author: Divya Chellam <divya.chellam@windriver.com> 2025-01-31 12:50:57 +0000
committer: Armin Kuster <akuster808@gmail.com> 2025-02-09 07:55:09 -0800
commit: 19592ce1c4d9883645e5c4866a2a94cfcd332d03 (patch)
tree: ede4d1c39b9248dc5dff7f48a82473ffcc278168 /meta-python/recipes-devtools/python/python-numeric
parent: 6bd4846b0bb266618b02be650c6cdd4b2a4f6b7b (diff)
redis: fix CVE-2023-45145
Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory.

Reference: https://security-tracker.debian.org/tracker/CVE-2023-45145

Upstream-patch: https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools/python/python-numeric')
0 files changed, 0 insertions, 0 deletions
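
The commit message describes a window between listening on the Unix socket and adjusting its permissions, and names a restrictive umask as a workaround. The following C program is an added example, not code from the Redis patch or from this layer: it binds under a caller-chosen umask, applies the configured mode, and only then calls listen(). The helper name `unix_listener`, its parameters and the socket path are hypothetical, and the reported mode assumes Linux semantics for the mode of a socket file created by bind().

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Hypothetical helper. Returns a listening fd or -1. *mode_after_bind gets the
 * permission bits the socket file had right after bind(), before chmod(). */
int unix_listener(const char *path, mode_t bind_umask, mode_t perm,
                  mode_t *mode_after_bind)
{
    struct sockaddr_un sa;
    struct stat st;
    int fd, rc;
    mode_t old;

    if (strlen(path) >= sizeof(sa.sun_path)) return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) return -1;
    unlink(path);                        /* remove a stale socket file */

    old = umask(bind_umask);             /* limits the mode bind() creates */
    rc = bind(fd, (struct sockaddr *)&sa, sizeof(sa));
    umask(old);
    if (rc == -1 || stat(path, &st) == -1) goto fail;
    *mode_after_bind = st.st_mode & 0777;

    /* Apply the configured mode while the socket is not yet listening. */
    if (chmod(path, perm) == -1) goto fail;
    if (listen(fd, 16) == -1) goto fail;
    return fd;
fail:
    close(fd);
    unlink(path);
    return -1;
}

int main(void)
{
    mode_t m = 0;                        /* constructed sample path below */
    int fd = unix_listener("/tmp/added-example.sock", 0077, 0700, &m);
    if (fd == -1) { perror("unix_listener"); return 1; }
    printf("mode after bind: %04o\n", (unsigned)m);
    close(fd);
    unlink("/tmp/added-example.sock");
    return 0;
}
```

Comparing `mode_after_bind` for a umask of 0 and a umask of 0077 shows what the umask alone leaves exposed to group and other before any chmod() runs.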