CVE Request: redis: World readable .rediscli_history

[Salvatore Bonaccorso <carnil () debian org>]

Hi

> From the Debian bug report at https://bugs.debian.org/832460:
> redis-cli stores its history in ~/.rediscli_history, this file is
> created with permissions 0644. Home folders are world readable as well
> in debian, so any user can access other users redis history, including
> AUTH commands, which include credentials.
>
> I've contacted upstream on 2016-05-30 without any reaction at all and
> discovered this bug was first reported 3 years ago, still unfixed.
> @RedisLabs keeps referring to their paid support on twitter.
>
> Demo: `cat /home/*/.rediscli_history`

Upstream report: https://github.com/antirez/redis/issues/3284

Could you please assign a CVE for this issue in redis?

Regards,
Salvatore