Source: redis
Version: 5:7.0.13-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for redis.

CVE-2023-45145[0]:
| Redis is an in-memory database that persists on disk. On startup,
| Redis begins listening on a Unix socket before adjusting its
| permissions to the user-provided configuration. If a permissive
| umask(2) is used, this creates a race condition that enables, during
| a short period of time, another process to establish an otherwise
| unauthorized connection. This problem has existed since Redis
| 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2,
| 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to
| upgrade, it is possible to work around the problem by disabling Unix
| sockets, starting Redis with a restrictive umask, or storing the
| Unix socket file in a protected directory.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45145
    https://www.cve.org/CVERecord?id=CVE-2023-45145
[1] https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvx
[2] https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
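Added illustration of the race described in the CVE text above (example code written for this page; it is not part of the bug report and not code from redis or from the upstream fix commit). It creates an AF_UNIX listening socket twice: once in the order the advisory describes (bind, listen, then chmod), and once with the umask tightened before bind() and the chmod() done before listen(). The function returns the permission bits another local process could observe on the socket file at the first instant connect() can succeed. The function name, the socket file names and the "hardened" ordering are assumptions made for the example, not a description of what the redis patch does.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/*
 * Create a listening AF_UNIX socket at `path` whose intended final mode is
 * `perm` (think "unixsocketperm"), after setting the process umask to
 * `umask_in` to simulate whatever umask the daemon inherited.
 *
 * hardened == 0: the ordering the advisory describes. bind() creates the
 *   socket file with 0777 & ~umask, listen() makes it connectable, and only
 *   then is it chmod()ed to `perm`. Between listen() and chmod() any local
 *   user permitted by the umask can connect.
 * hardened == 1: tighten the umask to exactly `perm` before bind() so the
 *   file never exists with wider bits, chmod() to `perm` before listen()
 *   (a bound but not yet listening socket refuses connections), then
 *   restore the umask.
 *
 * Returns the permission bits visible on the socket file right after
 * listen() returns, or -1 on error. The socket is closed and unlinked
 * before returning so the function can be called repeatedly.
 */
int observed_mode_at_listen(const char *path, mode_t perm, mode_t umask_in, int hardened)
{
    struct sockaddr_un sa;
    struct stat st;
    int rc = -1;
    mode_t saved = umask(umask_in);      /* the inherited, possibly permissive, umask */

    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s < 0) { umask(saved); return -1; }

    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof sa.sun_path) { close(s); umask(saved); return -1; }
    strcpy(sa.sun_path, path);
    unlink(path);                         /* remove a stale file from a previous run */

    mode_t tightened = 0;
    if (hardened)
        tightened = umask(~perm & 0777);  /* socket file is born with at most `perm` */

    if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0) goto out;

    if (hardened) {
        umask(tightened);                 /* restore before anything else creates files */
        if (chmod(path, perm) < 0) goto out; /* final mode set while connect() is still refused */
    }

    if (listen(s, 8) < 0) goto out;

    /* This is the window: the socket is connectable from this point on. */
    if (stat(path, &st) < 0) goto out;
    rc = (int)(st.st_mode & 0777);

    if (!hardened)
        chmod(path, perm);                /* too late: the mode recorded above was already exposed */

out:
    close(s);
    unlink(path);
    umask(saved);
    return rc;
}

int main(void)
{
    /* umask 000 with an intended unixsocketperm of 700 (constructed inputs) */
    int v = observed_mode_at_listen("cve-2023-45145-vuln.sock", 0700, 0, 0);
    int h = observed_mode_at_listen("cve-2023-45145-fixed.sock", 0700, 0, 1);
    printf("vulnerable ordering exposes %03o, hardened ordering exposes %03o\n", v, h);
    return 0;
}
```

With umask 000 the first call reports 777 and the second 700; with the common 022 the first call still reports 755, which is enough for any local user to connect during the window. Two practical caveats: umask(2) is process-wide, so the tighten/restore dance has to happen before worker threads are started, and the "protected directory" workaround from the advisory works independently of all this because a 0700 parent directory denies path traversal to the socket whatever mode the socket file itself has.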