Debian Security Advisory

DLA-1161-1 redis -- LTS security update

Date Reported:
05 Nov 2017
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2016-1051.
More information:

It was discovered that there was a Cross Protocol Scripting attack in the Redis key-value database.

"POST" and "Host:" command strings (which are not valid in the Redis protocol) were not immediately rejected when an attacker makes HTTP request to the Redis TCP port.

For Debian 7 Wheezy, this issue has been fixed in redis version 2:2.4.14-1+deb7u2.

We recommend that you upgrade your redis packages.