http://bugzilla.suse.com/show_bug.cgi?id=991250 Bug ID: 991250 Summary: VUL-0: CVE-2013-7458: redis: World readable .rediscli_history Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.1 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: astieger@suse.com QA Contact: qa-bugs@suse.de CC: kstreitova@suse.com, lars.vogdt@microfocus.com, michal.hrusecky@opensuse.org, mpluskal@suse.com, mrueckert@suse.com, mseben@gmail.com, nix@opensuse.org, pth@suse.com Found By: Security Response Team Blocker: --- http://seclists.org/oss-sec/2016/q3/189 https://bugs.debian.org/832460 redis-cli stores its history in ~/.rediscli_history, this file is created with permissions 0644. Home folders are world readable as well in debian, so any user can access other users' redis history, including AUTH commands, which include credentials. I've contacted upstream on 2016-05-30 without any reaction at all and discovered this bug was first reported 3 years ago, still unfixed. @RedisLabs keeps referring to their paid support on twitter. Demo: `cat /home/*/.rediscli_history` Upstream report: https://github.com/antirez/redis/issues/3284 https://github.com/antirez/redis/pull/3322 https://github.com/antirez/redis/pull/1418 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7458 http://seclists.org/oss-sec/2016/q3/189 http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7458.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460 -- You are receiving this mail because: You are on the CC list for the bug.