Debian DSA-3279-1 : redis - security update

critical Nessus Plugin ID 84024

Synopsis

The remote Debian host is missing a security-related update.

Description

It was discovered that redis, a persistent key-value database, could execute insecure Lua bytecode by way of the EVAL command. This could allow remote attackers to break out of the Lua sandbox and execute arbitrary code.

Solution

Upgrade the redis packages.

For the stable distribution (jessie), this problem has been fixed in version 2:2.8.17-1+deb8u1.

See Also

https://packages.debian.org/source/jessie/redis

https://www.debian.org/security/2015/dsa-3279

Plugin Details

Severity: Critical

ID: 84024

File Name: debian_DSA-3279.nasl

Version: 2.5

Type: local

Agent: unix

Published: 6/9/2015

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:redis, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 6/6/2015

Reference Information

CVE: CVE-2015-4335

BID: 75034

DSA: 3279