Your message dated Fri, 08 May 2026 08:15:55 +0000
with message-id <[email protected]>
and subject line Bug#1132206: fixed in redict 7.3.6+ds-2
has caused the Debian Bug report #1132206,
regarding redict: CVE-2025-67733 CVE-2026-21863
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132206: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132206
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: redis
Version: 5:8.0.5-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:redict 7.3.6+ds-1
Control: retitle -2 redict: CVE-2025-67733 CVE-2026-21863
Hi,
The following vulnerabilities were published for redis and redict,
equivalent to the valkey issues.
CVE-2025-67733[0]:
| Valkey is a distributed key-value database. Prior to versions 9.0.2,
| 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting
| commands to inject arbitrary information into the response stream
| for the given client, potentially corrupting or returning tampered
| data to other users on the same connection. The error handling code
| for Lua scripts does not properly handle null characters. Versions
| 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
CVE-2026-21863[1]:
| Valkey is a distributed key-value database. Prior to versions 9.0.2,
| 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the
| Valkey clusterbus port can send an invalid packet that may cause an
| out-of-bounds read, which might result in the system crashing. The
| Valkey clusterbus packet processing code does not validate that a
| clusterbus ping extension packet is located within the buffer of the
| clusterbus packet before attempting to read it. Versions 9.0.2,
| 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation,
| don't expose the cluster bus connection directly to end users, and
| protect the connection with its own network ACLs.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-67733
https://www.cve.org/CVERecord?id=CVE-2025-67733
[1] https://security-tracker.debian.org/tracker/CVE-2026-21863
https://www.cve.org/CVERecord?id=CVE-2026-21863
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
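The missing check described for CVE-2026-21863, shown as an added example. This is not code from Valkey, Redis, Redict or the Debian patch. The extension layout, `validate_extensions` and the sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout, NOT the real clusterbus format: each extension is
 * a 2-byte type, a 2-byte big-endian total length (header included),
 * then the payload. */
#define EXT_HDR_LEN 4u

static size_t rd16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Walk `claimed` extensions starting at ext_off. Returns the count when
 * every extension lies inside buf[0..buflen), or -1 otherwise. */
int validate_extensions(const uint8_t *buf, size_t buflen,
                        size_t ext_off, unsigned claimed)
{
    if (ext_off > buflen) return -1;
    size_t pos = ext_off;
    for (unsigned i = 0; i < claimed; i++) {
        size_t remaining = buflen - pos;        /* pos <= buflen, no underflow */
        if (remaining < EXT_HDR_LEN) return -1; /* header must fit first */
        size_t len = rd16(buf + pos + 2);
        /* Compare against remaining, not pos + len, so nothing can wrap. */
        if (len < EXT_HDR_LEN || len > remaining) return -1;
        pos += len;
    }
    return (int)claimed;
}

/* Constructed sample packets: 8-byte dummy header, then extensions. */
static const uint8_t good_pkt[] = {
    0,0,0,0,0,0,0,0,
    0x00,0x01, 0x00,0x08, 0xAA,0xBB,0xCC,0xDD,  /* type 1, len 8 */
    0x00,0x02, 0x00,0x04                        /* type 2, len 4 */
};
static const uint8_t bad_pkt[] = {
    0,0,0,0,0,0,0,0,
    0x00,0x01, 0x00,0x08, 0xAA,0xBB,0xCC,0xDD,
    0x00,0x02, 0x00,0x40                        /* claims 64 bytes, 4 remain */
};

int main(void)
{
    printf("good: %d\n", validate_extensions(good_pkt, sizeof good_pkt, 8, 2));
    printf("bad:  %d\n", validate_extensions(bad_pkt, sizeof bad_pkt, 8, 2));
    printf("count too high: %d\n", validate_extensions(good_pkt, sizeof good_pkt, 8, 3));
    return 0;
}
```

A parser would run this check before dereferencing any extension, and drop the packet on -1.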
--- Begin Message ---
Source: redict
Source-Version: 7.3.6+ds-2
Done: Maytham Alsudany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
redict, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Maytham Alsudany <[email protected]> (supplier of updated redict package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 07 May 2026 19:10:15 +0800
Source: redict
Architecture: source
Version: 7.3.6+ds-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Redict Maintainers <[email protected]>
Changed-By: Maytham Alsudany <[email protected]>
Closes: 1132206
Changes:
redict (7.3.6+ds-2) unstable; urgency=medium
.
* Add patches to fix CVE-2025-67733 and CVE-2026-21863 (Closes: #1132206)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---