author    antirez <antirez@gmail.com>  2016-09-26 09:18:59 +0200
committer antirez <antirez@gmail.com>  2016-09-26 09:18:59 +0200
commit    381651fac05728f742631ee9eac03c8a8855733b (patch)
tree      f3d43f023a01d3782739f16e818aba9c97e3ef0d
parent    070d04717909e25254334f55760e972c6f8d02e3 (diff)
download  redis-381651fac05728f742631ee9eac03c8a8855733b.tar.gz
3.2.4 release notes clarifications.
-rw-r--r--  00-RELEASENOTES  11
1 file changed, 11 insertions, 0 deletions
diff --git a/00-RELEASENOTES b/00-RELEASENOTES
index a8723e50b..f9e8a33c2 100644
--- a/00-RELEASENOTES
+++ b/00-RELEASENOTES
@@ -26,14 +26,25 @@ which is documented clearly here:
Thanks to Cory Duplantis of Cisco Talos for reporting the issue.
+IMPACT:
+
The gist is that using CONFIG SET calls (or by manipulating redis.conf)
an attacker is able to compromise certain fields of the "server" global
structure, including the aof filename pointer, that could be made pointing
to something else. In turn the AOF name is used in different contexts such
as logging, rename(2) and open(2) syscalls, leading to potential problems.
+Please note that since having access to CONFIG SET also means to be able
+to change the AOF filename (and many other things) directly, this issue
+actual real world impact is quite small, so I would not panik: if you
+have CONFIG SET level of access, you can do more and more easily.
+
+AFFECTED VERSIONS:
+
All Redis 3.2.x versions are affected.
+OTHER CHANGES IN THIS RELEASE:
+
This release also includes other things:
* TCP binding bug fixed when only certain addresses were available for
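Review bot: the added "Please note ..." paragraph has a typo and a grammar slip that will ship in the release notes: "panik" should be "panic", and "this issue actual real world impact is quite small" should read "this issue's actual real-world impact is quite small". While touching it, the new "OTHER CHANGES IN THIS RELEASE:" header makes the following "This release also includes other things:" line redundant; consider dropping that line so the header leads straight into the bullet list, matching how the new "IMPACT:" and "AFFECTED VERSIONS:" headers are followed directly by their content.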