DSA-6279-1 redis - security update

  • What: Security update for the redis package, fixing CVE-2025-67733 and CVE-2026-21863
  • Impact: CVE-2025-67733 lets an authenticated user put CR/LF bytes into a Lua error reply and so inject extra replies into the RESP response stream read by other commands on the same connection; CVE-2026-21863 lets a peer with access to the cluster bus port send PING, PONG or MEET packets whose declared gossip count or extension lengths exceed the packet, causing an out-of-bounds read and potential crash (denial of service)

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6279-1] redis security update
From: Aron Xu <aron@debian.org>
Date: Sun, 17 May 2026 09:36:20 +0000
Message-id: <E1wOXv2-00000002zgs-43Ka@seger.debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6279-1                   security@debian.org
https://www.debian.org/security/                                 Aron Xu
May 17, 2026                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redis
CVE ID         : CVE-2025-67733 CVE-2026-21863
Debian Bug     :

Brief introduction

CVE-2025-67733

    A flaw in the Lua scripting error path allowed an authenticated user to
    embed CR/LF byte sequences in an error reply produced via
    redis.error_reply() or the Lua error() function. Because RESP uses CRLF
    as a frame delimiter, an injected sequence could be interpreted by the
    client as the start of an unrelated reply, allowing an attacker to
    inject arbitrary content into the response stream and tamper with data
    read by other commands on the same connection.

CVE-2026-21863

    The cluster bus packet validation in clusterProcessPacket() did not
    verify that the gossip-section count and per-extension header declared
    by an incoming PING, PONG or MEET message actually fit within the
    received packet. A peer with access to the cluster bus port could send
    a specially crafted message whose declared lengths exceed the packet
    size, causing the server to read out of bounds and potentially crash,
    resulting in a denial of service.

For the oldstable distribution (bookworm), these problems have been fixed in
version 5:7.0.15-1~deb12u7.

For the stable distribution (trixie), these problems have been fixed in
version 8.0.2-3+deb13u2.

We recommend that you upgrade your redis packages.

For the detailed security status of redis please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/redis

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEExq6D0hxncEPaPayX+GQ1dHE8m64FAmoJitkACgkQ+GQ1dHE8
m67IVQf+NSQGJC3uVfMscqsaU8VglaUVUxrvFLxUQzKJqZ2MoLXGayeB8L8DPSNH
MHim/xPC2B8113ovImO6NPkiLE1k7NOUu1M6ieDoKK5wvZwA57j4QOo49I74kEhA
JcWN6+Ri0cn9rdfMWN5sMMByqS1c4+i6rf/9Iibc1YRpgXg17Gc1ge2fDjxjtF+3
kyWLn9pxobNyrx1XB8l7yZpzfbM42uBUARDyD7rPZ/zfEJaAlauAFgdgr9W1lMUW
R7UZsBV4EFs27+ZJFzjwPNDvMMduiT2EsIt+nmKo7Uuot1rXf9hOY2O8KqZmFY8U
ZKl92oZE20MsKODbMp5+MYiuTGNljw==
=spQm
-----END PGP SIGNATURE-----
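The framing problem behind CVE-2025-67733, as an added example that is not Redis code and not the upstream fix: a minimal reader for single-line RESP replies, a server-side error-reply builder with and without CR/LF normalisation, and a client that pipelined two commands and attributes the wrong bytes to the second one when the first command's error text carries a CRLF. The error message "boom\r\n+OK", the genuine reply "+real_value" and every function name here are constructed for the illustration; replacing CR/LF with spaces is one mitigation of the class the advisory describes, not a claim about what the Debian or upstream patch does.

```c
/* Added example (not Redis code): why a CR/LF inside a RESP error reply
 * desynchronises the client. RESP frames every single-line reply with
 * "\r\n", so an error message that itself contains "\r\n" is parsed by the
 * client as two replies. All names and sample strings are constructed. */
#include <stdio.h>
#include <string.h>

/* Locate the first "\r\n" in p[0..n), or NULL if there is none. */
static const char *find_crlf(const char *p, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++)
        if (p[i] == '\r' && p[i + 1] == '\n') return p + i;
    return NULL;
}

/* Read one single-line RESP reply (+ simple string, - error, : integer)
 * starting at buf[*pos]. Copies the payload without its type byte and
 * trailing CRLF into out, advances *pos past the frame, and returns the
 * type byte; returns 0 when no complete reply is available. */
static char resp_read_reply(const char *buf, size_t len, size_t *pos,
                            char *out, size_t outlen)
{
    if (*pos >= len || outlen == 0) return 0;
    char type = buf[*pos];
    if (type != '+' && type != '-' && type != ':') return 0;
    const char *start = buf + *pos + 1;
    const char *end = find_crlf(start, len - (*pos + 1));
    if (!end) return 0;
    size_t n = (size_t)(end - start);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, start, n);
    out[n] = '\0';
    *pos = (size_t)(end - buf) + 2;
    return type;
}

/* Number of replies a client would extract from a byte stream. */
static int resp_count_replies(const char *buf, size_t len)
{
    size_t pos = 0;
    char out[256];
    int n = 0;
    while (resp_read_reply(buf, len, &pos, out, sizeof out)) n++;
    return n;
}

/* Server side: build "-<msg>\r\n". With sanitize set, CR and LF bytes in
 * msg are replaced by spaces so the message can never contain a frame
 * delimiter (an illustrative mitigation, not the upstream patch).
 * Returns bytes written, excluding the NUL terminator. */
static size_t build_error_reply(const char *msg, int sanitize,
                                char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen < 4) return 0;
    out[n++] = '-';
    for (const char *p = msg; *p && n < outlen - 3; p++) {
        char c = *p;
        if (sanitize && (c == '\r' || c == '\n')) c = ' ';
        out[n++] = c;
    }
    out[n++] = '\r';
    out[n++] = '\n';
    out[n] = '\0';
    return n;
}

/* Client side: two pipelined commands. The first hit a Lua error whose
 * message the attacker chose ("boom\r\n+OK", a constructed value); the
 * second command's genuine reply is "+real_value". Copies whatever payload
 * the client attributes to the second command into out. */
static void reply_seen_by_second_command(int sanitize, char *out, size_t outlen)
{
    char stream[512];
    char first[256];
    size_t pos = 0;
    size_t len = build_error_reply("boom\r\n+OK", sanitize, stream, sizeof stream);
    const char *genuine = "+real_value\r\n";
    if (outlen) out[0] = '\0';
    memcpy(stream + len, genuine, strlen(genuine));
    len += strlen(genuine);
    resp_read_reply(stream, len, &pos, first, sizeof first); /* reply to command 1 */
    resp_read_reply(stream, len, &pos, out, outlen);         /* reply to command 2 */
}

int main(void)
{
    char seen[256];
    reply_seen_by_second_command(0, seen, sizeof seen);
    printf("unsanitised: second command sees \"%s\"\n", seen); /* injected "OK" */
    reply_seen_by_second_command(1, seen, sizeof seen);
    printf("sanitised:   second command sees \"%s\"\n", seen); /* "real_value" */
    return 0;
}
```

Without normalisation the client pairs the attacker's "+OK" with the second command and leaves "+real_value" queued for whatever command comes next, which is the tampering the advisory describes; with it, the whole message stays inside one frame.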
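A length-validation routine of the kind CVE-2026-21863 concerns, as an added example that is not Redis code. The packet layout (a 10-byte header, 10-byte gossip entries, 6-byte extension headers), the constants MSG_PING/MSG_PONG/MSG_MEET and the functions validate_packet, build_packet and check_scenario are a simplified model invented here; they are not Redis's clusterMsg structures, clusterProcessPacket() or the upstream patch. The check is the one the advisory describes: before reading the gossip section or any extension, confirm that the declared count and each declared extension length fit inside the bytes actually received.

```c
/* Added example (not Redis code): validating declared lengths in a cluster
 * bus packet before reading from it. The layout below is a simplified model
 * invented for this illustration, not Redis's clusterMsg:
 *   header   (10 bytes): u32 totlen, u16 type, u16 gossip count, u16 ext count
 *   gossip   (10 bytes each): 8-byte node name, u16 port
 *   ext hdr  ( 6 bytes): u16 ext type, u32 ext len (header + payload)
 * Integers are in host byte order because the same code builds the packets. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { MSG_PING = 0, MSG_PONG = 1, MSG_MEET = 2 };
enum { HDR_LEN = 10, GOSSIP_LEN = 10, EXT_HDR_LEN = 6 };

typedef enum {
    PKT_OK = 0,
    PKT_TRUNCATED_HEADER,   /* fewer bytes than a header */
    PKT_BAD_TYPE,
    PKT_TOTLEN_MISMATCH,    /* claimed total length != bytes received */
    PKT_GOSSIP_OVERFLOW,    /* declared gossip entries do not fit */
    PKT_EXT_OVERFLOW        /* an extension header or its declared length does not fit */
} pkt_status;

/* Every declared count or length is checked against the bytes actually
 * received before any field beyond it is read. */
static pkt_status validate_packet(const uint8_t *pkt, size_t received)
{
    uint32_t totlen; uint16_t type, count, ext_count;
    if (received < HDR_LEN) return PKT_TRUNCATED_HEADER;
    memcpy(&totlen, pkt + 0, 4);
    memcpy(&type, pkt + 4, 2);
    memcpy(&count, pkt + 6, 2);
    memcpy(&ext_count, pkt + 8, 2);
    if (type != MSG_PING && type != MSG_PONG && type != MSG_MEET) return PKT_BAD_TYPE;
    if (totlen != received) return PKT_TOTLEN_MISMATCH;

    /* Gossip section: count * GOSSIP_LEN cannot overflow size_t (count <= 65535). */
    size_t off = HDR_LEN;
    size_t gossip_bytes = (size_t)count * GOSSIP_LEN;
    if (gossip_bytes > received - off) return PKT_GOSSIP_OVERFLOW;
    off += gossip_bytes;

    /* Extensions: check that each header fits, then that the length it
     * declares (covering header and payload) fits, before moving on. */
    for (unsigned i = 0; i < ext_count; i++) {
        uint32_t ext_len;
        if (received - off < EXT_HDR_LEN) return PKT_EXT_OVERFLOW;
        memcpy(&ext_len, pkt + off + 2, 4);
        if (ext_len < EXT_HDR_LEN || ext_len > received - off) return PKT_EXT_OVERFLOW;
        off += ext_len;
    }
    return PKT_OK;
}

/* Build a PING with real_count zero-filled gossip entries and one extension
 * carrying real_ext_payload bytes, but write claimed_count and
 * claimed_ext_len into the headers so a lying peer can be simulated.
 * totlen is set honestly, which is exactly the case a totlen check alone
 * does not catch. Returns bytes written, 0 if buf is too small. */
static size_t build_packet(uint8_t *buf, size_t buflen,
                           uint16_t claimed_count, uint16_t real_count,
                           uint32_t claimed_ext_len, uint32_t real_ext_payload)
{
    size_t need = HDR_LEN + (size_t)real_count * GOSSIP_LEN + EXT_HDR_LEN + real_ext_payload;
    uint32_t totlen = (uint32_t)need;
    uint16_t type = MSG_PING, ext_count = 1, ext_type = 1;
    size_t off;
    if (need > buflen) return 0;
    memset(buf, 0, need);
    memcpy(buf + 0, &totlen, 4);
    memcpy(buf + 4, &type, 2);
    memcpy(buf + 6, &claimed_count, 2);
    memcpy(buf + 8, &ext_count, 2);
    off = HDR_LEN + (size_t)real_count * GOSSIP_LEN;
    memcpy(buf + off, &ext_type, 2);
    memcpy(buf + off + 2, &claimed_ext_len, 4);
    return need;
}

/* Build a packet with the given honest/claimed values and validate it. */
static pkt_status check_scenario(uint16_t claimed_count, uint16_t real_count,
                                 uint32_t claimed_ext_len, uint32_t real_ext_payload)
{
    uint8_t buf[4096];
    size_t n = build_packet(buf, sizeof buf, claimed_count, real_count,
                            claimed_ext_len, real_ext_payload);
    return n ? validate_packet(buf, n) : PKT_TRUNCATED_HEADER;
}

int main(void)
{
    printf("honest packet:            %d\n", check_scenario(2, 2, EXT_HDR_LEN + 10, 10));   /* PKT_OK */
    printf("gossip count overstated:  %d\n", check_scenario(200, 2, EXT_HDR_LEN + 10, 10)); /* PKT_GOSSIP_OVERFLOW */
    printf("extension len overstated: %d\n", check_scenario(2, 2, 4096, 10));              /* PKT_EXT_OVERFLOW */
    return 0;
}
```

The second and third scenarios are the shape of packet the advisory describes: totlen matches the bytes on the wire, so a total-length check passes, while the gossip count or an extension length points past the end of the buffer. A receiver that trusts either value and iterates over the declared entries reads beyond the packet; the validator rejects the packet before that loop runs.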
