[v3.2] redis: Lua sandbox escape and arbitrary code execution (CVE-2015-4335)
redis 3.0.2 and 2.8.21 have been released with the following changelog entry:
Upgrade urgency: HIGH for Redis because of a security issue.
LOW for Sentinel.
- [FIX] Critical security issue fix by Ben Murphy: http://t.co/LpGTyZmfS7
The vulnerability is explained in more detail at:
The Lua interpreter allows the user to load insecure bytecode that can be used to bypass the redis Lua sandbox.
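As an added example (not code from the issue, from Alpine, or from the Redis project), a Python check a defender can run: it parses `redis_version` from `INFO server` output and compares it against the fixed releases named above, and it flags Lua scripts headed for EVAL that are precompiled chunks or call `loadstring`. The Lua 5.1 chunk signature and the regex are my own choices, and the rule that every branch released after 3.0 carries the fix is an assumption noted in the code.

```python
import re

# Lua 5.1 writes precompiled chunks with this 4-byte signature (LUA_SIGNATURE
# in lua.h); loadstring treats any string starting with it as binary rather
# than source, which is how bytecode reaches the Redis sandbox.
LUA_BYTECODE_SIGNATURE = b"\x1bLua"

# First fixed release on each branch, as stated in the issue.
FIXED_VERSIONS = {(2, 8): (2, 8, 21), (3, 0): (3, 0, 2)}


def parse_redis_version(info_text):
    """Extract redis_version from `INFO server` output as an int tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if this version carries the CVE-2015-4335 fix."""
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version >= FIXED_VERSIONS[branch]
    # Assumption: branches released after 3.0 include the fix; older
    # branches (2.6 and earlier) never received it.
    return branch > (3, 0)


def script_findings(script):
    """Reasons a Lua script (bytes) should be rejected or reviewed before EVAL."""
    findings = []
    if script.startswith(LUA_BYTECODE_SIGNATURE):
        findings.append("script body is a precompiled Lua chunk")
    if re.search(rb"\bload(string)?\s*\(", script):
        findings.append("script calls load/loadstring (can accept bytecode)")
    return findings


# Constructed sample inputs (not captured from a real server)
SAMPLE_INFO = "# Server\r\nredis_version:2.8.19\r\nredis_mode:standalone\r\n"
SAMPLE_SCRIPT = b"return redis.call('GET', KEYS[1])"
SAMPLE_BYTECODE = LUA_BYTECODE_SIGNATURE + b"\x51"  # signature + 5.1 version byte

if __name__ == "__main__":
    v = parse_redis_version(SAMPLE_INFO)
    print(v, "patched" if is_patched(v) else "UNPATCHED")
    print(script_findings(SAMPLE_SCRIPT), script_findings(SAMPLE_BYTECODE))
```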
The upstream patch fixing this is:
(from redmine: issue id 4286, created on 2015-06-10, closed on 2015-06-11)
- parent #4283 (closed)
- Revision 95eec318 by Natanael Copa on 2015-06-11T09:36:31Z:
main/redis: security upgrade to 3.0.2 (CVE-2015-4335) fixes #4286