  • Bug#1108978: valkey: CVE-2025-32023

    From Salvatore Bonaccorso@21:1/5 to All on Tue Jul 8 21:50:01 2025
    Source: valkey
    Version: 8.1.1+dfsg1-2
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    Forwarded: https://github.com/valkey-io/valkey/pull/2314
    X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

    Hi,

    The following vulnerability was published for valkey.

    CVE-2025-32023[0]:
    | Redis is an open source, in-memory database that persists on disk.
    | From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an
    | authenticated user may use a specially crafted string to trigger a
    | stack/heap out of bounds write on hyperloglog operations,
    | potentially leading to remote code execution. The bug likely affects
    | all Redis versions with hyperloglog operations implemented. This
    | vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An
    | additional workaround to mitigate the problem without patching the
    | redis-server executable is to prevent users from executing
    | hyperloglog operations. This can be done using ACL to restrict HLL
    | commands.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-32023
    https://www.cve.org/CVERecord?id=CVE-2025-32023
    [1] https://github.com/valkey-io/valkey/pull/2314
    [2] https://github.com/redis/redis/security/advisories/GHSA-rp2m-q4j6-gr43
    [3] https://github.com/valkey-io/valkey/commit/20f5199d96baf0c64bd4e7d042b6274c4e773bcb

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
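
The workaround quoted in the CVE text (restricting HLL commands through ACLs) only helps if no later rule lets those commands back in. The following is an added example, not part of the bug report or of valkey: it walks ACL rules left to right and reports which users can still run HyperLogLog commands. The category membership table, the sample users and the function names are assumptions; selectors and on/off state are not modelled.

```python
# Added example (not from the bug report). Category membership is an assumption
# taken from the Redis command reference; verify it against your server version.
HLL_COMMANDS = {
    "pfadd": {"write", "hyperloglog", "fast"},
    "pfcount": {"read", "hyperloglog", "slow"},
    "pfmerge": {"write", "hyperloglog", "slow"},
    "pfdebug": {"write", "hyperloglog", "admin", "slow", "dangerous"},
    "pfselftest": {"hyperloglog", "admin", "slow", "dangerous"},
}

# Constructed sample in the shape of ACL LIST output; users and hashes are made up.
SAMPLE = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<sha256> ~app:* resetchannels +@all -@hyperloglog",
    "user metrics on #<sha256> ~stats:* resetchannels -@all +@read +ping",
    "user batch on #<sha256> ~* resetchannels +@all -@dangerous",
]

def allowed_hll(rules):
    """Apply command rules in order; return the HLL commands left allowed."""
    allowed = set()
    for token in rules:
        r = token.lower()
        if r.startswith("("):
            raise ValueError("selectors are not modelled in this example")
        if r in ("allcommands", "+@all"):
            allowed = set(HLL_COMMANDS)
        elif r in ("nocommands", "-@all"):
            allowed = set()
        elif r[:2] in ("+@", "-@"):
            hit = {c for c, cats in HLL_COMMANDS.items() if r[2:] in cats}
            allowed = allowed | hit if r[0] == "+" else allowed - hit
        elif r[0] in "+-":
            name, _, sub = r[1:].partition("|")
            if name in HLL_COMMANDS:
                if r[0] == "+":
                    allowed.add(name)      # "+cmd|arg" counted as allowed (conservative)
                elif not sub:
                    allowed.discard(name)  # "-cmd|arg" does not block the whole command
    return allowed

def audit(lines):
    """Map user name -> sorted HLL commands that user may still execute."""
    findings = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user":
            hll = allowed_hll(parts[2:])
            if hll:
                findings[parts[1]] = sorted(hll)
    return findings
```

In the constructed sample, `metrics` never names a HyperLogLog rule yet keeps `pfcount` through `+@read`, which is the case an explicit `-@hyperloglog` placed last would close.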