Bug 7175 - [Anolis OS 23] Bugfix for CVE-2023-45145
Summary: [Anolis OS 23] Bugfix for CVE-2023-45145
Status: RESOLVED FIXED
Alias: None
Product: Anolis OS 23
Classification: Anolis OS
Component: BaseOS Packages (show other bugs) BaseOS Packages
Version: unspecified
Hardware: All Linux
: P4-Low S4-trivial
Target Milestone: ---
Assignee: happy_orange
QA Contact: bolong_tbl
URL:
Whiteboard:
Keywords: CVE
Depends on:
Blocks:
 
Reported: 2023-11-07 19:09 UTC by 小龙
Modified: 2023-11-07 19:09 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description 小龙 admin 2023-11-07 19:09:00 UTC 
Description:
Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory.

Broken commit info:

Bugfix commit info:
https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1" target="_blank" rel="noopener noreferrer
https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1
https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc