Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#33621 - [redis] Redis is exposed to the world by default
Attached to Project: Community Packages
Opened by John Lockman (ultramancool) - Tuesday, 29 January 2013, 01:12 GMT
Last edited by Sergej Pupykin (sergej) - Tuesday, 29 January 2013, 12:55 GMT
Details

Description:
Redis is bound to 0.0.0.0:6379 by default. Leaving this exposed to the internet can present a huge security vulnerability and allow external users to manipulate data in redis. It should only be bound to localhost by default, or a notice should at least be presented upon installation warning the user about this.

Additional info:
* package version: community/redis 2.6.8-1 on x86_64

Steps to reproduce:
1) Install redis
2) nmap -p6379 your public interface
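
An added example, not part of the original report or of the Arch package: a shell check that classifies a redis.conf by its `bind` directive, treating a missing `bind` line as listening on all interfaces, which is the default the report describes. The function name `redis_bind_check` and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the report): audit a redis.conf for network exposure.
# Assumption: a Redis without protected mode, as in the 2.6 series named in
# the report, so "no bind directive" means "listen on every interface".
# Conservative: a non-loopback address on ANY bind line is reported.

# redis_bind_check FILE -> prints a verdict; returns 0 = loopback only, 1 = exposed
redis_bind_check() {
    awk '
        /^[ \t]*#/ { next }                 # commented-out directives do not count
        tolower($1) == "bind" {             # directive names are case-insensitive
            seen = 1
            for (i = 2; i <= NF; i++) {
                a = $i
                sub(/^-/, "", a)            # newer configs allow a "-" prefix
                if (a !~ /^127\./ && a != "::1")
                    bad = bad " " a
            }
        }
        END {
            if (!seen) {
                print "EXPOSED: no bind directive, listens on all interfaces"
                exit 1
            }
            if (bad != "") {
                print "EXPOSED: bind includes" bad
                exit 1
            }
            print "OK: loopback only"
        }
    ' "$1"
}

# Constructed sample configs: shipped-style default, corrected, and mixed.
demo=$(mktemp -d)
printf '%s\n' 'port 6379' '# bind 127.0.0.1'          > "$demo/default.conf"
printf '%s\n' 'port 6379' 'bind 127.0.0.1'            > "$demo/local.conf"
printf '%s\n' 'port 6379' 'Bind 127.0.0.1 192.0.2.10' > "$demo/mixed.conf"

for f in "$demo"/*.conf; do
    printf '%s: ' "${f##*/}"
    redis_bind_check "$f" || true
done
```

A configuration file only states intent; the listening socket itself can be confirmed on the host with `ss -ltn` after restarting the service.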