6 comments

[ 3.1 ms ] story [ 23.5 ms ] thread
Note that this requires an authenticated user, so most redis installations are not directly at risk.

The github issue has these workarounds: > An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

I guess most people doesn't use the lua engine, so this is probably a good advice to disable even if upgrading to a non-vuln version of Redis.

This was here already earlier today:

https://news.ycombinator.com/item?id=45497027

Also: "As part of an ongoing effort by Redis and the Redis community to maintain Redis’ safety, security, and compliance posture, a security vulnerability in Redis has been identified and remediated in the versions indicated below." seems to be a bit strange given that this wasn't an effort led by Redis?

And this is why we need memory safety languages.