
[SECURITY] [DSA 6279-1] redis security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6279-1                   security@debian.org
https://www.debian.org/security/                                  Aron Xu
May 17, 2026                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redis
CVE ID         : CVE-2025-67733 CVE-2026-21863
Debian Bug     : 

Two vulnerabilities were discovered in Redis, a persistent key-value
database, which could result in reply injection on a client connection or
in denial of service.

CVE-2025-67733

    A flaw in the Lua scripting error path allowed an authenticated user
    to embed CR/LF byte sequences in an error reply produced via
    redis.error_reply() or the Lua error() function. Because RESP uses
    CRLF as its frame delimiter, a client parsed the injected sequence as
    the end of the error and the start of a further, forged reply. An
    attacker could thereby inject arbitrary content into the response
    stream and tamper with the data returned for other commands on the
    same connection.
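The framing problem described above, as an added illustration that is not part of the advisory or of the Redis code base: a minimal RESP2 reader (written here, not redis-py) splits the reply stream purely on CRLF, so CR/LF inside a script-supplied error message becomes a forged frame boundary and the next command's reply is read from attacker-controlled bytes. The pipelined scenario and the byte strings are constructed; the sanitizer that replaces CR and LF with spaces is one illustrative fix, not necessarily the exact upstream patch.

```python
"""Added illustration of CVE-2025-67733's mechanism (not code from the
advisory or from Redis): a RESP2 client parses replies purely by CRLF
framing, so CR/LF inside an error message becomes a forged frame boundary."""


class RespError(Exception):
    """A RESP '-' simple error, kept as a value so it can be compared."""

    def __init__(self, message: str):
        super().__init__(message)
        self.message = message


def read_replies(stream: bytes) -> list:
    """Minimal RESP2 reader written for this example: splits `stream` into
    the replies a pipelining client would hand back, one per frame."""
    replies, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated frame")
        kind, payload = stream[pos:pos + 1], stream[pos + 1:end]
        pos = end + 2
        if kind == b"+":
            replies.append(payload.decode())
        elif kind == b"-":
            replies.append(RespError(payload.decode()))
        elif kind == b":":
            replies.append(int(payload))
        elif kind == b"$":
            n = int(payload)
            if n < 0:
                replies.append(None)
                continue
            replies.append(bytes(stream[pos:pos + n]))
            pos += n + 2  # skip the bulk bytes plus their trailing CRLF
        else:
            raise ValueError(f"unexpected type byte {kind!r}")
    return replies


def error_reply_unsanitized(message: str) -> bytes:
    """Pre-fix behaviour modelled here: the Lua-supplied message is framed
    as an error verbatim, CR/LF included."""
    return b"-" + message.encode() + b"\r\n"


def error_reply_sanitized(message: str) -> bytes:
    """Hardened framing: CR and LF cannot appear inside a simple error, so
    the message can never close the frame early.  (Illustrative fix, not
    necessarily the exact upstream patch.)"""
    cleaned = message.replace("\r", " ").replace("\n", " ")
    return b"-" + cleaned.encode() + b"\r\n"


# Constructed scenario: two commands pipelined on one connection.  The
# first is an EVAL whose script calls error() with attacker-chosen text;
# the second is GET balance, to which the server truly answers "100".
ATTACKER_MESSAGE = "ERR oops\r\n$1\r\n0"  # forged bulk reply "0" inside the error
TRUE_GET_REPLY = b"$3\r\n100\r\n"


def pipelined_replies(frame_error) -> list:
    """Return what the client reads back for [EVAL ..., GET balance]
    when the server frames the script's error with `frame_error`."""
    return read_replies(frame_error(ATTACKER_MESSAGE) + TRUE_GET_REPLY)


if __name__ == "__main__":
    for name, fn in (("unsanitized", error_reply_unsanitized),
                     ("sanitized", error_reply_sanitized)):
        got = pipelined_replies(fn)
        print(f"{name}: GET balance is read as {got[1]!r}; "
              f"{len(got)} reply(ies) total")
```

With the unsanitized framing the client receives three replies for two commands, so GET balance is answered with the attacker's "0" and the real "100" is left in the buffer to be mis-attributed to whatever command follows. With the sanitized framing the client receives exactly two replies. The same desynchronization applies to any client that shares one connection between a script-running caller and other commands, which is why the issue matters beyond the attacker's own session.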

CVE-2026-21863

    The cluster bus packet validation in clusterProcessPacket() did not
    verify that the gossip-entry count and the per-extension lengths
    declared by an incoming PING, PONG or MEET message actually fit
    within the bytes received. A peer with access to the cluster bus
    port could send a crafted message whose declared lengths exceed the
    packet size, causing the server to read out of bounds and potentially
    crash, resulting in a denial of service.
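The class of check the fix restores, as an added example that is not code from the advisory or from Redis: a receiver for a constructed gossip-style packet whose header declares an entry count and whose trailing extensions each declare their own length. The wire layout, field sizes and sample packets below are invented for illustration and are not the real cluster bus format; what carries over is the rule that every declared count or length is compared against the bytes actually received before anything is read.

```python
"""Added example for the bug class behind CVE-2026-21863 (not code from the
advisory or from Redis): a receiver for a constructed gossip-style packet
that checks every declared count and length against the bytes actually
received before reading them.  The layout here is invented for
illustration and is not the real cluster bus wire format."""

import struct

HEADER = struct.Struct(">IHH")     # totlen, message type, gossip entry count
GOSSIP_LEN = 16                    # fixed-size gossip entry (constructed)
EXT_HEADER = struct.Struct(">HH")  # extension type, extension length (header included)
MSG_PING = 0


def build(gossip_entries, extensions, count=None):
    """Assemble a packet; `count` lets a test declare more entries than it sends."""
    body = b"".join(gossip_entries) + b"".join(
        EXT_HEADER.pack(t, EXT_HEADER.size + len(p)) + p for t, p in extensions)
    declared = len(gossip_entries) if count is None else count
    return HEADER.pack(HEADER.size + len(body), MSG_PING, declared) + body


def parse_unchecked(packet: bytes) -> dict:
    """Trusts the declared sizes.  In C this reads past the receive buffer;
    here struct.unpack_from raises, or a slice silently comes back short."""
    totlen, msg_type, count = HEADER.unpack_from(packet, 0)
    pos, gossip, exts = HEADER.size, [], []
    for _ in range(count):
        gossip.append(struct.unpack_from(f">{GOSSIP_LEN}s", packet, pos)[0])
        pos += GOSSIP_LEN
    while pos < totlen:
        ext_type, ext_len = EXT_HEADER.unpack_from(packet, pos)
        exts.append((ext_type, packet[pos + EXT_HEADER.size:pos + ext_len]))
        pos += ext_len  # ext_len == 0 would spin forever: another DoS
    return {"type": msg_type, "gossip": gossip, "extensions": exts}


def validate(packet: bytes):
    """Return None if every declared size fits inside `packet`, else why not."""
    if len(packet) < HEADER.size:
        return "short header"
    totlen, msg_type, count = HEADER.unpack_from(packet, 0)
    if totlen != len(packet):
        return "totlen does not match received length"
    if msg_type != MSG_PING:
        return "unsupported message type"
    # Divide rather than multiply so the check cannot overflow in a C port.
    if count > (totlen - HEADER.size) // GOSSIP_LEN:
        return f"gossip count {count} exceeds packet"
    pos = HEADER.size + count * GOSSIP_LEN
    while pos < totlen:
        if totlen - pos < EXT_HEADER.size:
            return "truncated extension header"
        _, ext_len = EXT_HEADER.unpack_from(packet, pos)
        if ext_len < EXT_HEADER.size:
            return f"extension length {ext_len} smaller than its header"
        if ext_len > totlen - pos:
            return f"extension length {ext_len} exceeds remaining {totlen - pos}"
        pos += ext_len
    return None


def parse_checked(packet: bytes) -> dict:
    """Validate first; only then walk the packet with the trusting parser."""
    reason = validate(packet)
    if reason is not None:
        raise ValueError(reason)
    return parse_unchecked(packet)


def unchecked_outcome(packet: bytes) -> str:
    """Summarise what the trusting parser does with `packet`."""
    try:
        parsed = parse_unchecked(packet)
    except struct.error as exc:
        return f"read past end: {exc}"
    return f"parsed {len(parsed['gossip'])} gossip, {len(parsed['extensions'])} ext"


# Constructed packets: one well-formed, three whose length fields lie.
GOSSIP = [b"node-a".ljust(GOSSIP_LEN, b"\0"), b"node-b".ljust(GOSSIP_LEN, b"\0")]
GOOD = build(GOSSIP, [(1, b"hostname")])
OVERSIZED_COUNT = build(GOSSIP, [(1, b"hostname")], count=200)


def build_raw_ext(ext_len: int) -> bytes:
    """Like build(), but the single extension declares whatever length we say."""
    body = b"".join(GOSSIP) + EXT_HEADER.pack(1, ext_len) + b"abc"
    return HEADER.pack(HEADER.size + len(body), MSG_PING, len(GOSSIP)) + body


OVERSIZED_EXT = build_raw_ext(500)  # claims 496 payload bytes, carries 3
ZERO_LEN_EXT = build_raw_ext(0)     # never advances: do not feed to parse_unchecked

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("count", OVERSIZED_COUNT), ("ext", OVERSIZED_EXT)):
        print(f"{name}: validate -> {validate(pkt)}; unchecked -> {unchecked_outcome(pkt)}")
```

The trusting parser fails in two different ways on the two malformed packets: an oversized gossip count makes it read past the end (a fault in C, a struct.error here), while an oversized extension length makes it silently accept a truncated payload, which in C means the following bytes are whatever sits beyond the buffer. The validator rejects both before any field is touched, and the lower bound on the extension length closes the zero-length loop as well. Independently of the fix, the cluster bus port (by default the client port plus 10000) should only be reachable from other cluster members.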

For the oldstable distribution (bookworm), these problems have been fixed
in version 5:7.0.15-1~deb12u7.

For the stable distribution (trixie), these problems have been fixed in
version 8.0.2-3+deb13u2.

We recommend that you upgrade your redis packages.

For the detailed security status of redis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/redis

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEExq6D0hxncEPaPayX+GQ1dHE8m64FAmoJitkACgkQ+GQ1dHE8
m67IVQf+NSQGJC3uVfMscqsaU8VglaUVUxrvFLxUQzKJqZ2MoLXGayeB8L8DPSNH
MHim/xPC2B8113ovImO6NPkiLE1k7NOUu1M6ieDoKK5wvZwA57j4QOo49I74kEhA
JcWN6+Ri0cn9rdfMWN5sMMByqS1c4+i6rf/9Iibc1YRpgXg17Gc1ge2fDjxjtF+3
kyWLn9pxobNyrx1XB8l7yZpzfbM42uBUARDyD7rPZ/zfEJaAlauAFgdgr9W1lMUW
R7UZsBV4EFs27+ZJFzjwPNDvMMduiT2EsIt+nmKo7Uuot1rXf9hOY2O8KqZmFY8U
ZKl92oZE20MsKODbMp5+MYiuTGNljw==
=spQm
-----END PGP SIGNATURE-----

