Debian Security Advisory

DLA-1161-1 redis -- LTS security update

Date Reported:
05 Nov 2017
Affected Packages:
redis
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2016-1051.
More information:

It was discovered that the Redis key-value database was vulnerable to a cross-protocol scripting attack, in which a client speaking another protocol (such as HTTP) is made to send data to the Redis TCP port that Redis then parses as commands.

The command strings "POST" and "Host:" (which are not valid in the Redis protocol, but are the first tokens of an HTTP request line and of a common HTTP header) were not immediately rejected when an attacker makes an HTTP request to the Redis TCP port. A fixed server rejects the connection as soon as it sees either string, so the remainder of the request is never interpreted as Redis commands.
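The following is an added example, not code from Redis or from the advisory: a small simulator of how a server reading the Redis inline protocol (one whitespace-separated command per line) handles the raw bytes of an HTTP POST, with a switch for the hardened behaviour that drops the connection when the command name is "POST" or "Host:". The sample request, the toy command table and the function name handle_inline_stream are all constructed for this illustration and are not part of the original page.

```python
# Added example (not Redis's own code): toy model of a Redis connection handler
# reading the inline protocol, before and after the cross-protocol fix.
from typing import Dict, List

# Constructed sample: roughly what an HTTP client would send if pointed at a
# Redis port. The body line happens to be a valid Redis command.
CONSTRUCTED_HTTP_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 127.0.0.1:6379\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n"
    b"SET injected 1\r\n"
)

# Command names the fixed server refuses, as named in the advisory.
HTTP_MARKERS = (b"POST", b"Host:")

# Minimal stand-in for the real command table (assumption for the example).
KNOWN_COMMANDS = {b"SET", b"GET", b"PING"}


def handle_inline_stream(data: bytes, reject_http: bool) -> Dict[str, object]:
    """Feed raw bytes to the toy connection handler.

    Returns a dict with:
      executed: argv lists that reached the command dispatcher
      replies:  one reply per processed line (error replies included)
      closed:   True if the server dropped the connection
    """
    executed: List[List[bytes]] = []
    replies: List[bytes] = []
    for raw in data.split(b"\r\n"):
        if not raw.strip():
            continue  # blank line: ignored by the inline protocol
        # Real Redis also handles quoting here; plain whitespace split suffices.
        argv = raw.split()
        name = argv[0]
        if reject_http and name in HTTP_MARKERS:
            # Hardened behaviour: an HTTP request line or Host header means the
            # peer is not a Redis client; close at once so the body is never
            # parsed as commands.
            replies.append(b"(connection closed: possible cross-protocol attack)")
            return {"executed": executed, "replies": replies, "closed": True}
        if name.upper() in KNOWN_COMMANDS:
            executed.append(argv)
            replies.append(b"+OK")
        else:
            # Unpatched behaviour: unknown command is only an error reply, the
            # connection stays open and later lines are still parsed.
            replies.append(b"-ERR unknown command '" + name + b"'")
    return {"executed": executed, "replies": replies, "closed": False}


if __name__ == "__main__":
    for fixed in (False, True):
        result = handle_inline_stream(CONSTRUCTED_HTTP_POST, reject_http=fixed)
        print("reject_http=%s closed=%s executed=%s"
              % (fixed, result["closed"], result["executed"]))
```

Run unpatched, the request line and headers each draw only an "unknown command" error, and the body line "SET injected 1" is executed; with the rejection enabled, the connection is closed on the very first line and nothing reaches the dispatcher.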

For Debian 7 Wheezy, this issue has been fixed in redis version 2:2.4.14-1+deb7u2.

We recommend that you upgrade your redis packages.