Your message dated Sat, 06 Aug 2016 21:37:55 +0000
with message-id <e1bw9i3-0004hn...@franck.debian.org>
and subject line Bug#832460: fixed in redis 2:2.8.17-1+deb8u4
has caused the Debian Bug report #832460,
regarding redis: CVE-2013-7458: world-readable .rediscli_history file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
832460: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: redis-tools
Version: 2.8.17-1+deb8u3
Severity: grave
Tags: security
redis-cli stores its history in ~/.rediscli_history; this file is
created with permissions 0644. Home folders are world-readable as well
in Debian, so any user can access other users' redis history, including
AUTH commands, which include credentials.
I've contacted upstream on 2016-05-30 without any reaction at all and
discovered this bug was first reported 3 years ago, still unfixed.
@RedisLabs keeps referring to their paid support on twitter.
Demo: `cat /home/*/.rediscli_history`
--- End Message ---
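The defect above is a history file created with a permissive mode. The following is an added C example (neither the Debian patch nor redis-cli's own code) showing how a client can create that file owner-only, repair an existing 0644 file, and audit the result; the paths and the two history lines are constructed for the demo.

```c
/* Added example: create ~/.rediscli_history-style files 0600 and audit them.
 * Not the Debian patch or redis-cli code; the paths/lines are constructed. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write history lines to `path`, creating it 0600. O_CREAT's mode is masked
 * by umask, so it can only get stricter; fchmod repairs a pre-existing file
 * that kept an old permissive mode. O_NOFOLLOW refuses a symlinked path. */
int save_history_private(const char *path, const char **lines, size_t n) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) { close(fd); return -1; }
    FILE *fp = fdopen(fd, "w");
    if (!fp) { close(fd); return -1; }
    for (size_t i = 0; i < n; i++) fprintf(fp, "%s\n", lines[i]);
    return fclose(fp) == 0 ? 0 : -1;
}

/* Audit check: 1 if no group/other bits are set, 0 if others can read the
 * file (the CVE-2013-7458 condition), -1 if the file cannot be stat'ed. */
int history_is_private(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0 ? 1 : 0;
}

/* Demo: build a 0644 file like the bug describes, confirm the audit flags
 * it, rewrite it with the safe routine, confirm it is now private.
 * Returns 0 only when the before/after checks both hold. */
int demo_fix_history_file(void) {
    char dir[] = "/tmp/rediscli_example_XXXXXX";   /* constructed temp dir */
    if (!mkdtemp(dir)) return -1;
    char path[256];
    snprintf(path, sizeof path, "%s/.rediscli_history", dir);
    const char *lines[] = { "AUTH example-password", "INFO" }; /* sample */
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0) return -1;
    close(fd);
    chmod(path, 0644);              /* defeat a strict umask for the demo */
    int before = history_is_private(path);
    if (save_history_private(path, lines, 2) != 0) return -1;
    int after = history_is_private(path);
    unlink(path); rmdir(dir);
    return (before == 0 && after == 1) ? 0 : 1;
}
```

A one-off audit on a shared host is the same stat check run over each user's home directory, alerting on any history file with group or other bits set.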
--- Begin Message ---
Source: redis
Source-Version: 2:2.8.17-1+deb8u4
We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 832...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated redis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 28 Jul 2016 08:53:56 -0400
Source: redis
Binary: redis-server redis-tools
Architecture: source
Version: 2:2.8.17-1+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Chris Lamb <la...@debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
redis-server - Persistent key-value database with network interface
redis-tools - Persistent key-value database with network interface (client)
Closes: 832460
Changes:
redis (2:2.8.17-1+deb8u4) jessie-security; urgency=high
.
* Avoid world-readable ~/.rediscli_history files. Thanks to kpcyrd
<kpc...@rxv.cc>. (Closes: #832460)
Checksums-Sha1:
be29f3f9b97e40b28105be2f8db4fbaade5d2301 1910 redis_2.8.17-1+deb8u4.dsc
e3a49a3d92394e9fced7d9e092663d6b8fcd08a6 23404 redis_2.8.17-1+deb8u4.debian.tar.xz
Checksums-Sha256:
a0b253a02cc8a32ff1db46152d5d943eb03512a3e4ff066819716c44454a434f 1910 redis_2.8.17-1+deb8u4.dsc
01bcb8231f7d8a681b05dab20e13c5ae572b25c373057466993078a66191ae43 23404 redis_2.8.17-1+deb8u4.debian.tar.xz
Files:
d842da9bfe7093577de8394787eaf5f2 1910 database optional redis_2.8.17-1+deb8u4.dsc
9ff297757ad0a13cfd7c13915a3a623a 23404 database optional redis_2.8.17-1+deb8u4.debian.tar.xz
--- End Message ---