Your message dated Wed, 09 Jul 2025 10:19:46 +0000
with message-id <[email protected]>
and subject line Bug#1108978: fixed in valkey 8.1.1+dfsg1-3
has caused the Debian Bug report #1108978,
regarding valkey: CVE-2025-32023
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1108978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108978
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: valkey
Version: 8.1.1+dfsg1-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/valkey-io/valkey/pull/2314
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for valkey.

CVE-2025-32023[0]:
| Redis is an open source, in-memory database that persists on disk.
| From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an
| authenticated user may use a specially crafted string to trigger a
| stack/heap out of bounds write on hyperloglog operations,
| potentially leading to remote code execution. The bug likely affects
| all Redis versions with hyperloglog operations implemented. This
| vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An
| additional workaround to mitigate the problem without patching the
| redis-server executable is to prevent users from executing
| hyperloglog operations. This can be done using ACL to restrict HLL
| commands.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-32023
    https://www.cve.org/CVERecord?id=CVE-2025-32023
[1] https://github.com/valkey-io/valkey/pull/2314
[2] https://github.com/redis/redis/security/advisories/GHSA-rp2m-q4j6-gr43
[3] https://github.com/valkey-io/valkey/commit/20f5199d96baf0c64bd4e7d042b6274c4e773bcb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: valkey
Source-Version: 8.1.1+dfsg1-3
Done: Lucas Kanashiro <[email protected]>

We believe that the bug you reported is fixed in the latest version of
valkey, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lucas Kanashiro <[email protected]> (supplier of updated valkey package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 09 Jul 2025 05:53:22 -0300
Source: valkey
Architecture: source
Version: 8.1.1+dfsg1-3
Distribution: unstable
Urgency: medium
Maintainer: Lucas Kanashiro <[email protected]>
Changed-By: Lucas Kanashiro <[email protected]>
Closes: 1108978 1108982
Changes:
 valkey (8.1.1+dfsg1-3) unstable; urgency=medium
 .
   * Fix CVE-2025-32023 (Closes: #1108978)
     An authenticated user may use a specially crafted string to trigger a
     stack/heap out of bounds write on hyperloglog operations, potentially
     leading to remote code execution. The bug likely affects all Valkey
     versions with hyperloglog operations implemented.
     An additional workaround to mitigate the problem without patching the
     valkey-server executable is to prevent users from executing hyperloglog
     operations. This can be done using ACL to restrict HLL commands.
     - d/p/CVE-2025-32023.patch
   * Fix CVE-2025-48367 (Closes: #1108982)
     An unauthenticated connection can cause repeated IP protocol errors,
     leading to client starvation and, ultimately, a denial of service.
     - d/p/CVE-2025-48367.patch
   * d/copyright: fix path of the lua files, thanks to lintian!
Checksums-Sha1:
 b9671fb71fe203dbc1d4fed2f703c2bfc9664bec 2243 valkey_8.1.1+dfsg1-3.dsc
 c8327709a77cba3c0f32deaa152dbe6e5c5e46f3 21208 valkey_8.1.1+dfsg1-3.debian.tar.xz
Checksums-Sha256:
 9bbe983fc0fd6738a23a33c548bba4a93ce388d0582f83c96415d2d2535be482 2243 valkey_8.1.1+dfsg1-3.dsc
 b1f657404480b4e8a435430cbb5a6edc8507aae4276666ad43ad4629d93bf25d 21208 valkey_8.1.1+dfsg1-3.debian.tar.xz
Files:
 1ba31e09a524fbce3ed7a0eddf1d2ba1 2243 database optional valkey_8.1.1+dfsg1-3.dsc
 78d1366c185a56f042dc41bc17480548 21208 database optional valkey_8.1.1+dfsg1-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
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=RWeA
-----END PGP SIGNATURE-----

Attachment: pgpodqGdzrH_z.pgp
Description: PGP signature


--- End Message ---
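Both the bug report and the changelog above give the same interim mitigation for CVE-2025-32023: deny the hyperloglog commands through ACLs until the patched valkey-server is installed. The following is an added example, not code from the Debian package, the bug report or Valkey itself. It models the server's left-to-right evaluation of ACL SETUSER command rules over a users.acl file and reports every enabled user who can still run a PFADD/PFCOUNT/PFMERGE/PFDEBUG/PFSELFTEST command. The category table is a constructed subset of what `ACL CAT` returns (its @hyperloglog members match Valkey's; the other categories are only there to make the evaluation realistic), and the two ACL files are constructed to show the weak configuration beside the corrected one, including the ordering trap where a `+@all` placed after `-@hyperloglog` silently re-enables the commands.

```python
"""Check that a Valkey/Redis users.acl file leaves no enabled user able to run
hyperloglog commands, the ACL workaround named for CVE-2025-32023.

Added example, not part of the Debian bug report or of Valkey.  The category
table is a constructed subset of what `ACL CAT` reports on a real server."""

# Constructed subset of ACL categories (assumption: enough to show how rules
# compose; a real server has far more commands and categories).
CATEGORIES = {
    "hyperloglog": {"pfadd", "pfcount", "pfmerge", "pfdebug", "pfselftest"},
    "string": {"get", "set", "incr", "append", "getrange", "setrange"},
    "keyspace": {"del", "exists", "expire", "keys"},
    "read": {"get", "getrange", "exists", "pfcount"},
    "write": {"set", "incr", "append", "setrange", "del", "expire", "pfadd", "pfmerge"},
    "dangerous": {"pfdebug", "pfselftest", "keys", "debug", "flushall"},
}
ALL_COMMANDS = set().union(*CATEGORIES.values())
HLL_COMMANDS = CATEGORIES["hyperloglog"]


def allowed_commands(rules):
    """Apply ACL SETUSER command rules left to right, as the server does.

    `rules` is the token list after the user name, e.g.
    ['on', '>pw', '~*', '+@all', '-@hyperloglog'].  Flags, passwords, key and
    channel patterns do not change the command set and are skipped here.
    """
    allowed = set()
    for tok in rules:
        if tok in ("allcommands", "+@all"):
            allowed = set(ALL_COMMANDS)
        elif tok in ("nocommands", "-@all"):
            allowed = set()
        elif tok[:2] in ("+@", "-@"):
            members = CATEGORIES.get(tok[2:].lower())
            if members is None:
                raise ValueError(f"unknown ACL category in rule {tok!r}")
            allowed = allowed | members if tok[0] == "+" else allowed - members
        elif tok[:1] in "+-":
            cmd = tok[1:].split("|", 1)[0].lower()  # drop any subcommand part
            if cmd not in ALL_COMMANDS:
                raise ValueError(f"unknown command in rule {tok!r}")
            if tok[0] == "+":
                allowed.add(cmd)
            else:
                allowed.discard(cmd)
        # on/off, nopass, >password, ~pattern, &channel, ...: not command rules
    return allowed


def hll_exposure(acl_text):
    """Return {user: sorted hyperloglog commands still allowed} for every
    enabled user in a users.acl file.  An empty dict means the workaround holds."""
    exposure = {}
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "user" or len(parts) < 2:
            raise ValueError(f"not a user line: {line!r}")
        user, rules = parts[1], parts[2:]
        enabled = False                      # new users are 'off' unless enabled
        for tok in rules:                    # the last on/off flag wins
            if tok == "on":
                enabled = True
            elif tok == "off":
                enabled = False
        leaked = sorted(allowed_commands(rules) & HLL_COMMANDS)
        if enabled and leaked:
            exposure[user] = leaked
    return exposure


# Constructed users.acl before the workaround.  'reports' shows the ordering
# trap: a +@all placed after -@hyperloglog re-enables the whole category.
WEAK_ACL = """\
user default on nopass ~* &* +@all
user app on >app-secret ~app:* &* +@all
user reports on >rep-secret ~stats:* &* -@hyperloglog +@all
"""

# Constructed users.acl with the workaround applied: the category is removed
# after +@all, a read-only user loses pfcount explicitly, and a disabled user
# is not counted because it cannot authenticate.
HARDENED_ACL = """\
user default on nopass ~* &* +@all -@hyperloglog
user app on >app-secret ~app:* &* +@all -@hyperloglog
user reports on >rep-secret ~stats:* &* -@all +@read -pfcount
user legacy off >old-secret ~* &* +@all
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, hll_exposure(text) or "no enabled user can run HLL commands")
```

On a running server the same change is `ACL SETUSER <user> -@hyperloglog` for every enabled user (the `default` user included, since it normally carries `+@all`), followed by `ACL SAVE` when an `aclfile` is configured so the rules survive a restart, and `ACL LIST` to confirm the final rule strings. `ACL CAT hyperloglog` prints the server's real category membership and should be used instead of the constructed table above. The ACL only removes the trigger: a crafted value can still be stored with ordinary string commands, so the mitigation holds only as long as no user can run a PF* command on it, and the upgrade to 8.1.1+dfsg1-3 remains the actual fix.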