Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

openSUSE-SU-2025-20121-1

Опубликовано: 27 нояб. 2025
Источник: suse-cvrf

Описание

Security update for redis

This update for redis fixes the following issues:

  • Updated to 8.2.3 (boo#1252996 CVE-2025-62507)

    • Security fixes
      • (CVE-2025-62507) Bug in XACKDEL may lead to stack overflow and potential RCE
    • Bug fixes
      • HGETEX: A missing numfields argument when FIELDS is used can lead to Redis crash
      • An overflow in HyperLogLog with 2GB+ entries may result in a Redis crash
      • Cuckoo filter - Division by zero in Cuckoo filter insertion
      • Cuckoo filter - Counter overflow
      • Bloom filter - Arbitrary memory read/write with invalid filter
      • Bloom filter - Out-of-bounds access with empty chain
      • Top-k - Out-of-bounds access
      • Bloom filter - Restore invalid filter [We thank AWS security for responsibly disclosing the security bug]

  • Updated to 8.2.2 (boo#1250995)

    • https://github.com/redis/redis/releases/tag/8.2.2
    • Fixed Lua script may lead to remote code execution (CVE-2025-49844).
    • Fixed Lua script may lead to integer overflow (CVE-2025-46817).
    • Fixed Lua script can be executed in the context of another user (CVE-2025-46818).
    • Fixed LUA out-of-bound read (CVE-2025-46819).
    • Fixed potential crash on Lua script or streams and HFE defrag.
    • Fixed potential crash when using ACL rules.
    • Added VSIM: new EPSILON argument to specify maximum distance.
    • Added SVS-VAMANA: allow use of BUILD_INTEL_SVS_OPT flag.
    • Added RESP3 serialization performance.
    • Added INFO SEARCH: new SVS-VAMANA metrics.

  • Updated to 8.2.1

    • Bug fixes
      • #14240 INFO KEYSIZES - potential incorrect histogram updates on cluster mode with modules
      • #14274 Disable Active Defrag during flushing replica
      • #14276 XADD or XTRIM can crash the server after loading RDB
      • #Q6601 Potential crash when running FLUSHDB (MOD-10681)
    • Performance and resource utilization
      • Query Engine - LeanVec and LVQ proprietary Intel optimizations were removed from Redis Open Source
      • #Q6621 Fix regression in INFO (MOD-10779)

Список пакетов

openSUSE Leap 16.0
redis-8.2.0-bp160.1.3

Ссылки

Описание

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.

Затронутые продукты
openSUSE Leap 16.0:redis-8.2.0-bp160.1.3
Ссылки

Описание

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.

Затронутые продукты
openSUSE Leap 16.0:redis-8.2.0-bp160.1.3
Ссылки

Описание

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.

Затронутые продукты
openSUSE Leap 16.0:redis-8.2.0-bp160.1.3
Ссылки

Описание

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Затронутые продукты
openSUSE Leap 16.0:redis-8.2.0-bp160.1.3
Ссылки

Описание

Redis is an open source, in-memory database that persists on disk. In versions 8.2.0 and above, a user can run the XACKDEL command with multiple ID's and trigger a stack buffer overflow, which may potentially lead to remote code execution. This issue is fixed in version 8.2.3. To workaround this issue without patching the redis-server executable is to prevent users from executing XACKDEL operation. This can be done using ACL to restrict XACKDEL command.

Затронутые продукты
openSUSE Leap 16.0:redis-8.2.0-bp160.1.3
Ссылки
Уязвимость openSUSE-SU-2025-20121-1