EVAL Lua Sandbox Escape (CVE-2015-4335 / DSA-3279)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
redis (Ubuntu) | Fix Released | Medium | Unassigned |
Trusty | New | Medium | Unassigned |
Bug Description
This is a vulnerability that has been fixed upstream in v2.8.21 and v3.0.2, but Trusty is still shipping 2.8.4-2 with no mention of this bug being fixed in the changelog.
The vuln was announced at http://
Sorry if this isn't the right place to report this, I couldn't really find a better way to report it.
I doubt you really need this additional information considering there is a CVE and DSA released for this and it's already been fixed upstream, but just so I don't get auto-filtered...
$ lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
$ apt-cache policy redis-server
redis-server:
Installed: 2:2.8.4-2
Candidate: 2:2.8.4-2
Version table:
*** 2:2.8.4-2 0
500 http://
100 /var/lib/
what I expected to happen: run apt-get update && apt-get upgrade, no longer be vulnerable to a sandbox escape exploit
what happened instead: updated package is nowhere to be found.
CVE References
Changed in redis (Ubuntu): importance: Undecided → Medium
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures
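The triage the reporter did by hand (read the installed package version, strip the Debian epoch and revision, and compare the upstream part against the fixed releases 2.8.21 and 3.0.2 named in the report) can be scripted. The following is an added example, not code from this bug report, from Redis or from Ubuntu. It parses `apt-cache policy` output and `redis-cli INFO server` output (the `redis_version` field is the standard one in INFO), flags a version as affected when it is below 2.8.21 or is 3.0.0/3.0.1, and carries the reporter's caveat: a distro revision can backport a fix without changing the upstream version, so a version-only verdict is an upper bound and the package changelog has the final say. Both sample outputs are constructed here, not captured from a real host.

```python
import re

# Upstream fixed releases named in the bug report. Anything older on the
# 2.8 line, and 3.0.0/3.0.1 on the 3.0 line, still carries the EVAL Lua
# sandbox escape (CVE-2015-4335). Releases below 2.8 get no fix from either
# of these, so they are flagged for review rather than cleared (assumption:
# conservative, the report does not enumerate older lines).
FIXED_2_8 = (2, 8, 21)
FIXED_3_0 = (3, 0, 2)


def parse_debian_version(version):
    """Split '[epoch:]upstream[-revision]' (e.g. '2:2.8.4-2') into
    (epoch, upstream, revision). The epoch only orders package versions and
    says nothing about upstream; the revision is the distro's own counter."""
    version = version.strip()
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # native package: no Debian revision at all
        upstream, revision = version, ""
    if not upstream:
        raise ValueError("not a Debian version string: %r" % version)
    return epoch, upstream, revision


def upstream_tuple(upstream):
    """'2.8.4' -> (2, 8, 4). Only leading numeric dotted components count;
    a suffix such as '-rc1' or '+dfsg' ends the comparison key."""
    parts = []
    for piece in upstream.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError("no numeric version in %r" % upstream)
    return tuple(parts)


def is_vulnerable(upstream):
    """True when the upstream version predates the fix on its release line."""
    v = upstream_tuple(upstream)
    if v[:2] == (3, 0):
        return v < FIXED_3_0
    return v < FIXED_2_8


def installed_from_apt_policy(policy_output):
    """Return the 'Installed:' version from `apt-cache policy <pkg>` output,
    or None when the package is not installed ('(none)')."""
    for line in policy_output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "Installed":
            value = value.strip()
            return None if value == "(none)" else value
    return None


def version_from_redis_info(info_output):
    """Return redis_version from `redis-cli INFO server` output, or None."""
    for line in info_output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "redis_version":
            return value.strip()
    return None


def assess(package_version=None, running_version=None):
    """Combine what apt says is installed with what the running server
    reports. Returns a dict with the verdict and the reasons behind it."""
    if package_version is None and running_version is None:
        raise ValueError("need a package version, a running version, or both")
    findings = {}
    if package_version:
        _, upstream, revision = parse_debian_version(package_version)
        findings["package_upstream"] = upstream
        findings["package_revision"] = revision
        findings["package_vulnerable_by_version"] = is_vulnerable(upstream)
    if running_version:
        findings["running_upstream"] = running_version
        findings["running_vulnerable_by_version"] = is_vulnerable(running_version)
    findings["vulnerable"] = any(
        findings.get(k) for k in ("package_vulnerable_by_version",
                                  "running_vulnerable_by_version"))
    # The reporter's point: a distro revision can carry a backported fix
    # without bumping upstream, so "vulnerable" from the version string is
    # only an upper bound. The package changelog decides.
    findings["needs_changelog_check"] = bool(
        findings["vulnerable"] and findings.get("package_revision"))
    return findings


# Constructed samples in the shape of the two commands' output (not copied
# from any real host; the mirror URL is a placeholder).
APT_POLICY_SAMPLE = """\
redis-server:
  Installed: 2:2.8.4-2
  Candidate: 2:2.8.4-2
  Version table:
 *** 2:2.8.4-2 0
        500 http://mirror.example.invalid/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status
"""

REDIS_INFO_SAMPLE = """\
# Server
redis_version:2.8.4
redis_git_sha1:00000000
redis_mode:standalone
"""

if __name__ == "__main__":
    result = assess(installed_from_apt_policy(APT_POLICY_SAMPLE),
                    version_from_redis_info(REDIS_INFO_SAMPLE))
    for key, value in sorted(result.items()):
        print("%-32s %s" % (key, value))
```

Run it against live data with `assess(installed_from_apt_policy(subprocess.check_output(["apt-cache", "policy", "redis-server"], text=True)), version_from_redis_info(subprocess.check_output(["redis-cli", "INFO", "server"], text=True)))`. The two inputs are kept separate on purpose: after an upgrade the package can be fixed while the long-running server process still reports the old version until it is restarted, and the running version is the one that matters to an attacker with EVAL access.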