Hi Salvatore,

On Wed, Nov 02, 2016 at 08:53:40PM +0100, Salvatore Bonaccorso wrote:
> Source: redis
> Version: 2:2.8.17-1
> Severity: important
> Tags: security
>
> Hi
>
> See
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1390588
> and
> https://bugzilla.redhat.com/show_bug.cgi?id=1374700
>
> This partially seems to hold as well for Debian, at least for the
> /var/lib/redis part for unstable. For jessie it looks e.g.
> /etc/redis/redis.conf and others would be world-readable as well.
I just checked wheezy:

* /etc/redis/redis.conf: while it is world readable it does not contain
  a password by default. It would be better to have sane permissions by
  default on that file but we don't leak anything until somebody sets a
  password.

* /var/lib/redis: the directory is world readable but files in it are not:

    rw-rw---- 1 redis redis 80100 Nov  3 08:56 /var/lib/redis/dump.rdb

  so they're protected by umask. Again I think it would be better to have
  tighter permissions but nothing is leaked by default (assuming this holds
  for all files created by redis in that dir).

So I decided to mark this no-dsa in wheezy. Please let me know if you guys
don't think that's appropriate.

Cheers,
 -- Guido
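An added audit script, not part of this bug thread or of the Debian redis package, that checks the two points discussed above on a constructed fixture: whether redis.conf is world-readable and already sets requirepass, and which files under the data directory are readable by "other". The fixture paths, the sample password and the file names are constructed for the example.

```shell
#!/bin/sh
# Added audit script, not part of the bug thread. It checks the two
# points raised above: whether redis.conf is world-readable and sets a
# password, and which files under the data directory are world-readable.
# Paths are arguments so the check can run against a constructed fixture.

# Prints LEAK (world-readable and sets requirepass), WEAK (world-readable,
# no password yet, the wheezy default) or OK.
check_conf() {
    conf="$1"
    # column 8 of "ls -ld" output is the read bit for "other"
    other_r=$(ls -ld "$conf" | cut -c8)
    if [ "$other_r" != "r" ]; then
        echo OK
    elif grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' "$conf"; then
        echo LEAK
    else
        echo WEAK
    fi
}

# Prints the names of regular files in the data dir readable by "other".
world_readable_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c8)" = "r" ] && basename "$f"
    done
    return 0
}

# Constructed fixture mimicking the layout discussed in the thread.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/redis" "$root/var/lib/redis"
    printf 'port 6379\nrequirepass hunter2\n' > "$root/etc/redis/redis.conf"
    chmod 644 "$root/etc/redis/redis.conf"    # world-readable, like jessie
    : > "$root/var/lib/redis/dump.rdb"
    chmod 660 "$root/var/lib/redis/dump.rdb"  # umask-protected, as on wheezy
    : > "$root/var/lib/redis/notes.txt"
    chmod 644 "$root/var/lib/redis/notes.txt" # a file that would be exposed
    echo "$root"
}

FIX=$(make_fixture)
echo "config: $(check_conf "$FIX/etc/redis/redis.conf")"
echo "world-readable data files: $(world_readable_files "$FIX/var/lib/redis")"
```

Run it against the real paths (/etc/redis/redis.conf and /var/lib/redis) to see whether a given host is in the WEAK or LEAK state before deciding whether tightening the modes is urgent.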