Bug 934048 (CVE-2015-4335) - VUL-0: CVE-2015-4335: redis: Lua sandbox escape and arbitrary code execution
Summary: VUL-0: CVE-2015-4335: redis: Lua sandbox escape and arbitrary code execution
Status: RESOLVED FIXED
Alias: CVE-2015-4335
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.1
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/117349/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-09 07:57 UTC by Marcus Meissner
Modified: 2016-03-21 16:15 UTC
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2015-06-09 07:57:04 UTC
http://seclists.org/oss-sec/2015/q2/646

opensuse only

            redis 3.0.2 and 2.8.21 have been released


            https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ
            http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
            https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411


        is the essence of the request that
        the Redis upstream vendor believes that loading Lua bytecode was, by
        itself, inherently an implementation mistake in Redis, and is now
        fixed by the
        https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
        change?


    Yes, that was the idea.


Use CVE-2015-4335.
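A client- or proxy-side check for the condition discussed above, added here as an example (not code from Redis or the linked commit): it applies the source-only rule that the fixed releases enforce, and decodes the Lua 5.1 binary-chunk header so an auditor can tell what kind of chunk was submitted to EVAL or SCRIPT LOAD. It assumes the 12-byte header layout of Lua 5.1's lundump.c; the sample inputs are constructed.

```python
# Added example (not code from Redis or the linked fix): classify a Lua chunk
# before it is passed to EVAL / SCRIPT LOAD. Lua 5.1's loader (lua_load, used
# by luaL_loadbuffer) treats any chunk whose first byte is ESC (0x1B) as a
# binary chunk and hands it to the undumper instead of the source parser.
from dataclasses import dataclass
from typing import Optional
LUA_SIGNATURE = b"\x1bLua"   # LUA_SIGNATURE from lua.h
HEADER_SIZE = 12             # signature + 8 one-byte fields in Lua 5.1

@dataclass
class Lua51Header:
    version: int            # 0x51 for Lua 5.1
    fmt: int                # 0 = official format
    little_endian: bool
    int_size: int
    size_t_size: int
    instruction_size: int
    number_size: int
    integral_numbers: bool  # True when lua_Number is an integer type

def parse_lua51_header(chunk: bytes) -> Optional[Lua51Header]:
    """Decode the Lua 5.1 binary-chunk header; None if the signature is absent."""
    if not chunk.startswith(LUA_SIGNATURE):
        return None
    if len(chunk) < HEADER_SIZE:
        raise ValueError("truncated Lua bytecode header")
    f = chunk[len(LUA_SIGNATURE):HEADER_SIZE]
    return Lua51Header(f[0], f[1], f[2] == 1, f[3], f[4], f[5], f[6], f[7] == 1)

def is_source_chunk(script: bytes) -> bool:
    """The rule a source-only loader enforces: nothing that starts with ESC."""
    return not script.startswith(LUA_SIGNATURE[:1])

def classify_script(script: bytes) -> str:
    """Return 'source', 'bytecode:luaX.Y', or 'invalid-binary' (ESC, bad header)."""
    if is_source_chunk(script):
        return "source"
    try:
        hdr = parse_lua51_header(script)
    except ValueError:
        return "invalid-binary"
    if hdr is None or hdr.version != 0x51:
        return "invalid-binary"
    return "bytecode:lua%d.%d" % (hdr.version >> 4, hdr.version & 0xF)

# Constructed inputs: a normal script, and a header-only stand-in for a chunk
# compiled by luac on 64-bit little-endian Lua 5.1 (not a complete function).
SAMPLE_SOURCE = b"return redis.call('GET', KEYS[1])"
SAMPLE_BYTECODE = b"\x1bLua\x51\x00\x01\x04\x08\x04\x08\x00" + b"\x00" * 8
```

Anything other than "source" should never reach a Redis server; on a pre-fix server it would be loaded as bytecode.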
Comment 1 Swamp Workflow Management 2015-06-09 22:00:32 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2015-09-04 15:38:59 UTC
darix, do we need to fix it for 13.1 and 13.2?

can you perhaps set yourself as opensuse maintainer too?
Comment 3 Marcus Rückert 2015-09-24 16:31:03 UTC
submitted
Comment 4 Bernhard Wiedemann 2015-09-24 17:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (934048) was mentioned in
https://build.opensuse.org/request/show/333495 13.2+13.1 / redis
Comment 5 Swamp Workflow Management 2015-10-06 07:11:30 UTC
openSUSE-SU-2015:1687-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 934048
CVE References: CVE-2015-4335
Sources used:
openSUSE 13.2 (src):    redis-2.8.22-2.6.1, sssd-1.12.2-3.11.1
openSUSE 13.1 (src):    redis-2.8.22-3.6.1
Comment 6 Victor Pereira 2016-03-21 16:15:33 UTC
fixed and released.