Hi Lucas, hi Salvatore,

On 2026-03-15 21:01:46, Salvatore Bonaccorso wrote:
> The following vulnerabilities were published for valkey.
>
> CVE-2025-67733[0]:
> | Valkey is a distributed key-value database. Prior to versions 9.0.2,
> | 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting
> | commands to inject arbitrary information into the response stream
> | for the given client, potentially corrupting or returning tampered
> | data to other users on the same connection. The error handling code
> | for lua scripts does not properly handle null characters. Versions
> | 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
>
> CVE-2026-21863[1]:
> | Valkey is a distributed key-value database. Prior to versions 9.0.2,
> | 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the
> | Valkey clusterbus port can send an invalid packet that may cause an
> | out-of-bounds read, which might result in the system crashing. The
> | Valkey clusterbus packet processing code does not validate that a
> | clusterbus ping extension packet is located within the buffer of the
> | clusterbus packet before attempting to read it. Versions 9.0.2,
> | 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation,
> | don't expose the cluster bus connection directly to end users, and
> | protect the connection with its own network ACLs.
What are your plans concerning the above vulnerabilities? If you need a
helping hand, I can prepare a debdiff for trixie.

Best regards
Peter
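For anyone reading this thread to find out whether a running instance is covered by the fixes quoted above, here is a small branch-aware version check. It is an added example, not part of the mail thread and not Debian or Valkey tooling; the only facts it encodes are the four fix releases named in the advisory (9.0.2, 8.1.6, 8.0.7, 7.2.12). It assumes that `valkey-server --version` prints a line of the form `Valkey server v=8.0.1 ...`; that format is an assumption, and the function also accepts a bare version string.

```python
"""Compare a Valkey version against the fix releases named in the advisory
for CVE-2025-67733 and CVE-2026-21863.  Added example, not project code."""

import re

# (major, minor) release branch -> first release on that branch carrying the fix,
# exactly as listed in the advisory.  Branches not listed here are not assessed.
FIXED_IN = {
    (9, 0): (9, 0, 2),
    (8, 1): (8, 1, 6),
    (8, 0): (8, 0, 7),
    (7, 2): (7, 2, 12),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first X.Y.Z triple in `text` as a tuple of ints, or None.

    Accepts a bare version ("8.0.7"), a Debian-style upstream+revision
    string ("8.0.7-1"), or a `valkey-server --version` line (assumed format:
    "Valkey server v=8.0.7 sha=... malloc=... bits=64 build=...").
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(g) for g in m.groups())


def assess(text):
    """Classify a version string against the advisory.

    Returns one of:
      "fixed"          - on a listed branch, at or above the fix release
      "affected"       - on a listed branch, below the fix release
      "unknown-branch" - a branch the advisory does not mention; don't guess
      "unparseable"    - no X.Y.Z triple found in the input
    """
    version = parse_version(text)
    if version is None:
        return "unparseable"
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    # Tuple comparison on ints, so 9.0.10 correctly sorts above 9.0.2.
    return "fixed" if version >= fixed else "affected"


if __name__ == "__main__":
    import subprocess
    import sys

    # Constructed fallback input in case valkey-server is not on PATH.
    try:
        out = subprocess.run(["valkey-server", "--version"],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = sys.argv[1] if len(sys.argv) > 1 else "Valkey server v=8.0.1 sha=00000000:0"
    print(out.strip(), "->", assess(out))
```

One caveat for the Debian packages under discussion: a security upload typically backports the fix without changing the upstream version number, so a package built from 8.0.x plus a debdiff can be fixed while this upstream-version check still reports "affected". For Debian, the package changelog and the security tracker entry are authoritative; this check is only meaningful for upstream builds.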

