Public bug reported:

[Impact]

Various bugs exist in the current Ubuntu version of Valkey in Noble and
Oracular, including 2 CVEs. They are:

(CVE-2024-46981) Lua script commands may lead to remote code execution.
(CVE-2024-51741) Denial-of-service due to malformed ACL selectors.

The other bugs listed upstream are:

https://github.com/valkey-io/valkey/pull/1213
https://github.com/valkey-io/valkey/pull/1171
https://github.com/valkey-io/valkey/pull/1499

These fixes should be added to the stable release to avoid known
security vulnerabilities.

Ideally, these fixes should be added by updating to 7.2.8, the latest
stable release of 7.x. Upstream takes care to avoid backwards
incompatible changes in this stable release set and matching their
version would best match user expectations.

[Test Plan]

Initial testing should include making sure the DEP-8 tests all pass. This
package includes a large suite of tests that check various runtime
configurations and Redis compatibility.

[Where problems could occur]

As this is a full version backport, backwards-incompatible changes may
arise from the various changes included. I have mitigated this by
checking each individual commit and have noted any minor updates in the
changelog entry.

[Other Info]

Oracular and Noble will differ from Plucky as they will remain on the
7.2.x version track while Plucky is on 8.x.

** Affects: valkey (Ubuntu)
     Importance: Undecided
     Assignee: Lena Voytek (lvoytek)
         Status: In Progress

** Changed in: valkey (Ubuntu)
       Status: New => In Progress

** Changed in: valkey (Ubuntu)
     Assignee: (unassigned) => Lena Voytek (lvoytek)

https://bugs.launchpad.net/bugs/2097546

Title:
   Update Valkey to 7.2.8 in noble and oracular
