Package: redis
Version: 5:6.0.16-1+deb11u7
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for redis.

CVE-2025-49844[0]:
| Redis is an open source, in-memory database that persists on disk.
| Versions 8.2.1 and below allow an authenticated user to use a
| specially crafted Lua script to manipulate the garbage collector,
| trigger a use-after-free and potentially lead to remote code
| execution. The problem exists in all versions of Redis with Lua
| scripting. This issue is fixed in version 8.2.2. To workaround this
| issue without patching the redis-server executable is to prevent
| users from executing Lua scripts. This can be done using ACL to
| restrict EVAL and EVALSHA commands.

CVE-2025-46817[1]:
| Redis is an open source, in-memory database that persists on disk.
| Versions 8.2.1 and below allow an authenticated user to use a
| specially crafted Lua script to cause an integer overflow and
| potentially lead to remote code execution. The problem exists in all
| versions of Redis with Lua scripting. This issue is fixed in version
| 8.2.2.

CVE-2025-46818[2]:
| Redis is an open source, in-memory database that persists on disk.
| Versions 8.2.1 and below allow an authenticated user to use a
| specially crafted Lua script to manipulate different LUA objects and
| potentially run their own code in the context of another user. The
| problem exists in all versions of Redis with LUA scripting. This
| issue is fixed in version 8.2.2. A workaround to mitigate the
| problem without patching the redis-server executable is to prevent
| users from executing LUA scripts. This can be done using ACL to
| block a script by restricting both the EVAL and FUNCTION command
| families.

CVE-2025-46819[3]:
| Redis is an open source, in-memory database that persists on disk.
| Versions 8.2.1 and below allow an authenticated user to use a
| specially crafted LUA script to read out-of-bound data or crash the
| server and subsequent denial of service. The problem exists in all
| versions of Redis with Lua scripting. This issue is fixed in version
| 8.2.2. To workaround this issue without patching the redis-server
| executable is to prevent users from executing Lua scripts. This can
| be done using ACL to block a script by restricting both the EVAL and
| FUNCTION command families.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-49844
    https://www.cve.org/CVERecord?id=CVE-2025-49844
[1] https://security-tracker.debian.org/tracker/CVE-2025-46817
    https://www.cve.org/CVERecord?id=CVE-2025-46817
[2] https://security-tracker.debian.org/tracker/CVE-2025-46818
    https://www.cve.org/CVERecord?id=CVE-2025-46818
[3] https://security-tracker.debian.org/tracker/CVE-2025-46819
    https://www.cve.org/CVERecord?id=CVE-2025-46819

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-
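The workaround quoted in all four CVE descriptions is to deny Lua scripting through Redis ACLs until a patched redis-server is installed. The redis.conf fragment below is an added example; it is not part of this bug report or of the Debian package, and the user names and passwords in it are placeholders. It places the permissive rule next to a rule that removes the @scripting command category, which on the 6.0 series packaged here covers EVAL, EVALSHA and SCRIPT (on 7.x the same category also covers FUNCTION and FCALL, so one rule handles both command families named in the advisories).

```conf
# redis.conf ACL fragment (added example, not from the bug report).
# Only one of "user" directives in redis.conf or an external aclfile may be
# used; this example keeps the rules in redis.conf so they can be commented.

# Weak: the default user may run every command, including EVAL, EVALSHA and
# SCRIPT, so any authenticated client can submit Lua scripts to the server.
#user default on >CHANGE-ME-PLACEHOLDER ~* +@all

# Hardened: keep the same access but drop the whole scripting category.
# "-@scripting" after "+@all" removes EVAL, EVALSHA and SCRIPT (and, on
# Redis 7.x, FUNCTION/FCALL) from the user's allowed command set.
user default on >CHANGE-ME-PLACEHOLDER ~* +@all -@scripting

# An application account that needs only its own key prefix and no
# scripting at all (user name, password and key prefix are placeholders).
user app on >APP-PASSWORD-PLACEHOLDER ~app:* +@all -@scripting
```

After restarting redis-server, `ACL LIST` over redis-cli shows the effective rules per user, and `ACL CAT scripting` lists exactly which commands the category covers on the running version, which is the quickest way to confirm that EVAL and EVALSHA (and FUNCTION where present) are included. Be aware that any application logic built on server-side Lua, including client libraries that issue EVAL internally for atomic operations, will start receiving NOPERM errors, so this is a stopgap to be rolled back once the fixed package is deployed.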

