Also: "As part of an ongoing effort by Redis and the Redis community to maintain Redis’ safety, security, and compliance posture, a security vulnerability in Redis has been identified and remediated in the versions indicated below." seems to be a bit strange given that this wasn't an effort led by Redis?
Note that this requires an authenticated user, so most redis installations are not directly at risk.
The github issue has these workarounds:
> An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
I guess most people doesn't use the lua engine, so this is probably a good advice to disable even if upgrading to a non-vuln version of Redis.
I’d imagine recent uptick in using services like Upstash may make it harder for people to know if they are vulnerable or not. Is this mitigated by disabling Lua script execution?
it used to possible to execute redis commands against localhost from the web browser using domain rebinding. but i think redis did something to the protocol to fix this. also, this is only really relevant for developers.
https://news.ycombinator.com/item?id=45497027
Also: "As part of an ongoing effort by Redis and the Redis community to maintain Redis’ safety, security, and compliance posture, a security vulnerability in Redis has been identified and remediated in the versions indicated below." seems to be a bit strange given that this wasn't an effort led by Redis?