[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 4240-1] redis security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4240-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
July 12, 2025                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : redis
Version        : 5:6.0.16-1+deb11u7
CVE IDs        : CVE-2025-32023 CVE-2025-48367
Debian Bugs    : 1108975 1108981

Two issues were discovered in Redis, the key-value database:

* CVE-2025-32023: An authenticated user may have used a
  specially-crafted string to trigger a stack/heap out-of-bounds
  write during hyperloglog operations, potentially leading to a
  remote code execution vulnerability. Installations that used Redis'
  ACL system to restrict hyperloglog HLL commands are unaffected by
  this issue.

* CVE-2025-48367: An unauthenticated connection could have caused
  repeated IP protocol errors, leading to client starvation and
  ultimately become a Denial of Service (DoS) attack.

For Debian 11 bullseye, these problems have been fixed in version
5:6.0.16-1+deb11u7.

We recommend that you upgrade your redis packages.

For the detailed security status of redis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/redis

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmhy1ioACgkQHpU+J9Qx
HlgK0Q/9FfGRaMS75d2vuTUN7vHVW9TKD2c3Pg9Rti0cH6uAZwfFv0K8YKx0mXMm
BzTsU1+dui99M3aG0djbNNXM8szsEtbgEZgj7SNLe+82u6tOMDPiAScjDh1ebSkw
UVMng820KWS2sctQP5utW6vq9FVfX85DIp/HHnz3MO6gQU1tb/MZuSArKwXzyUUa
AgDb5CzPG3H+dxbH696hJYp0JKKWJUM+E8GbfFK/7ICT/n/vuAR42as/pw96h+4r
KMOHXzD1ESdQcsQbj5DOV7DZSITT5Ttk+zlVHVgaQiK0j7LRxCuidcHwH94m/Gfw
z4/bmR7YcljSvKSAvoHWHsAr100u7DK2D76xabzjyamEyQEhfuJ5ssZX8tB7kH83
B5ij2DPRVN2nah00BIHlHor4m/66q0cD6DApEhfTQ6dc/PE2XAd3yJzJxTRXfrOu
K8TTdMTnmK47KuisCbZCdWUDwjpEXGWUcb1jpDAHAqapBY1bmkTxFK2nBEkaWw1x
9sdsVhdY7dHOYnLeq8gdLCQJUmTM43QDJxz6oNVjOuRYTs/qBNhsrFZns05VG+pa
K1iD+z2wnPc7gvOI/vL7LtvQIJADeIBzNlDCI3Y9/nfDLNTAXWcuk/XzB8jw2TCd
+avrrl2H8oXSrCTxo5qH83IhbqTvm56uht/+5XDz1zNdB2ImPfU=
=4CYM
-----END PGP SIGNATURE-----


Reply to: