Bug 1064980 - (CVE-2016-10517) VUL-0: CVE-2016-10517: redis: POST and Host: strings lack a check that allows "Cross Protocol Scripting"
(CVE-2016-10517)
VUL-0: CVE-2016-10517: redis: POST and Host: strings lack a check that allows...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 42.3
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Martin Pluskal
E-mail List
CVSSv3:RedHat:CVE-2016-10517:6.1:(AV...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-10-25 06:48 UTC by Alexander Bergmann
Modified: 2020-11-11 14:35 UTC (History)
8 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2017-10-25 06:48:33 UTC
CVE-2016-10517

networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" because it
lacks a check for POST and Host: strings, which are not valid in the Redis
protocol (but commonly occur when an attack triggers an HTTP request to the
Redis TCP port).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10517
https://www.reddit.com/r/redis/comments/5r8wxn/redis_327_is_out_important_security_fixes_inside/
https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES
https://github.com/antirez/redis/commit/874804da0c014a7d704b3d285aa500098a931f50
Comment 1 Andreas Stieger 2017-10-27 15:37:57 UTC
Martin did the 3.2.7 bump. Could you add the CVE to the changelog and trigger the updates?
Comment 2 Martin Pluskal 2017-11-01 09:07:28 UTC
(In reply to Andreas Stieger from comment #1)
> Martin did the 3.2.7 bump. Could you add the CVE to the changelog and
> trigger the updates?

Submitted for Factory, for Leap and Backports each has different version, but upon reviewing changes I would probably go for version bump to Factory version for Leap and Backports - most of changes are bugfixes anyways.
Comment 3 Bernhard Wiedemann 2017-11-01 11:01:00 UTC
This is an autogenerated message for OBS integration:
This bug (1064980) was mentioned in
https://build.opensuse.org/request/show/538024 Factory / redis
https://build.opensuse.org/request/show/538025 42.2+42.3+Backports:SLE-12 / redis
Comment 4 Andreas Stieger 2017-11-10 13:02:23 UTC
done
Comment 5 Swamp Workflow Management 2017-11-10 17:16:11 UTC
openSUSE-SU-2017:2984-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1064980
CVE References: CVE-2016-10517
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    redis-4.0.2-9.1
Comment 6 Swamp Workflow Management 2017-11-10 17:24:20 UTC
openSUSE-SU-2017:2994-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1064980
CVE References: CVE-2016-10517
Sources used:
openSUSE Leap 42.3 (src):    redis-4.0.2-11.1
openSUSE Leap 42.2 (src):    redis-4.0.2-8.3.1
Comment 9 Swamp Workflow Management 2020-11-11 14:35:39 UTC
SUSE-OU-2020:3291-1: An update that solves 7 vulnerabilities, contains four features and has two fixes is now available.

Category: optional (moderate)
Bug References: 1002351,1047218,1061967,1064980,1097430,1131555,798455,835815,991250
CVE References: CVE-2013-7458,CVE-2015-8080,CVE-2016-10517,CVE-2016-8339,CVE-2017-15047,CVE-2018-11218,CVE-2018-11219
JIRA References: ECO-2417,ECO-2867,SLE-11578,SLE-12821
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    redis-6.0.8-1.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.