diff -Nru redis-3.0.6/debian/changelog redis-3.0.6/debian/changelog
--- redis-3.0.6/debian/changelog 2018-06-27 16:53:05.000000000 +0000
+++ redis-3.0.6/debian/changelog 2018-12-07 17:12:18.000000000 +0000
@@ -1,3 +1,13 @@
+redis (2:3.0.6-1ubuntu0.3) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Tighten Permissions
+ - Ensure /var/lib/redis and /var/log/redis are not world readable
+ - Set UMask=007 in redis-server.service, redis-sentinel.server
+ - Changes taken from Debian version 3:3.2.5-2
+ - CVE-2016-2121
+
+ -- Mike Salvatore Fri, 07 Dec 2018 11:02:30 -0500
+
 redis (2:3.0.6-1ubuntu0.2) xenial-security; urgency=medium
 * SECURITY UPDATE: Permissions issue
diff -Nru redis-3.0.6/debian/redis-sentinel.service redis-3.0.6/debian/redis-sentinel.service
--- redis-3.0.6/debian/redis-sentinel.service 2015-12-19 11:27:43.000000000 +0000
+++ redis-3.0.6/debian/redis-sentinel.service 2018-12-07 15:41:47.000000000 +0000
@@ -18,6 +18,7 @@
 ExecStop=/bin/kill -s TERM $MAINPID
 ExecStopPost=-/bin/run-parts --verbose /etc/redis/redis-sentinel.post-down.d
+UMask=007
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectHome=yes
diff -Nru redis-3.0.6/debian/redis-server.postinst redis-3.0.6/debian/redis-server.postinst
--- redis-3.0.6/debian/redis-server.postinst 2015-12-19 11:27:43.000000000 +0000
+++ redis-3.0.6/debian/redis-server.postinst 2018-12-07 15:43:04.000000000 +0000
@@ -18,7 +18,11 @@
 for DIR in /var/lib/redis /var/log/redis
 do
 mkdir -p ${DIR}
- chown -R ${USER}:${GROUP} ${DIR}
+ if ! dpkg-statoverride --list ${DIR} >/dev/null 2>&1
+ then
+ chown -R ${USER}:${GROUP} ${DIR}
+ chmod 750 ${DIR}
+ fi
 done
 if ! dpkg-statoverride --list ${CONFFILE} >/dev/null 2>&1
diff -Nru redis-3.0.6/debian/redis-server.service redis-3.0.6/debian/redis-server.service
--- redis-3.0.6/debian/redis-server.service 2015-12-19 11:27:43.000000000 +0000
+++ redis-3.0.6/debian/redis-server.service 2018-12-07 15:42:05.000000000 +0000
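Review bot: `UMask=007` is added to redis-sentinel.service without a comment, and the same line in the redis-server.service hunk has none either, so neither unit records why the mask is there or why it keeps group write. With 007 the daemon can create files as permissive as 0660, while the postinst in this same change sets /var/lib/redis and /var/log/redis to 750; if nothing in the redis group needs to write those files, `UMask=027` would sit closer to the directory mode. Either way a line such as `# Files created by the daemon must not be readable by other users (CVE-2016-2121)` above the setting would state the intent. The mask only affects files created after the service is restarted, which matters when checking an upgraded host.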
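Review bot: `chmod 750 ${DIR}` in the new `if` branch of redis-server.postinst changes only the directory itself while the `chown` next to it is recursive, so dump and log files written before this update keep whatever mode bits they had and are protected only by the parent directory. If that is the intent, say so in a comment such as `# existing files keep their modes; the 750 directory blocks access for others`; if not, `chmod -R o-rwx "${DIR}"` would tighten them as well. The expansions in the added lines are unquoted; the values are fixed paths here, but `"${DIR}"` and `"${USER}:${GROUP}"` are the safer habit in a script that runs as root. USER and GROUP are defined outside the hunk, and whatever block encloses the loop starts outside it too.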
@@ -18,6 +18,7 @@
 ExecStop=/bin/kill -s TERM $MAINPID
 ExecStopPost=-/bin/run-parts --verbose /etc/redis/redis-server.post-down.d
+UMask=007
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectHome=yes