diff options
author | antirez <antirez@gmail.com> | 2016-09-26 09:18:59 +0200 |
---|---|---|
committer | antirez <antirez@gmail.com> | 2016-09-26 09:18:59 +0200 |
commit | 381651fac05728f742631ee9eac03c8a8855733b (patch) | |
tree | f3d43f023a01d3782739f16e818aba9c97e3ef0d | |
parent | 070d04717909e25254334f55760e972c6f8d02e3 (diff) | |
download | redis-381651fac05728f742631ee9eac03c8a8855733b.tar.gz |
3.2.4 release notes clarifications.
-rw-r--r-- | 00-RELEASENOTES | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/00-RELEASENOTES b/00-RELEASENOTES index a8723e50b..f9e8a33c2 100644 --- a/00-RELEASENOTES +++ b/00-RELEASENOTES @@ -26,14 +26,25 @@ which is documented clearly here: Thanks to Cory Duplantis of Cisco Talos for reporting the issue. +IMPACT: + The gist is that using CONFIG SET calls (or by manipulating redis.conf) an attacker is able to compromise certain fields of the "server" global structure, including the aof filename pointer, that could be made pointing to something else. In turn the AOF name is used in different contexts such as logging, rename(2) and open(2) syscalls, leading to potential problems. +Please note that since having access to CONFIG SET also means to be able +to change the AOF filename (and many other things) directly, this issue +actual real world impact is quite small, so I would not panik: if you +have CONFIG SET level of access, you can do more and more easily. + +AFFECTED VERSIONS: + All Redis 3.2.x versions are affected. +OTHER CHANGES IN THIS RELEASE: + This release also includes other things: * TCP binding bug fixed when only certain addresses were available for |