Source: redict
Version: 7.3.2+ds-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for redict.

CVE-2025-21605[0]:
| Redis is an open source, in-memory database that persists on disk.
| In versions starting at 2.6 and prior to 7.4.3, an unauthenticated
| client can cause unlimited growth of output buffers, until the
| server runs out of memory or is killed. By default, the Redis
| configuration does not limit the output buffer of normal clients
| (see client-output-buffer-limit). Therefore, the output buffer can
| grow unlimitedly over time. As a result, the service is exhausted
| and the memory is unavailable. When password authentication is
| enabled on the Redis server, but no password is provided, the client
| can still cause the output buffer to grow from "NOAUTH" responses
| until the system will run out of memory. This issue has been patched
| in version 7.4.3. An additional workaround to mitigate this problem
| without patching the redis-server executable is to block access to
| prevent unauthenticated users from connecting to Redis. This can be
| done in different ways. Either using network access control tools
| like firewalls, iptables, security groups, etc., or enabling TLS and
| requiring users to authenticate using client side certificates.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-21605
    https://www.cve.org/CVERecord?id=CVE-2025-21605
[1] https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff

Regards,
Salvatore
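The advisory points at the client-output-buffer-limit directive as the reason the buffer can grow without bound: the shipped default for the "normal" client class is 0 0 0, meaning no hard and no soft limit. The script below is an added example, not part of the bug report or of the redict/Redis projects; it audits a config file for that unbounded setting and shows a constructed "vulnerable" config beside a "hardened" one. It assumes the Redis 7.x directive syntax (`client-output-buffer-limit <class> <hard> <soft> <soft-seconds>`, one or more quadruples per line, `slave` as an alias of `replica`, bare k/m/g as powers of 1000 and kb/mb/gb as powers of 1024) and the Redis 7.x built-in defaults for classes the file does not mention; the assumption that redict keeps the same syntax and defaults is mine.

```python
"""Audit a redict/Redis config file for the unbounded normal-client output
buffer described in CVE-2025-21605.

Assumptions (mine, not from the advisory): Redis 7.x directive syntax,
unit suffixes and built-in defaults, which redict is assumed to inherit.
"""
import re

# Redis memory units: bare k/m/g are powers of 1000, kb/mb/gb are powers of 1024.
_UNITS = {
    "": 1, "k": 1000, "kb": 1024, "m": 1000 ** 2, "mb": 1024 ** 2,
    "g": 1000 ** 3, "gb": 1024 ** 3,
}

# Built-in defaults used when a class does not appear in the file (Redis 7.x).
# "normal" is 0 0 0: no hard limit, no soft limit.
DEFAULT_LIMITS = {
    "normal": (0, 0, 0),
    "replica": (256 * 1024 ** 2, 64 * 1024 ** 2, 60),
    "pubsub": (32 * 1024 ** 2, 8 * 1024 ** 2, 60),
}

_CLASS_ALIASES = {"slave": "replica"}


def parse_memory(text: str) -> int:
    """Convert a Redis-style size ('256mb', '1k', '0') to bytes."""
    m = re.fullmatch(r"(\d+)([kmg]b?)?", text.strip().lower())
    if not m:
        raise ValueError(f"bad memory value: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or ""]


def parse_output_buffer_limits(config_text: str) -> dict:
    """Return {class: (hard_bytes, soft_bytes, soft_seconds)}; last directive wins."""
    limits = dict(DEFAULT_LIMITS)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() != "client-output-buffer-limit":
            continue
        args = parts[1:]
        if not args or len(args) % 4 != 0:
            raise ValueError(f"malformed directive: {line!r}")
        # Redis 7 accepts several quadruples on one line.
        for i in range(0, len(args), 4):
            cls, hard, soft, secs = args[i:i + 4]
            cls = _CLASS_ALIASES.get(cls.lower(), cls.lower())
            if cls not in DEFAULT_LIMITS:
                raise ValueError(f"unknown client class: {cls!r}")
            limits[cls] = (parse_memory(hard), parse_memory(soft), int(secs))
    return limits


def audit(config_text: str) -> list:
    """Return findings for classes whose buffer can grow without a hard cap."""
    findings = []
    for cls, (hard, soft, secs) in parse_output_buffer_limits(config_text).items():
        if hard == 0 and soft == 0:
            findings.append(f"{cls}: no output buffer limit (unbounded growth possible)")
        elif hard == 0:
            findings.append(f"{cls}: no hard limit; soft limit {soft} bytes for {secs}s")
    return sorted(findings)


# Constructed sample: the shipped default leaves normal clients unbounded.
VULNERABLE_CONF = """\
port 6379
requirepass CHANGEME-placeholder
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
"""

# Constructed sample: cap normal clients too, so a stalled or abusive
# connection is closed instead of growing its buffer until the server is OOM.
HARDENED_CONF = """\
port 6379
requirepass CHANGEME-placeholder
client-output-buffer-limit normal 256mb 64mb 60 replica 256mb 64mb 60 pubsub 32mb 8mb 60
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])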