Debian has issued an advisory on July 30: https://www.debian.org/security/2016/dsa-3634 Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Patched packages submitted for Mageia 5 and Cauldron.

Side note to Colin: please make sure to put the subrel right above %mkrel and not at the top of the SPEC file.

Advisory:
========================

Updated redis package fixes security vulnerability:

It was discovered that redis did not properly protect redis-cli history files; they were created by default with world-readable permissions (CVE-2013-7458).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7458
https://www.debian.org/security/2016/dsa-3634
========================

Updated packages in core/updates_testing:
========================

redis-2.8.13-4.2.mga5

from redis-2.8.13-4.2.mga5.src.rpm
Version: Cauldron => 5
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
Testing on x86_64

Before the update, tried out redis, which was already installed. There is an interactive tutorial online, and you can see the attached sample.txt for a flavour of the commands. The tutorial text can be fed to redis-cli like so:

$ redis-cli < tutorial

Once a session has been completed, the security vulnerability is demonstrated by

$ ls -l ~/.rediscli_history
-rw-r--r-- 1 lcl wireshark 108 Aug 26 00:08 .rediscli_history

showing that the history file is world readable.

Ran the update and removed the history file.

$ sudo systemctl restart redis.service

Ran the tutorial text through the command line interpreter again.

$ ls -l .rediscli_history
-rw------- 1 lcl wireshark 25 Aug 26 00:26 .rediscli_history

This can be flagged as OK for 64-bit.
CC: (none) => tarazed25
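As an added check (not part of the bug report, the redis package or the Mageia advisory), the script below reproduces the test above without going through a redis-cli session: it inspects the group/other permission bits of a history file the way the `ls -l` output is read in the report, flags a file that is exposed, and locks it down to owner-only. The default path `~/.rediscli_history` is the file shown in the report; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug tracker or from redis.
# Checks whether a redis-cli history file is readable by group/other
# (the CVE-2013-7458 condition) and fixes it. Default path is the file
# redis-cli writes, as shown in the test report.

# Print the group+other permission characters of a file, e.g. "r--r--".
# ls -ld is used instead of GNU stat so this runs on any POSIX sh.
perm_bits() {
    ls -ld "$1" | cut -c5-10
}

# Return 0 if group or other have any permission bit set (file exposed),
# 1 if the file is private to its owner, 2 if it does not exist.
history_exposed() {
    f=$1
    [ -e "$f" ] || return 2
    case "$(perm_bits "$f")" in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# Remediation for an existing file: owner read/write only, which matches
# the -rw------- mode the patched redis-cli produced in the report.
lock_down_history() {
    chmod 600 "$1"
}

# Create a history file that is private from the moment it exists. The
# restrictive umask is set in a subshell so it does not leak into the caller;
# creating with 077 avoids the window a create-then-chmod sequence leaves open.
create_private_history() {
    ( umask 077; : > "$1" )
}

main() {
    f=${1:-"$HOME/.rediscli_history"}
    # "&& rc=0 || rc=$?" captures the status without tripping set -e.
    history_exposed "$f" && rc=0 || rc=$?
    case $rc in
        0) echo "$f is exposed (group/other: $(perm_bits "$f")); fixing" >&2
           lock_down_history "$f" ;;
        1) echo "$f is already owner-only" >&2 ;;
        *) echo "$f does not exist" >&2 ;;
    esac
}

main "$@"
```

Run it as `sh check_rediscli_history.sh [path]`. A file created under the usual umask of 022, as the unpatched client did, shows up as `r--r--` and is rewritten to `------`; `create_private_history` is the pattern a client should use when it creates the file itself.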
Created attachment 8370: Session output for redis-cli
Whiteboard: (none) => MGA5-64-OK
Created attachment 8371: Raw commands for redis-cli - a small sample

Use

$ redis-cli < tutorial

to see outputs for individual commands.
The output from the tutorial session looks a bit different if redis-cli is run interactively as it is meant to be, line by line. The method suggested is just a lazy way to repeat things.
Validating this. Adding it to the pile for sysadmins to push. Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0295.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED