oss-sec mailing list archives
Re: CVE Request: redis Lua sandbox escape and arbitrary code execution
From: cve-assign () mitre org
Date: Fri, 5 Jun 2015 07:12:00 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
redis 3.0.2 and 2.8.21 have been released
https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/ https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
is the essence of the request that the Redis upstream vendor believes that loading Lua bytecode was, by itself, inherently an implementation mistake in Redis, and is now fixed by the https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411 change?
Yes, that was the idea.
Use CVE-2015-4335. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVcYOgAAoJEKllVAevmvmsFBQIAKvwMAC/mxFC6McmnC7nNwc6 uyMWTis2RaG141VpwpoKfwfHlgq3tSZohchsU1phVwQgxgv6bd+9ZkufoxXl6rsu V6pGCcb24eb5WHyHdZGzlqU5nTNYkjlerYcdr/YdAiIL9rNj8m1/7E5IwBRHRbgb OJ1bnMsjwo4DOKKyhT8OouP4XuM9SgAUWQrCMF7VaaocHVJsV9gwleZTKqYUML+6 BXSEphTFao1gupJgS6yB0sHvle6N7Dl8Wn/PllmP6a8C0WQaC5304PHPfFjpOWwu w/XhbUg8ZMElJZQDKZtHR3uTs8VEst077zip+upGwutI96uUxnsHkR/7aqBpIqI= =yfeP -----END PGP SIGNATURE-----
Current thread:
- CVE Request: redis Lua sandbox escape and arbitrary code execution Alessandro Ghedini (Jun 04)
- Re: CVE Request: redis Lua sandbox escape and arbitrary code execution cve-assign (Jun 04)
- Re: CVE Request: redis Lua sandbox escape and arbitrary code execution Alessandro Ghedini (Jun 05)
- Re: CVE Request: redis Lua sandbox escape and arbitrary code execution cve-assign (Jun 05)
- Re: CVE Request: redis Lua sandbox escape and arbitrary code execution Alessandro Ghedini (Jun 05)
- Re: CVE Request: redis Lua sandbox escape and arbitrary code execution cve-assign (Jun 04)