diff --git a/patchinfo.20251126120323268597.93181000773252/_patchinfo b/patchinfo.20251126120323268597.93181000773252/_patchinfo new file mode 100644 index 0000000..92f6cc7 --- /dev/null +++ b/patchinfo.20251126120323268597.93181000773252/_patchinfo 
@@ -0,0 +1,62 @@ + + cve#2025-46817 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46817 + cve#2025-62507 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-62507 + cve#2025-49844 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-49844 + cve#2025-46818 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46818 + VUL-0: CVE-2025-49844,CVE-2025-46817,CVE-2025-46818,CVE-2025-46819: valkey,redis,redis7: multiple LUA issues + VUL-0: CVE-2025-62507: redis,redis7,valkey: XACKDEL - potential stack overflow and RCE + cve#2025-46819 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46819 + ateixeira + critical + security + Security update for redis + This update for redis fixes the following issues: + +- Updated to 8.2.3 (boo#1252996 CVE-2025-62507) + * https://github.com/redis/redis/releases/tag/8.2.3 + - Security fixes + - (CVE-2025-62507) Bug in `XACKDEL` may lead to stack overflow + and potential RCE + - Bug fixes + - `HGETEX`: A missing `numfields` argument when `FIELDS` is + used can lead to Redis crash + - An overflow in `HyperLogLog` with 2GB+ entries may result in + a Redis crash + - Cuckoo filter - Division by zero in Cuckoo filter insertion + - Cuckoo filter - Counter overflow + - Bloom filter - Arbitrary memory read/write with invalid + filter + - Bloom filter - Out-of-bounds access with empty chain + - Top-k - Out-of-bounds access + - Bloom filter - Restore invalid filter [We thank AWS security + for responsibly disclosing the security bug] + +- Updated to 8.2.2 (boo#1250995) + * https://github.com/redis/redis/releases/tag/8.2.2 + * Fixed Lua script may lead to remote code execution (CVE-2025-49844). 
+ * Fixed Lua script may lead to integer overflow (CVE-2025-46817). + * Fixed Lua script can be executed in the context of another user + (CVE-2025-46818). + * Fixed LUA out-of-bound read (CVE-2025-46819). + * Fixed potential crash on Lua script or streams and HFE defrag. + * Fixed potential crash when using ACL rules. + * Added VSIM: new EPSILON argument to specify maximum distance. + * Added SVS-VAMANA: allow use of BUILD_INTEL_SVS_OPT flag. + * Added RESP3 serialization performance. + * Added INFO SEARCH: new SVS-VAMANA metrics. + +- Updated to 8.2.1 + * https://github.com/redis/redis/releases/tag/8.2.1 + - Bug fixes + * #14240 INFO KEYSIZES - potential incorrect histogram updates + on cluster mode with modules + * #14274 Disable Active Defrag during flushing replica + * #14276 XADD or XTRIM can crash the server after loading RDB + * #Q6601 Potential crash when running FLUSHDB (MOD-10681) + * Performance and resource utilization + * Query Engine - LeanVec and LVQ proprietary Intel + optimizations were removed from Redis Open Source + * #Q6621 Fix regression in INFO (MOD-10779) + + redis + diff --git a/redis b/redis index 17306a0..b68befe 160000 --- a/redis +++ b/redis @@ -1 +1 @@ -Subproject commit 17306a0a532803d605ecb04f7a061b7b96020b33029d9c1e328c747dc84f160f +Subproject commit b68befea6b91488a763c0a7fe0a9a825fa4e01006261b48928de69eb9e6c74f2
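Review bot: the new _patchinfo ships the CVE resolver's failure output where the CVE issue summaries belong: five of the added lines read `cve#2025-NNNNN not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-NNNNN` (for CVE-2025-46817, CVE-2025-62507, CVE-2025-49844, CVE-2025-46818 and CVE-2025-46819). These lookups should be re-run once the bugzilla entries resolve, or the summaries filled in by hand to match the two `VUL-0:` lines that follow them, before the update is submitted; as written, the generated advisory text for this `critical` security update would show the 404 error strings instead of the CVE descriptions. The description block itself is consistent with those references (8.2.3 with boo#1252996 / CVE-2025-62507, 8.2.2 with boo#1250995 and the four Lua CVEs), so only the issue entries need correcting.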