Hi Salvatore,
On Wed, Nov 02, 2016 at 08:53:40PM +0100, Salvatore Bonaccorso wrote:
> Source: redis
> Version: 2:2.8.17-1
> Severity: important
> Tags: security
> 
> Hi
> 
> See
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1390588
> and
> https://bugzilla.redhat.com/show_bug.cgi?id=1374700
> 
> This partially seems to hold as well for Debian, at least for the
> /var/lib/redis part for unstable. For jessie it looks e.g.
> /etc/redis/redis.conf and other would be world-readable as well.

I just checked wheezy:

* /etc/redis/redis.conf: while it is world readable it does not contain
  a password by default. It would be better to have sane permissions by
  default on that file but we don't leak anything until somebody sets a
  password.

* /var/lib/redis: the directory is world readable but files in it are not:

    rw-rw---- 1 redis redis 80100 Nov 3 08:56 /var/lib/redis/dump.rdb

  so they're protected by umask. Again I think it would be better to have
  tighter permissions but nothing is leaked by default (assuming this
  holds for all files created by redis in that dir).

So I decided to mark this no-dsa in wheezy. Please let me know if you
guys don't think that's appropriate.
Cheers,
 -- Guido
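
The two checks described in the message above, as an added example that is not part of the original thread or of the Debian package: it flags a world-readable redis.conf only as a leak once a password directive is set, and lists data files readable by "other". Function names and the fixture are this example's own; the fixture contents are constructed.

```shell
#!/bin/sh
# Added example (not from the thread); function names are this example's own.

# True if "other" has the read bit on PATH itself (file or directory).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# True if the config sets a password: an uncommented requirepass or masterauth.
conf_has_secret() {
    grep -Eq '^[[:space:]]*(requirepass|masterauth)[[:space:]]+[^[:space:]]' "$1"
}

# Print one verdict for a config file:
#   OK   - not world-readable
#   WEAK - world-readable, no password inside (nothing leaked yet)
#   LEAK - world-readable and a password is set
check_conf() {
    if [ ! -e "$1" ]; then echo MISSING
    elif ! world_readable "$1"; then echo OK
    elif conf_has_secret "$1"; then echo LEAK
    else echo WEAK
    fi
}

# List regular files under the data directory that "other" can read.
# Empty output means the files are protected even if the directory is open.
leaky_data_files() {
    find "$1" -type f -perm -004 2>/dev/null
}

# Constructed fixture mirroring the wheezy state described above:
# world-readable conf without a password, open directory, 0660 dump file.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/redis" "$d/var/lib/redis"
    printf '# requirepass foobared\nport 6379\n' > "$d/etc/redis/redis.conf"
    : > "$d/var/lib/redis/dump.rdb"
    chmod 644 "$d/etc/redis/redis.conf"
    chmod 755 "$d/var/lib/redis"
    chmod 660 "$d/var/lib/redis/dump.rdb"
    echo "$d"
}

# Audit real paths when given: sh audit.sh /etc/redis/redis.conf /var/lib/redis
if [ "$#" -ge 2 ]; then
    echo "conf: $(check_conf "$1")"
    leaky_data_files "$2" | sed 's/^/world-readable data file: /'
fi
```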
