10:00:10 CEST
MGA4-64 on HP Probook 6555b KDE
No installation issues
Applied same tests as per Comment 3, all OK

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 5 Dave Hodgins 2015-06-18 20:01:26 CEST
Advisory added to svn. Can someone from the sysadmin team please push this update.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2015-06-19 15:33:46 CEST
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED
