Hi Guido,

On Thu, Nov 03, 2016 at 09:05:41AM +0100, Guido Günther wrote:
> Hi Salvatore,
> On Wed, Nov 02, 2016 at 08:53:40PM +0100, Salvatore Bonaccorso wrote:
> > Source: redis
> > Version: 2:2.8.17-1
> > Severity: important
> > Tags: security
> > 
> > Hi
> > 
> > See
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1390588
> > and
> > https://bugzilla.redhat.com/show_bug.cgi?id=1374700
> > 
> > This partially seems to hold as well for Debian, at least for the
> > /var/lib/redis part for unstable. For jessie it looks e.g.
> > /etc/redis/redis.conf and others would be world-readable as well.
> 
> I just checked wheezy
> 
> * /etc/redis/redis.conf: while it is world readable it does not contain
>   a password by default. It would be better to have sane permissions by
>   default on that file but we don't leak anything until somebody sets a
>   password.
> 
> * /var/lib/redis: the directory is world readable but files in it are not:
>     rw-rw---- 1 redis redis 80100 Nov 3 08:56 /var/lib/redis/dump.rdb so
>   they're protected by umask. Again I think it would be better to have
>   tighter permissions but nothing is leaked by default (assuming this
>   holds for all files created by redis in that dir).
> 
> So I decided to mark this no-dsa in wheezy. Please let me know if you
> guys don't think that's appropriate.

Thanks for the analysis! Agreed, and I think we will follow the same for
jessie as well.

Regards,
Salvatore
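The two checks Guido describes above (is redis.conf world-readable, and does it actually carry a requirepass; are the files under the data directory readable by others even though the directory is) as a small audit script. This is an added example, not part of the bug thread or the Debian package; it assumes GNU coreutils `stat -c` and the default paths /etc/redis/redis.conf and /var/lib/redis.

```shell
#!/bin/sh
# Report whether a Redis config file is world-readable and, if so, whether it
# contains an active "requirepass" line (the case where a world-readable
# redis.conf actually leaks a secret). Returns 0 if nothing sensitive is
# exposed, 1 if a password would leak, 2 if the file is missing.
redis_conf_exposure() {
  conf="$1"
  [ -f "$conf" ] || { echo "no such file: $conf"; return 2; }
  mode=$(stat -c '%a' "$conf")   # assumption: GNU stat, e.g. "644"
  other=$(( mode % 10 ))         # the "other" permission digit
  if [ $(( other & 4 )) -eq 0 ]; then
    echo "$conf: not world-readable (mode $mode)"
    return 0
  fi
  # Only an uncommented requirepass directive counts as a leaked password.
  if grep -Eq '^[[:space:]]*requirepass[[:space:]]+' "$conf"; then
    echo "$conf: WORLD-READABLE and sets requirepass (mode $mode): password leaks"
    return 1
  fi
  echo "$conf: world-readable but no requirepass set (mode $mode); tighten anyway"
  return 0
}

# Check every regular file in the data directory (dump.rdb, appendonly.aof, ...):
# the directory itself may be world-readable, but the files must not be.
# Returns 0 if no file is readable by others, 1 otherwise, 2 if the dir is missing.
redis_datadir_exposure() {
  dir="$1"
  [ -d "$dir" ] || { echo "no such dir: $dir"; return 2; }
  leaked=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    mode=$(stat -c '%a' "$f")
    if [ $(( (mode % 10) & 4 )) -ne 0 ]; then
      echo "$f: world-readable (mode $mode)"
      leaked=1
    fi
  done
  return $leaked
}
```

Run it as `redis_conf_exposure /etc/redis/redis.conf; redis_datadir_exposure /var/lib/redis` on a host; a non-zero exit from either is the condition the thread treats as an actual leak rather than merely loose defaults.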
