2025-11-27 16:48:35 +01:00
2 changed files with 63 additions and 1 deletions
--- a/patchinfo.20251126120323268597.93181000773252/_patchinfo
+++ b/patchinfo.20251126120323268597.93181000773252/_patchinfo
@@ -0,0 +1,62 @@
+<patchinfo>
+  <issue tracker="cve" id="2025-46817">cve#2025-46817 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46817</issue>
+  <issue tracker="cve" id="2025-62507">cve#2025-62507 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-62507</issue>
+  <issue tracker="cve" id="2025-49844">cve#2025-49844 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-49844</issue>
+  <issue tracker="cve" id="2025-46818">cve#2025-46818 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46818</issue>
+  <issue tracker="bnc" id="1250995">VUL-0: CVE-2025-49844,CVE-2025-46817,CVE-2025-46818,CVE-2025-46819: valkey,redis,redis7: multiple LUA issues</issue>
+  <issue tracker="bnc" id="1252996">VUL-0: CVE-2025-62507: redis,redis7,valkey: XACKDEL - potential stack overflow and RCE</issue>
+  <issue tracker="cve" id="2025-46819">cve#2025-46819 not resolved: 404 Client Error: Not Found for url: https://bugzilla.suse.com/api2/issues/?references__name=CVE-2025-46819</issue>
+  <packager>ateixeira</packager>
+  <rating>critical</rating>
+  <category>security</category>
+  <summary>Security update for redis</summary>
+  <description>This update for redis fixes the following issues:
+
+- Updated to 8.2.3 (boo#1252996 CVE-2025-62507)
+  * https://github.com/redis/redis/releases/tag/8.2.3
+  - Security fixes
+    - (CVE-2025-62507) Bug in `XACKDEL` may lead to stack overflow
+      and potential RCE
+  - Bug fixes
+    - `HGETEX`: A missing `numfields` argument when `FIELDS` is
+      used can lead to Redis crash
+    - An overflow in `HyperLogLog` with 2GB+ entries may result in
+      a Redis crash
+    - Cuckoo filter - Division by zero in Cuckoo filter insertion
+    - Cuckoo filter - Counter overflow
+    - Bloom filter - Arbitrary memory read/write with invalid
+      filter
+    - Bloom filter - Out-of-bounds access with empty chain
+    - Top-k - Out-of-bounds access
+    - Bloom filter - Restore invalid filter [We thank AWS security
+      for responsibly disclosing the security bug]
+
+- Updated to 8.2.2 (boo#1250995)
+  * https://github.com/redis/redis/releases/tag/8.2.2
+  * Fixed Lua script may lead to remote code execution (CVE-2025-49844).
+  * Fixed Lua script may lead to integer overflow (CVE-2025-46817).
+  * Fixed Lua script can be executed in the context of another user
+    (CVE-2025-46818).
+  * Fixed LUA out-of-bound read (CVE-2025-46819).
+  * Fixed potential crash on Lua script or streams and HFE defrag.
+  * Fixed potential crash when using ACL rules.
+  * Added VSIM: new EPSILON argument to specify maximum distance.
+  * Added SVS-VAMANA: allow use of BUILD_INTEL_SVS_OPT flag.
+  * Added RESP3 serialization performance.
+  * Added INFO SEARCH: new SVS-VAMANA metrics.
+
+- Updated to 8.2.1
+  * https://github.com/redis/redis/releases/tag/8.2.1
+  - Bug fixes
+    * #14240 INFO KEYSIZES - potential incorrect histogram updates
+      on cluster mode with modules
+    * #14274 Disable Active Defrag during flushing replica
+    * #14276 XADD or XTRIM can crash the server after loading RDB
+    * #Q6601 Potential crash when running FLUSHDB (MOD-10681)
+  * Performance and resource utilization
+    * Query Engine - LeanVec and LVQ proprietary Intel
+      optimizations were removed from Redis Open Source
+    * #Q6621 Fix regression in INFO (MOD-10779)
+</description>
+  <package>redis</package>
+</patchinfo>
--- a/2
+++ b/2