Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20150604215609.811EC42E102@smtpvbsrv1.mitre.org>
Date: Thu,  4 Jun 2015 17:56:09 -0400 (EDT)
From: cve-assign@...re.org
To: alessandro@...dini.me
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: redis Lua sandbox escape and arbitrary code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> redis 3.0.2 and 2.8.21 have been released

> https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ
> http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
> https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411

The Ben Murphy advisory has a long discussion of many software and
deployment issues. Do you have a specific viewpoint about what the CVE
ID should be for? In particular, is the essence of the request that
the Redis upstream vendor believes that loading Lua bytecode was, by
itself, inherently an implementation mistake in Redis, and is now
fixed by the
https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
change?

By way of background: we have previously tried to gather information
for assigning CVE IDs to the underlying bytecode security concerns in
Lua (see the http://openwall.com/lists/oss-security/2014/08/27/2
post), but this was unsuccessful. If the currently needed CVE ID should
be only about Redis, as mentioned in the above paragraph, then we will
not be revisiting those Lua issues now.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVcMkAAAoJEKllVAevmvmshgoH/0d6gd3qhLrK615YkgfLRCnU
bAuBrbBRf3aCO4qQWfdvdluSDb4pf8Uc2ECC9c1eHJfqRNIvkWgq+9MYWV0S1Jgz
O1WjYgJ5QbamqgECPUluj3yrZdefLwIVNxKRjfzIa5uZS/e4zbWyYcWPEuXsU6YD
7PiFDRx0S6k1OUpw1/051uV9p/Q06PZcPKtQq4qIH2gjcZO1MQn/C8T0y+tNVNKq
iUyG84esvBK04AjakUNppHSYTiBcW7dGEWhwd7cvdvXWnF+g3s/PBZNve3B5czIZ
klk0DqXHtTaYvSF4ERY2cjMKU3GBJWq4dQ2kkfXBDjm28oqG2Nit8APETMWpNHU=
=J2bY
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.