Your message dated Wed, 27 Jul 2016 04:23:15 +0000
with message-id <[email protected]>
and subject line Bug#832460: fixed in redis 2:3.2.1-3
has caused the Debian Bug report #832460,
regarding World readable .rediscli_history
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
832460: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: redis-tools
Version: 2.8.17-1+deb8u3
Severity: grave
Tags: security

redis-cli stores its history in ~/.rediscli_history; this file is
created with permissions 0644. Home folders are world readable as well
in Debian, so any user can access other users' redis history, including
AUTH commands, which include credentials.

I've contacted upstream on 2016-05-30 without any reaction at all and
discovered this bug was first reported 3 years ago, still unfixed.
@RedisLabs keeps referring to their paid support on twitter.

Demo: `cat /home/*/.rediscli_history`

--- End Message ---
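The report above boils down to two facts an administrator can check and fix on a running box: the history file is created 0644, and it may contain AUTH lines. The following audit script is an added example (not part of the bug report or of the redis package); it finds world-readable .rediscli_history files under a directory, counts the AUTH commands they hold, and tightens them to 0600. It runs against a constructed sample tree standing in for /home, so it can be executed offline; the function names and the sample users are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report or the redis package): audit and
# fix world-readable ~/.rediscli_history files. Runs against a constructed
# fake /home tree so it can be executed offline.
set -eu

# List every .rediscli_history under ROOT that is readable by "other"
# (the 0644 default the report describes). -perm -004 is POSIX find.
world_readable_histories() {
    find "$1" -type f -name .rediscli_history -perm -004
}

# Same listing, but as a plain number (tr strips BSD wc's padding).
count_world_readable() {
    world_readable_histories "$1" | wc -l | tr -d ' '
}

# Count AUTH commands stored in a history file: each one is a credential
# that any local user could read while the file is 0644.
count_auth_lines() {
    grep -ci '^auth ' "$1" || true
}

# Tighten a history file to owner read/write only. This is the mitigation
# an admin can apply immediately; the package fix makes redis-cli create
# the file with that mode in the first place.
harden_history() {
    chmod 0600 "$1"
}

# Constructed sample tree standing in for /home (users are made up).
make_sample_tree() {
    root=$(mktemp -d)
    for user in alice bob; do
        mkdir -p "$root/$user"
        chmod 0755 "$root/$user"   # Debian-style world-traversable home
    done
    printf 'AUTH s3cr3t-alice\nGET foo\n' > "$root/alice/.rediscli_history"
    chmod 0644 "$root/alice/.rediscli_history"    # the reported default
    printf 'auth s3cr3t-bob\n' > "$root/bob/.rediscli_history"
    chmod 0600 "$root/bob/.rediscli_history"      # already hardened
    printf '%s\n' "$root"
}

# Demonstration on the sample tree: report, then fix, then re-check.
demo_root=$(make_sample_tree)
for f in $(world_readable_histories "$demo_root"); do
    printf 'world-readable: %s (%s AUTH lines)\n' "$f" "$(count_auth_lines "$f")"
    harden_history "$f"
done
printf 'remaining world-readable: %s\n' "$(count_world_readable "$demo_root")"
rm -rf "$demo_root"
```

Point it at /home instead of the sample tree to audit a real system; because the file lives in each user's home, the check only matters where home directories are traversable by others, which is why the report stresses Debian's default home permissions.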
--- Begin Message ---
Source: redis
Source-Version: 2:3.2.1-3

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 26 Jul 2016 23:48:07 -0400
Source: redis
Binary: redis-server redis-tools redis-sentinel
Architecture: source
Version: 2:3.2.1-3
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Description:
 redis-sentinel - Persistent key-value database with network interface (monitoring)
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 832460
Changes:
 redis (2:3.2.1-3) unstable; urgency=medium
 .
   * Avoid world_readable ~/.rediscli_history files. Thanks to kpcyrd
     <[email protected]>. (Closes: #832460)
Checksums-Sha1:
 38ada8348e62d96562d72965558e3e3b8dac5f98 1971 redis_3.2.1-3.dsc
 5a25dcd04cf073f675667243e29e34f212ff6d45 33740 redis_3.2.1-3.debian.tar.xz
Checksums-Sha256:
 a7503fea638391cae9574d569d90aecfb6766830fb3b7381a297c4d9e88ea957 1971 redis_3.2.1-3.dsc
 70575b74f4b906963f148de86ac866937cebd17c6e651887d5a1cfacc294479b 33740 redis_3.2.1-3.debian.tar.xz
Files:
 d104a8a77e70246326b98415d7d21b32 1971 database optional redis_3.2.1-3.dsc
 50a2c63e5c33d39866d82e0dd4d6e490 33740 database optional redis_3.2.1-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---