Source: valkey
Version: 8.1.4+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for valkey.

CVE-2025-67733[0]:
| Valkey is a distributed key-value database. Prior to versions 9.0.2,
| 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting
| commands to inject arbitrary information into the response stream
| for the given client, potentially corrupting or returning tampered
| data to other users on the same connection. The error handling code
| for lua scripts does not properly handle null characters. Versions
| 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.

CVE-2026-21863[1]:
| Valkey is a distributed key-value database. Prior to versions 9.0.2,
| 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the
| Valkey clusterbus port can send an invalid packet that may cause an
| out-of-bounds read, which might result in the system crashing. The
| Valkey clusterbus packet processing code does not validate that a
| clusterbus ping extension packet is located within the buffer of the
| clusterbus packet before attempting to read it. Versions 9.0.2,
| 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation,
| don't expose the cluster bus connection directly to end users, and
| protect the connection with its own network ACLs.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-67733
    https://www.cve.org/CVERecord?id=CVE-2025-67733
[1] https://security-tracker.debian.org/tracker/CVE-2026-21863
    https://www.cve.org/CVERecord?id=CVE-2026-21863

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
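Added example for the CVE-2025-67733 entry above; this is illustration code, not Valkey's source. The advisory only says the Lua error path "does not properly handle null characters" and that this lets a script inject bytes into the client's response stream. The concrete mechanism modelled here is an assumption: a Lua string may carry embedded NULs, and if the CR/LF sanitizer walks it as a C string (up to the first NUL) while the emitter copies its full length, any CR/LF placed after the NUL reaches the wire and starts a second RESP frame. All function names, the sample error text and the frame counter are constructed for this example.

```c
/* Added example, not Valkey source code. Models an assumed shape of the
 * CVE-2025-67733 bug: an error string with an embedded NUL is sanitized
 * only up to the NUL but written with its full length, so CR/LF hidden
 * after the NUL splits the reply into two RESP frames. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Vulnerable shape: CR/LF are replaced with spaces, but the loop bound
 * comes from strlen(), which stops at the first NUL, while memcpy copies
 * all `len` bytes. Requires msg[len] == '\0' (true of Lua strings). */
size_t reply_error_unsafe(const char *msg, size_t len, char *out, size_t cap) {
    if (cap < len + 3) return 0;
    size_t n = strlen(msg);
    if (n > len) n = len;
    out[0] = '-';
    memcpy(out + 1, msg, len);
    for (size_t i = 1; i <= n; i++)
        if (out[i] == '\r' || out[i] == '\n') out[i] = ' ';
    out[len + 1] = '\r';
    out[len + 2] = '\n';
    return len + 3;
}

/* Hardened: the sanitizer covers every one of the `len` bytes, and a NUL
 * is neutralised too, since it is never legitimate inside an error line
 * and is exactly the byte that makes strlen() and len disagree. */
size_t reply_error_safe(const char *msg, size_t len, char *out, size_t cap) {
    if (cap < len + 3) return 0;
    out[0] = '-';
    for (size_t i = 0; i < len; i++) {
        char c = msg[i];
        out[i + 1] = (c == '\r' || c == '\n' || c == '\0') ? ' ' : c;
    }
    out[len + 1] = '\r';
    out[len + 2] = '\n';
    return len + 3;
}

/* Counts CRLF-terminated RESP frames (simple strings, errors, integers)
 * in a reply buffer. A pipelined client that reads line-delimited
 * replies would hand any extra frame to the next queued command. */
size_t count_resp_frames(const char *buf, size_t len) {
    size_t frames = 0;
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n') { frames++; i++; }
    return frames;
}

int main(void) {
    /* Constructed sample: Lua error text with a NUL, then a forged "+OK". */
    const char evil[] = "bad script\0+OK\r\n";
    char out[64];
    size_t n = reply_error_unsafe(evil, sizeof evil - 1, out, sizeof out);
    printf("unsafe: %zu frame(s)\n", count_resp_frames(out, n));
    n = reply_error_safe(evil, sizeof evil - 1, out, sizeof out);
    printf("safe:   %zu frame(s)\n", count_resp_frames(out, n));
    return 0;
}
```

The practical check this encodes: whenever a string can originate in a language runtime that allows embedded NULs (Lua, or any length-prefixed buffer), sanitize and emit over the same explicit length and never let strlen() decide how much of it was inspected.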
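Added example for the CVE-2026-21863 entry above; again illustration code, not Valkey's source. The advisory states that the receiver read a ping extension without first validating that it lies inside the received cluster bus packet. The walker below shows the checks a receiver needs before touching each extension: the header must fit in the remaining bytes, and the declared length must cover the header and fit in the remaining bytes, compared in a form that cannot overflow. The header layout (16-bit type, 16-bit pad, 32-bit total length), host byte order and every identifier are assumptions made for this example; the packets in main() are constructed samples.

```c
/* Added example, not Valkey source code. A simplified model of walking
 * the ping extensions that follow a cluster bus PING/PONG/MEET payload,
 * with the bounds checks CVE-2026-21863 describes as missing. Layout,
 * byte order and names are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EXT_HDR_LEN 8u

typedef struct {
    uint16_t type;
    uint16_t unused;
    uint32_t length;   /* total extension length, header included */
} ping_ext_hdr;

/* Copy one extension header out of pkt[off..] without trusting any field.
 * Returns -1 when the header itself would extend past pktlen. */
static int read_ext_hdr(const uint8_t *pkt, size_t pktlen, size_t off,
                        ping_ext_hdr *hdr) {
    if (off > pktlen || pktlen - off < EXT_HDR_LEN) return -1;
    memcpy(&hdr->type, pkt + off, sizeof hdr->type);
    memcpy(&hdr->unused, pkt + off + 2, sizeof hdr->unused);
    memcpy(&hdr->length, pkt + off + 4, sizeof hdr->length);
    return 0;
}

/* Validate `count` extensions starting at byte `off` of a `pktlen`-byte
 * packet. Returns the number validated, or -1 at the first extension
 * that does not lie entirely inside the buffer. */
int validate_ping_exts(const uint8_t *pkt, size_t pktlen, size_t off,
                       uint16_t count) {
    for (uint16_t i = 0; i < count; i++) {
        ping_ext_hdr h;
        /* The check the advisory names: the extension header must be
         * inside the packet buffer before it is read. */
        if (read_ext_hdr(pkt, pktlen, off, &h) != 0) return -1;
        /* The declared length must at least cover the header (so the walk
         * always advances) and must fit in the bytes remaining. Comparing
         * against pktlen - off means a huge length cannot wrap off+length
         * around and slip past the check. */
        if (h.length < EXT_HDR_LEN || h.length > pktlen - off) return -1;
        off += h.length;
    }
    return (int)count;
}

/* Builder for samples: `declared` is written to the length field as-is so
 * a caller can forge it, while `bodylen` bytes are actually appended.
 * Returns 0, or -1 if buf has no room. */
int append_ext(uint8_t *buf, size_t cap, size_t *len, uint16_t type,
               const void *body, uint32_t bodylen, uint32_t declared) {
    uint16_t pad = 0;
    if (cap - *len < EXT_HDR_LEN + bodylen) return -1;
    memcpy(buf + *len, &type, sizeof type);
    memcpy(buf + *len + 2, &pad, sizeof pad);
    memcpy(buf + *len + 4, &declared, sizeof declared);
    if (bodylen) memcpy(buf + *len + EXT_HDR_LEN, body, bodylen);
    *len += EXT_HDR_LEN + bodylen;
    return 0;
}

int main(void) {
    uint8_t pkt[64];
    size_t len = 0;
    const char name[8] = "shard-a";   /* constructed sample body */
    append_ext(pkt, sizeof pkt, &len, 1, name, 8, 16);
    append_ext(pkt, sizeof pkt, &len, 2, NULL, 0, 8);
    printf("honest packet: %d\n", validate_ping_exts(pkt, len, 0, 2));
    len = 0;
    append_ext(pkt, sizeof pkt, &len, 1, name, 8, 4096);  /* lies about size */
    printf("forged length: %d\n", validate_ping_exts(pkt, len, 0, 1));
    return 0;
}
```

The same pattern applies to any length-prefixed TLV stream parsed from a peer: check that the header fits, then that the declared length fits, before dereferencing either, and keep the cluster bus port off end-user networks as the advisory's mitigation recommends.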

