pkgsrc/databases/redis
fhajny e9104d1786 Update databases/redis to 3.2.4.
This is a Redis critical release in order to fix a security issue
which is documented clearly here:

6d9f8e2462

Thanks to Cory Duplantis of Cisco Talos for reporting the issue.

IMPACT:
The gist is that using CONFIG SET calls (or by manipulating
redis.conf) an attacker is able to compromise certain fields of
the "server" global structure, including the aof filename pointer,
that could be made pointing to something else. In turn the AOF
name is used in different contexts such as logging, rename(2) and
open(2) syscalls, leading to potential problems.

Please note that since having access to CONFIG SET also means to
be able to change the AOF filename (and many other things)
directly, this issue's actual real world impact is quite small, so I
would not panic: if you have CONFIG SET level of access, you can
do more and more easily.

AFFECTED VERSIONS:
- All Redis 3.2.x versions are affected.

OTHER CHANGES IN THIS RELEASE:
- TCP binding bug fixed when only certain addresses were available
  for a given port.
- A much better crash report that includes part of the Redis binary:
  this will allow to fix bugs even when we just have a crash log and
  no other help from the original poster of the issue.
- A fix for Redis Cluster redis-trib displaying of info after
  creating a new cluster.
2016-09-26 13:35:42 +00:00
files Remove the stability entity, it has no meaning outside of an official context. 2016-06-08 10:16:50 +00:00
patches Update databases/redis to 3.2.1. 2016-06-19 21:28:58 +00:00
DESCR
distinfo Update databases/redis to 3.2.4. 2016-09-26 13:35:42 +00:00
Makefile Update databases/redis to 3.2.4. 2016-09-26 13:35:42 +00:00
PLIST Update databases/redis to 3.2.3. 2016-08-09 09:11:53 +00:00