Hello community,

here is the log from the commit of package redis for openSUSE:Factory checked in at 2016-08-05 18:16:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/redis (Old) and /work/SRC/openSUSE:Factory/.redis.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "redis" Changes: -------- --- /work/SRC/openSUSE:Factory/redis/redis.changes 2016-07-05 09:51:33.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.redis.new/redis.changes 2016-08-05 18:16:19.000000000 +0200 @@ -1,0 +2,26 @@ +Sat Jul 30 12:30:02 UTC 2016 - jeng...@inai.de + +- Test for user/group existence before creating them. + Request shadow to be present for the scriptlet. + +------------------------------------------------------------------- +Sat Jul 30 10:06:22 UTC 2016 - astie...@suse.com + +- Fix CVE-2013-7458: unsafe permissions of command line history + boo#991250, adding CVE-2013-7458.patch + +------------------------------------------------------------------- +Sat Jul 30 09:59:59 UTC 2016 - astie...@suse.com + +- redis 3.2.2 +- Highlight bug fixes: + * Fix Redis server and Sentinel crashes + * Fix GEORADIUS errors in reported entries +- New features: + * slaves support the slave-announce-ip and slave-announce-port + options. + * RDB check utlity is now part of Redis and uses the same RDB code + * redis-check-dump utility is now able to show certain information + about the RDB file including creating version and date. + +------------------------------------------------------------------- Old: ---- redis-3.2.1.tar.gz New: ---- CVE-2013-7458.patch redis-3.2.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ redis.spec ++++++ --- /var/tmp/diff_new_pack.I0HEXt/_old 2016-08-05 18:16:21.000000000 +0200 +++ /var/tmp/diff_new_pack.I0HEXt/_new 2016-08-05 18:16:21.000000000 +0200 @@ -25,7 +25,7 @@ %bcond_with systemd %endif Name: redis -Version: 3.2.1 +Version: 3.2.2 Release: 0 Summary: Persistent key-value database License: BSD-3-Clause 
@@ -42,9 +42,11 @@ # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch1: %{name}-conf.patch Patch2: redis-enable-bactrace-on-x86-and-ia64-only.patch +Patch3: CVE-2013-7458.patch BuildRequires: pkgconfig BuildRequires: procps BuildRequires: tcl +Requires(pre): shadow Requires: logrotate Requires: sudo BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -69,6 +71,7 @@ %patch0 %patch1 %patch2 +%patch3 -p1 %build make %{?_smp_mflags} CFLAGS="%{optflags}" V=1 @@ -126,8 +129,10 @@ %endif %pre -%{_sbindir}/groupadd -r %{name} >/dev/null 2>&1 || : -%{_sbindir}/useradd -g %{name} -s /bin/false -r -c "User for Redis key-value store" -d %{_data_dir} %{name} >/dev/null 2>&1 || : +getent group %{name} >/dev/null || %{_sbindir}/groupadd -r %{name} || : +getent passwd %{name} >/dev/null || \ + %{_sbindir}/useradd -g %{name} -s /bin/false -r \ + -c "User for Redis key-value store" -d %{_data_dir} %{name} || : %if %{with systemd} %service_add_pre %{name}.target %endif ++++++ CVE-2013-7458.patch ++++++ >From 71536684a788dc859e42132a2c5a2b7373414375 Mon Sep 17 00:00:00 2001 From: antirez <anti...@gmail.com> Date: Fri, 29 Jul 2016 11:28:16 +0200 Subject: [PATCH] Update linenoise to fix insecure redis-cli history file creation. The problem was fixed in antirez/linenoise repository applying a patch contributed by @lamby. Here the new version is updated in the Redis source tree. Close #1418 Close #3322 --- deps/linenoise/linenoise.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/deps/linenoise/linenoise.c b/deps/linenoise/linenoise.c index a807d9b..fce14a7 100644 --- a/deps/linenoise/linenoise.c +++ b/deps/linenoise/linenoise.c @@ -111,6 +111,7 @@ #include <string.h> #include <stdlib.h> #include <ctype.h> +#include <sys/stat.h> #include <sys/types.h> #include <sys/ioctl.h> #include <unistd.h> 
@@ -1160,10 +1161,14 @@ int linenoiseHistorySetMaxLen(int len) { /* Save the history in the specified file. On success 0 is returned * otherwise -1 is returned. */ int linenoiseHistorySave(const char *filename) { - FILE *fp = fopen(filename,"w"); + mode_t old_umask = umask(S_IXUSR|S_IRWXG|S_IRWXO); + FILE *fp; int j; + fp = fopen(filename,"w"); + umask(old_umask); if (fp == NULL) return -1; + chmod(filename,S_IRUSR|S_IWUSR); for (j = 0; j < history_len; j++) fprintf(fp,"%s\n",history[j]); fclose(fp); -- 2.6.6 ++++++ redis-3.2.1.tar.gz -> redis-3.2.2.tar.gz ++++++ ++++ 2676 lines of diff (skipped)
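Review bot: in the redis.changes hunk, the 3.2.2 entry misspells "utility" as "utlity" in the "RDB check utlity is now part of Redis" bullet; fix the spelling before the entry is accepted, since the changelog text is what users see in the package history.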
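Review bot: in the redis.spec hunk at @@ -42,9 +42,11 @@, the new `Patch3: CVE-2013-7458.patch` line sits under the existing "# PATCH-MISSING-TAG" comment and carries no tag of its own. Since the changelog already names the bug (boo#991250) and the patch is an upstream commit, add a comment line above Patch3 in the form the linked Packaging_Patches_guidelines page asks for, for example "# PATCH-FIX-UPSTREAM CVE-2013-7458.patch boo#991250", so the security fix stays traceable when the patch list is next cleaned up.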
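Review bot: in the %pre hunk of redis.spec, the trailing `|| :` on both the groupadd and the useradd branch still discards a genuine failure, so the scriptlet can finish without a redis user or group and the install carries on regardless. Now that `getent` handles the "already exists" case, which was the usual reason for swallowing the exit status, consider dropping `|| :` from these two lines or at least documenting why a failed account creation is acceptable here. Removing the `>/dev/null 2>&1` redirection from groupadd and useradd is a good change, because real errors now reach the install log.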
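Review bot: in linenoiseHistorySave(), `chmod(filename,S_IRUSR|S_IWUSR);` resolves the path a second time after fopen() and its return value is ignored. Using `fchmod(fileno(fp),S_IRUSR|S_IWUSR)` would apply the mode to the file that was actually opened rather than to whatever the name refers to at that moment, and a failure should close fp and return -1 so that history is never written to a file whose permissions could not be tightened. This matters most for a history file that already exists with a wider mode, where the umask() call has no effect and the mode change is the only protection. The umask()/umask(old_umask) pair also changes process-wide state, which deserves a comment for callers that use linenoise from a multithreaded program.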