Your message dated Fri, 24 Oct 2025 01:20:54 +0000
with message-id <[email protected]>
and subject line Bug#1117687: fixed in valkey 8.1.4+dfsg1-1
has caused the Debian Bug report #1117687,
regarding valkey: CVE-2025-46817 CVE-2025-46818 CVE-2025-46819 CVE-2025-49844
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1117687: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117687
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: valkey
Version: 8.1.1+dfsg1-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: fixed -1 8.1.1+dfsg1-3+deb13u1
Hi,
The following vulnerabilities were published for valkey.
Note the issues are already fixed in the DSA released by Moritz,
versioned 8.1.1+dfsg1-3+deb13u1.
CVE-2025-46817[0]:
| Redis is an open source, in-memory database that persists on disk.
| Versions 8.2.1 and below allow an authenticated user to use a
| specially crafted Lua script to cause an integer overflow and
| potentially lead to remote code execution. The problem exists in all
| versions of Redis with Lua scripting. This issue is fixed in version
| 8.2.2.
CVE-2025-46818[1]:
| Redis is an open source, in-memory database that persists on disk.
| Versions 8.2.1 and below allow an authenticated user to use a
| specially crafted Lua script to manipulate different Lua objects and
| potentially run their own code in the context of another user. The
| problem exists in all versions of Redis with Lua scripting. This
| issue is fixed in version 8.2.2. A workaround to mitigate the
| problem without patching the redis-server executable is to prevent
| users from executing Lua scripts. This can be done using ACL to
| block a script by restricting both the EVAL and FUNCTION command
| families.
CVE-2025-46819[2]:
| Redis is an open source, in-memory database that persists on disk.
| Versions 8.2.1 and below allow an authenticated user to use a
| specially crafted Lua script to read out-of-bounds data or crash the
| server, resulting in a denial of service. The problem exists in all
| versions of Redis with Lua scripting. This issue is fixed in version
| 8.2.2. To work around this issue without patching the redis-server
| executable, prevent users from executing Lua scripts. This can be
| done using ACL to block a script by restricting both the EVAL and
| FUNCTION command families.
CVE-2025-49844[3]:
| Redis is an open source, in-memory database that persists on disk.
| Versions 8.2.1 and below allow an authenticated user to use a
| specially crafted Lua script to manipulate the garbage collector,
| trigger a use-after-free and potentially lead to remote code
| execution. The problem exists in all versions of Redis with Lua
| scripting. This issue is fixed in version 8.2.2. To work around this
| issue without patching the redis-server executable, prevent users
| from executing Lua scripts. This can be done using ACL to restrict
| the EVAL and EVALSHA commands.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-46817
https://www.cve.org/CVERecord?id=CVE-2025-46817
[1] https://security-tracker.debian.org/tracker/CVE-2025-46818
https://www.cve.org/CVERecord?id=CVE-2025-46818
[2] https://security-tracker.debian.org/tracker/CVE-2025-46819
https://www.cve.org/CVERecord?id=CVE-2025-46819
[3] https://security-tracker.debian.org/tracker/CVE-2025-49844
https://www.cve.org/CVERecord?id=CVE-2025-49844
Regards,
Salvatore
--- End Message ---
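The workaround quoted in the report above (deny the EVAL and FUNCTION command families through ACLs until the fixed package is installed) is only effective if no enabled user still carries a rule that re-grants scripting. The script below is an added example, not part of the Debian bug report or of the valkey package: it replays a user's ACL rule list left to right the way the server does, reports every enabled user who can still call a script-executing command, and emits the `ACL SETUSER <user> -@scripting` statements that close the gap. It assumes the `@scripting` command category of Redis/Valkey ACLs (which contains EVAL, EVALSHA, EVAL_RO, EVALSHA_RO, FCALL, FCALL_RO, FUNCTION and SCRIPT); the `ACL LIST` output it parses is constructed for the example and uses placeholder password hashes.

```python
"""Audit Valkey/Redis ACL rules for users who can still execute Lua scripts.

Added example (not code from the Debian bug report or the valkey package).
It models the rule semantics the CVE workaround relies on: rules are applied
in order, and a later +/- rule overrides an earlier one. The SAMPLE_ACL_LIST
below is constructed for illustration; '#<sha256-placeholder>' stands in for
a real password hash as printed by ACL LIST.
"""
from __future__ import annotations

# Commands that execute or load Lua code. Assumed to match the @scripting
# ACL category of Redis/Valkey; granting any of them re-opens the surface
# the workaround is meant to close.
SCRIPTING_COMMANDS = frozenset({
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "fcall", "fcall_ro", "function", "script",
})


def scripting_commands_allowed(rule_line: str) -> set[str]:
    """Return the scripting commands a user may call after its rules apply.

    rule_line is one line of ACL LIST output, e.g.
    'user app on #<hash> ~app:* &* -@all +@read +@scripting'.
    """
    allowed: set[str] = set()
    for tok in rule_line.split():
        if tok == "allcommands":          # synonym for +@all
            allowed = set(SCRIPTING_COMMANDS)
            continue
        if tok == "nocommands":           # synonym for -@all
            allowed = set()
            continue
        sign, body = tok[0], tok[1:].lower()
        if sign not in "+-":              # key/channel/password/flag tokens
            continue
        if body in ("@all", "@scripting"):
            targets = set(SCRIPTING_COMMANDS)
        else:
            cmd, _, sub = body.partition("|")
            if cmd not in SCRIPTING_COMMANDS:
                continue                  # e.g. +@read, +get: irrelevant here
            if sub and sign == "-":
                # Removing one subcommand (e.g. -function|load) leaves the
                # rest of the command callable, so exposure is unchanged.
                continue
            targets = {cmd}
        if sign == "+":
            allowed |= targets
        else:
            allowed -= targets
    return allowed


def audit_acl_list(acl_list_output: str) -> dict[str, set[str]]:
    """Map each enabled user that can run scripts to the commands it may use."""
    exposed: dict[str, set[str]] = {}
    for line in acl_list_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        if "off" in parts[2:]:            # disabled user cannot authenticate
            continue
        cmds = scripting_commands_allowed(line)
        if cmds:
            exposed[parts[1]] = cmds
    return exposed


def mitigation_commands(exposed: dict[str, set[str]]) -> list[str]:
    """ACL SETUSER statements that drop the whole scripting family per user."""
    return [f"ACL SETUSER {user} -@scripting" for user in sorted(exposed)]


# Constructed ACL LIST output: one fully open default user, an application
# user with explicit scripting, a read-only user that slipped in EVALSHA_RO,
# a disabled user, and a correctly locked-down cache user.
SAMPLE_ACL_LIST = """\
user default on nopass ~* &* +@all
user app on #<sha256-placeholder> ~app:* &* -@all +@read +@write +@scripting
user reporting on #<sha256-placeholder> ~* resetchannels -@all +@read +evalsha_ro
user locked off #<sha256-placeholder> ~* &* +@all
user cache on #<sha256-placeholder> ~cache:* &* -@all +@read +@write -@scripting
"""

if __name__ == "__main__":
    findings = audit_acl_list(SAMPLE_ACL_LIST)
    for user, cmds in findings.items():
        print(f"{user}: can still run {', '.join(sorted(cmds))}")
    for stmt in mitigation_commands(findings):
        print(stmt)
```

On a live instance, feed it the output of `valkey-cli ACL LIST` (or `redis-cli ACL LIST`), apply the emitted statements, and persist them with `ACL SAVE` when an ACL file is configured so the restriction survives a restart. Note that the check is intentionally conservative: a rule that only removes a single subcommand, such as `-function|load`, is not counted as closing the family, because the remaining subcommands stay callable.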
--- Begin Message ---
Source: valkey
Source-Version: 8.1.4+dfsg1-1
Done: Lucas Kanashiro <[email protected]>
We believe that the bug you reported is fixed in the latest version of
valkey, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Lucas Kanashiro <[email protected]> (supplier of updated valkey package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 23 Oct 2025 21:30:33 -0300
Source: valkey
Architecture: source
Version: 8.1.4+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Lucas Kanashiro <[email protected]>
Changed-By: Lucas Kanashiro <[email protected]>
Closes: 1117687
Changes:
valkey (8.1.4+dfsg1-1) unstable; urgency=medium
.
* New upstream release.
- Fixes CVE-2025-49844, CVE-2025-46817, CVE-2025-46818 and CVE-2025-46819
(Closes: #1117687)
* Update patches.
Remove d/p/CVE-2025-*.patch already applied by upstream
Checksums-Sha1:
615507d105c638abfe2fdfc50ab00fa22e25c88b 2243 valkey_8.1.4+dfsg1-1.dsc
140b9e971885fbd6334a6e7272b8d29491a398ff 2732800 valkey_8.1.4+dfsg1.orig.tar.xz
9563e96bb93c47db4b70e10481f209b63a551e96 17080 valkey_8.1.4+dfsg1-1.debian.tar.xz
Checksums-Sha256:
988dce3d92cd922369d8d933e86a82c602f1d21111b7a48e888d7b56411e8c9d 2243 valkey_8.1.4+dfsg1-1.dsc
736862093c5f21a1f75c22565ebe4fa8aeb1cc162221af5e2fe24b41409c3dec 2732800 valkey_8.1.4+dfsg1.orig.tar.xz
b5bc809ea442dd969940119e740f62cb4670de371f759614220ab5c23a6ffa0c 17080 valkey_8.1.4+dfsg1-1.debian.tar.xz
Files:
1d821e734803a702d9667b548eaf3205 2243 database optional valkey_8.1.4+dfsg1-1.dsc
92063b48c4c079e01137024de6cdb700 2732800 database optional valkey_8.1.4+dfsg1.orig.tar.xz
0bac948db90f418d77f9abac314d2313 17080 database optional valkey_8.1.4+dfsg1-1.debian.tar.xz
--- End Message ---