The Apple Security Team, together with Alibaba and myself, identified several security issues in the Lua script engine. The full report is here:

http://antirez.com/news/119

Fixed releases are already available for Redis 3.2, 4.0 and 5.0.

Comment From: carlwgeorge

Did you mean http://antirez.com/news/119? Also, are there any relevant CVE identifiers assigned for this?

Comment From: antirez

Thanks @carlwgeorge, link fixed. No CVE, AFAIK CERT is going to notify Redis providers directly, which I already did btw.

Comment From: lamby

notify directly Redis providers, which I already did btw.

Could I, as the @Debian maintainer, be added to such a list? Read about this first in my RSS reader :)

Comment From: antirez

@lamby sure, adding you. Of course you'll not be able to patch in advance like the cloud providers, but I guess it will be possible to have the package released immediately after the announcement of the vulnerabilities. Thanks.

Comment From: antirez

The following are the CVE-IDs:

CVE-2018-11218 CVE-2018-11219

Comment From: lamby

you'll not be able to patch in advance like the cloud providers

Nod. Would certainly not release early but am well-used to handling embargoed patches/vulnerabilities. :)

Comment From: carlwgeorge

I package redis for the IUS repository. I would like to be added as well. Same as @lamby, any advance notice would be appreciated so that I can get the RPMs out as soon after the announcement as possible.

I would also suggest looping in @natoscott, who is the package maintainer for Fedora and EPEL. Hey @natoscott, by chance do you know if redis is part of any of the Red Hat layered products/repos?

Comment From: natoscott

@antirez @carlwgeorge @lamby yes I would certainly appreciate some notice, and yes Redis is part of multiple Red Hat products (I work for Red Hat, and am also well used to embargo procedures - please do consider notifying me as well, I'd really appreciate it - yesterday was a bit of a mad scramble).

Comment From: antirez

@lamby @carlwgeorge @natoscott sure, please could you send me your email address at antirez/gmail?

Comment From: xiaoaoqiankun

The following are the CVE-IDs:

CVE-2018-11218 CVE-2018-11219

Could you please send me the patch for this vulnerability? Thanks.