Matthew Hall reported that Redis, an advanced key-value store similar to memcached, insecurely created a temporary file. A local attacker could use this flaw to perform a symbolic link attack and possibly overwrite or delete an arbitrary file.

References:
https://github.com/antirez/redis/issues/1560
The CVE will probably be posted to https://github.com/antirez/redis/issues/1560 once assigned.
Created redis tracking bugs for this issue:
Affects: fedora-all [bug 1069035]
Affects: epel-all [bug 1069036]
(In reply to Murray McAllister from comment #1)
> The CVE will probably be posted to
> https://github.com/antirez/redis/issues/1560 once assigned

CVE request: http://seclists.org/oss-sec/2014/q1/423
Seems like this may be expected behavior: http://seclists.org/oss-sec/2014/q1/425
@Murray: could we close this ticket or should we fix that issue no matter what?
Hello,

The issue was rated Low so it is not urgent to fix. If you are able to fix it in just rawhide, then the ticket could be closed. However, if you cannot get a fix from upstream or are having problems there, the bug could be closed WONTFIX.
Thanks, I'll do as you suggest.