Bug 20270 - redis new security issue fixed upstream in 3.2.7 (CVE-2016-10517)
Summary: redis new security issue fixed upstream in 3.2.7 (CVE-2016-10517)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Joseph Wang
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/714127/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-12 16:22 CET by David Walser
Modified: 2017-10-25 17:27 CEST

See Also:
Source RPM: redis-3.0.7-7.mga6.src.rpm
CVE: 20270
Status comment:



Description David Walser 2017-02-12 16:22:38 CET
Upstream has issued an advisory on January 31:
https://www.reddit.com/r/redis/comments/5r8wxn/redis_327_is_out_important_security_fixes_inside/

Version 3.2.8 has been released today (February 12) fixing two critical bugs:
https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES

Fedora has issued an advisory for this on February 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AMRFP56SC5RYK56GYXUJ2NE6XJOBMBYL/

It looks like the Cauldron package should probably be updated to 3.2.8.

Comment 1 David Walser 2017-02-22 19:57:50 CET
Gentoo has issued an advisory on February 21:
https://security.gentoo.org/glsa/201702-16

It fixes an issue (CVE-2016-8339) that was fixed upstream in 3.2.4.

LWN reference:
https://lwn.net/Vulnerabilities/715169/

Comment 2 Nicolas Lécureuil 2017-04-25 09:55:27 CEST
pushed in cauldron

CC: (none) => mageia
CVE: (none) => 20270
Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 3 David Walser 2017-04-25 11:51:40 CEST
Upload rejected:
 - systemd-unit-in-etc /etc/systemd/system/redis.service.d/limit.conf
 - systemd-unit-in-etc /etc/systemd/system/redis-sentinel.service.d/limit.conf
 - systemd-unit-in-etc /etc/systemd/system/redis-sentinel.service.d
 - systemd-unit-in-etc /etc/systemd/system/redis.service.d
 - non-ghost-in-var-run /var/run/redis

Those files in /etc need to be moved to /usr/lib and it needs a tmpfiles snippet for the /var/run dir.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 4 Nicolas Lécureuil 2017-05-03 23:54:28 CEST
ok in cauldron now

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2017-10-25 17:27:18 CEST
This has been assigned CVE-2016-10517:
http://openwall.com/lists/oss-security/2017/10/25/1

Summary: redis new security issue fixed upstream in 3.2.7 => redis new security issue fixed upstream in 3.2.7 (CVE-2016-10517)

