[SECURITY] [DLA 1161-1] redis security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : redis
Version        : 2:2.4.14-1+deb7u2
CVE ID         : CVE-2016-1051

It was discovered that there was a "Cross Protocol Scripting" attack in
the Redis key-value database.

"POST" and "Host:" command strings (which are not valid in the Redis
protocol) were not immediately rejected when an attacker made an HTTP
request to the Redis TCP port.

For Debian 7 "Wheezy", this issue has been fixed in redis version
2:2.4.14-1+deb7u2.

We recommend that you upgrade your redis packages.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
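
The behaviour described in the advisory, as an added example that is not part of the original message or of the Redis source: a simplified line-based command parser, run with and without immediate rejection of "POST" and "Host:". The command table, reply strings and sample request are constructed for illustration.

```python
# Added illustration: simplified model of a line-based command server.
# Not Redis source code; the command table and replies are stand-ins.

HTTP_MARKERS = {"post", "host:"}   # the two strings named in the advisory
KNOWN = {"ping", "set", "get"}     # tiny stand-in command table


def process(stream: bytes, reject_http: bool):
    """Return (replies, connection_closed) for one client byte stream."""
    replies = []
    for raw in stream.split(b"\r\n"):
        parts = raw.decode("latin-1").split()
        if not parts:
            continue                      # blank line, e.g. end of HTTP headers
        name = parts[0].lower()
        if reject_http and name in HTTP_MARKERS:
            # Fixed behaviour: the peer is speaking HTTP, so stop reading
            # and drop the connection before any later line is parsed.
            replies.append("-ERR HTTP-looking input, closing connection")
            return replies, True
        if name in KNOWN:
            replies.append(f"+OK executed {name}")
        else:
            # Old behaviour: report an error for the invalid line but keep
            # the connection open and go on to the next line.
            replies.append(f"-ERR unknown command '{parts[0]}'")
    return replies, False


def executed(replies):
    """Replies that correspond to a command that actually ran."""
    return [r for r in replies if r.startswith("+OK")]


# Constructed sample: an HTTP request whose body is a harmless PING line.
SAMPLE = (b"POST / HTTP/1.1\r\n"
          b"Host: localhost:6379\r\n"
          b"Content-Length: 4\r\n"
          b"\r\n"
          b"PING\r\n")

if __name__ == "__main__":
    for mode in (False, True):
        replies, closed = process(SAMPLE, reject_http=mode)
        print(f"reject_http={mode} closed={closed} executed={executed(replies)}")
```

Without the rejection, the header lines only produce errors and the body line is still parsed as a command; with it, the connection ends at the first line.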