Source: redict
Version: 7.3.2+ds-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for redict.
CVE-2025-21605[0]:
| Redis is an open source, in-memory database that persists on disk.
| In versions starting at 2.6 and prior to 7.4.3, an unauthenticated
| client can cause unlimited growth of output buffers, until the
| server runs out of memory or is killed. By default, the Redis
| configuration does not limit the output buffer of normal clients
| (see client-output-buffer-limit). Therefore, the output buffer can
| grow unlimitedly over time. As a result, the service is exhausted
| and the memory is unavailable. When password authentication is
| enabled on the Redis server, but no password is provided, the client
| can still cause the output buffer to grow from "NOAUTH" responses
| until the system runs out of memory. This issue has been patched
| in version 7.4.3. An additional workaround to mitigate this problem
| without patching the redis-server executable is to block access to
| prevent unauthenticated users from connecting to Redis. This can be
| done in different ways. Either using network access control tools
| like firewalls, iptables, security groups, etc., or enabling TLS and
| requiring users to authenticate using client side certificates.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-21605
    https://www.cve.org/CVERecord?id=CVE-2025-21605
[1] https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff
Regards,
Salvatore
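As an added illustration (not part of this report, nor code from redict or Redis): a small Python audit that parses redis.conf-style client-output-buffer-limit directives, fills in the stock defaults for classes the file omits, and reports any client class left with neither a hard nor a soft limit, which is the condition the advisory above describes for "normal" clients. It assumes redict accepts the same directive name, class names and memory-unit suffixes as Redis; the sample configs are constructed.

```python
"""Flag client classes whose output buffer is unbounded (CVE-2025-21605 context).

Redis ships with 'client-output-buffer-limit normal 0 0 0', i.e. no limit
for ordinary clients; this audit makes that default visible.
"""
import re

# Memory-unit suffixes as documented in redis.conf: 1k = 1000 bytes,
# 1kb = 1024 bytes, likewise for m/mb and g/gb (case-insensitive).
UNITS = {"": 1, "k": 10**3, "kb": 2**10, "m": 10**6, "mb": 2**20,
         "g": 10**9, "gb": 2**30}

# Built-in defaults applied when a class is not configured (stock redis.conf).
DEFAULTS = {
    "normal": (0, 0, 0),                     # unlimited: the vulnerable default
    "replica": (256 * 2**20, 64 * 2**20, 60),
    "pubsub": (32 * 2**20, 8 * 2**20, 60),
}

def parse_size(token):
    """Convert '256mb', '64MB' or '0' into a byte count."""
    m = re.fullmatch(r"(\d+)([kKmMgG][bB]?)?", token)
    if not m:
        raise ValueError(f"bad size: {token!r}")
    return int(m.group(1)) * UNITS[(m.group(2) or "").lower()]

def parse_limits(conf_text):
    """Return {class: (hard_bytes, soft_bytes, soft_seconds)} for a config."""
    limits = dict(DEFAULTS)           # start from defaults so omissions show up
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, tokenise
        if len(parts) == 5 and parts[0].lower() == "client-output-buffer-limit":
            cls = parts[1].lower()
            cls = "replica" if cls == "slave" else cls   # legacy alias
            limits[cls] = (parse_size(parts[2]), parse_size(parts[3]), int(parts[4]))
    return limits

def unbounded_classes(limits):
    """Classes with hard == soft == 0, i.e. buffers that may grow without bound."""
    return sorted(c for c, (hard, soft, _) in limits.items() if hard == 0 and soft == 0)

# Constructed sample: tunes replica/pubsub but leaves the "normal" default alone.
SAMPLE_WEAK = """
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
"""
# Constructed hardened variant: 32 MB hard cap, 8 MB soft cap sustained for 60 s.
SAMPLE_HARDENED = SAMPLE_WEAK + "client-output-buffer-limit normal 32mb 8mb 60\n"

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: unbounded classes = {unbounded_classes(parse_limits(text))}")
```

The same logic applies to the live server's CONFIG GET client-output-buffer-limit output once its tokens are grouped in fours; a limit on "normal" clients is a mitigation for memory exhaustion, not a substitute for the upstream fix.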