Your message dated Thu, 28 Jul 2016 12:48:47 +0000
with message-id <e1bskk3-0007jw...@franck.debian.org>
and subject line Bug#832460: fixed in redis 2:3.2.1-4
has caused the Debian Bug report #832460,
regarding World readable .rediscli_history
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
832460: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: redis-tools
Version: 2.8.17-1+deb8u3
Severity: grave
Tags: security

redis-cli stores its history in ~/.rediscli_history; this file is
created with permissions 0644. Home folders are world readable as well
in Debian, so any user can access other users' redis history, including
AUTH commands, which include credentials.

I've contacted upstream on 2016-05-30 without any reaction at all and
discovered this bug was first reported 3 years ago, still unfixed.
@RedisLabs keeps referring to their paid support on twitter.

Demo: `cat /home/*/.rediscli_history`

--- End Message ---
--- Begin Message ---
Source: redis
Source-Version: 2:3.2.1-4

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Thu, 28 Jul 2016 08:35:50 -0400
Source: redis
Binary: redis-server redis-tools redis-sentinel
Architecture: source
Version: 2:3.2.1-4
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <la...@debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
 redis-sentinel - Persistent key-value database with network interface (monitoring)
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 832460
Changes:
 redis (2:3.2.1-4) unstable; urgency=high
 .
   * Avoid race condition by setting and resetting umask(2) when
     writing to ~/.rediscli_history. (Closes: #832460)
   * Skip replication tests with timing issues.


--- End Message ---
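The changelog entry above ("Avoid race condition by setting and resetting umask(2) when writing to ~/.rediscli_history") names the fix without showing it. The following is an added example, not code from the Debian package or from redis itself: the create-then-chmod pattern that leaves a readable window, beside the umask approach that does not, plus a small audit helper. File paths and the history line are constructed for the demo.

```c
/* Added example, not from the Debian changelog or the redis source: the
 * create-then-chmod pattern beside the umask(2) fix, plus a permission check.
 * File paths and the history line are constructed for the demo. */
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Permission bits of `path` (st_mode & 0777), or -1 on error. */
int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}
/* Racy pattern: create with the umask-derived mode (0644 under the usual 022
 * mask), chmod afterwards. Until chmod runs the file is readable by every
 * local user, which is the race the changelog avoids. Returns the mode
 * observed inside that window. */
int write_history_racy(const char *path, const char *content)
{
    mode_t saved = umask(022);             /* simulate a typical shell umask */
    unlink(path);                          /* start fresh so creation mode shows */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    umask(saved);
    if (fd < 0) return -1;
    int mode_in_window = file_mode(path);  /* what a concurrent reader sees */
    if (write(fd, content, strlen(content)) < 0) { close(fd); return -1; }
    close(fd);
    chmod(path, 0600);                     /* too late to close the window */
    return mode_in_window;
}
/* The changelog's fix: tighten umask before open(2) and restore it after, so
 * the file is 0600 from the moment it exists. Returns the final mode. */
int write_history_safe(const char *path, const char *content)
{
    mode_t saved = umask(077);
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    umask(saved);
    if (fd < 0) return -1;
    if (write(fd, content, strlen(content)) < 0) { close(fd); return -1; }
    close(fd);
    return file_mode(path);
}
/* Audit helper: 1 if group or others can read `path`, 0 if private, -1 on error. */
int history_is_exposed(const char *path)
{
    int m = file_mode(path);
    return m < 0 ? -1 : ((m & 044) != 0);
}
```

The audit helper is the check an administrator would run over existing ~/.rediscli_history files after upgrading, since the fix only governs files written from then on.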
