Redis Lua scripting: multiple security issues #5017

Closed
antirez opened this Issue Jun 13, 2018 · 9 comments

4 participants
@antirez
Owner

antirez commented Jun 13, 2018

The Apple Security Team, together with Alibaba and myself, identified several security issues in the Lua script engine. The full report is here:

http://antirez.com/news/119

Fixed releases are already available for Redis 3.2, 4.0 and 5.0.

@antirez antirez closed this Jun 13, 2018

@antirez antirez changed the title from Placeholder to Redis Lua scripting: multiple security issues Jun 13, 2018

@carlwgeorge

carlwgeorge commented Jun 13, 2018

Did you mean http://antirez.com/news/119? Also, are there any relevant CVE identifiers assigned for this?

@antirez

Owner

antirez commented Jun 13, 2018

Thanks @carlwgeorge, link fixed. No CVE; AFAIK CERT is going to notify Redis providers directly, which I already did, btw.

@lamby

Contributor

lamby commented Jun 14, 2018

notify directly Redis providers, which I already did btw.

Could I, as the @Debian maintainer, be added to such a list? Read about this first in my RSS reader :)

@antirez

Owner

antirez commented Jun 14, 2018

@lamby sure, adding you. Of course you'll not be able to patch in advance like the cloud providers, but I guess it will be possible to have the package released immediately after the announcement of the vulnerabilities. Thanks.

@antirez

Owner

antirez commented Jun 14, 2018

The following are the CVE-IDs:

CVE-2018-11218
CVE-2018-11219

@lamby

Contributor

lamby commented Jun 14, 2018

you'll not be able to patch in advance like the cloud providers

Nod. Would certainly not release early but am well-used to handling embargoed patches/vulnerabilities. :)

@carlwgeorge

carlwgeorge commented Jun 14, 2018

I package redis for the IUS repository. I would like to be added as well. Same as @lamby, any advance notice would be appreciated so that I can get the RPMs out as soon after the announcement as possible.

I would also suggest looping in @natoscott, who is the package maintainer for Fedora and EPEL. Hey @natoscott, by chance do you know if redis is part of any of the Red Hat layered products/repos?

@natoscott

natoscott commented Jun 14, 2018

@antirez @carlwgeorge @lamby yes I would certainly appreciate some notice, and yes Redis is part of multiple Red Hat products (I work for Red Hat, and am also well used to embargo procedures - please do consider notifying me as well, I'd really appreciate it - yesterday was a bit of a mad scramble).

@antirez

Owner

antirez commented Jun 14, 2018

@lamby @carlwgeorge @natoscott sure, please could you send me your email address at antirez/gmail?

uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Jun 19, 2018

osa
Upgrade from 4.0.9 to 4.0.10.
Update CONFLICTS.

<ChangeLog>

Redis 4.0.10 fixes a number of important issues:

* Important security issues related to the Lua scripting engine.
  Please check antirez/redis#5017
  for more information.

* A bug with SCAN, SSCAN, HSCAN and ZSCAN, that may not return all the elements.
  We also add a regression test that can trigger the issue often when present, and
  may in theory be able to find unrelated regressions.

* A PSYNC2 bug is fixed: Redis should not expire keys when saving RDB files
  because otherwise it is no longer possible to use such RDB file as a base
  for partial resynchronization. It no longer represents the right state.

* Compatibility of AOF with RDB preamble when the RDB checksum is disabled.

* Sentinel bug that in some cases prevented Sentinel from immediately detecting
  that the master was down. A delay was added to the detection.

* Other minor issues.

</ChangeLog>


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@472828 35697150-7ecd-e111-bb59-0022644237b5

Jehops pushed a commit to Jehops/freebsd-ports that referenced this issue Jun 20, 2018
swills pushed a commit to swills/freebsd-ports that referenced this issue Jun 20, 2018
mat813 pushed a commit to mat813/freebsd-ports that referenced this issue Jun 20, 2018
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Aug 2, 2018

adam
redis: updated to 4.0.10
@wodev wodev referenced this issue Aug 17, 2018

Merged

redis 4.0.11 #230

mamash pushed a commit to joyent/pkgsrc that referenced this issue Sep 12, 2018

adam Filip Hajny
redis: updated to 4.0.10