Hi Peter, hi Lucas,

On Sun, Mar 29, 2026 at 12:45:18PM +0200, Peter Wienemann wrote:
> Hi Salvatore, hi Lucas,
> 
> On 2026-03-21 18:26:15, Peter Wienemann wrote:
> > Hi Lucas, hi Salvatore,
> > 
> > On 2026-03-15 21:01:46, Salvatore Bonaccorso wrote:
> > > The following vulnerabilities were published for valkey.
> > > 
> > > CVE-2025-67733[0]:
> > > | Valkey is a distributed key-value database. Prior to versions 9.0.2,
> > > | 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting
> > > | commands to inject arbitrary information into the response stream
> > > | for the given client, potentially corrupting or returning tampered
> > > | data to other users on the same connection. The error handling code
> > > | for lua scripts does not properly handle null characters. Versions
> > > | 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
> > > 
> > > CVE-2026-21863[1]:
> > > | Valkey is a distributed key-value database. Prior to versions 9.0.2,
> > > | 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the
> > > | Valkey clusterbus port can send an invalid packet that may cause an
> > > | out bound read, which might result in the system crashing. The
> > > | Valkey clusterbus packet processing code does not validate that a
> > > | clusterbus ping extension packet is located within buffer of the
> > > | clusterbus packet before attempting to read it. Versions 9.0.2,
> > > | 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation,
> > > | don't expose the cluster bus connection directly to end users, and
> > > | protect the connection with its own network ACLs.
> > 
> > what are your plans concerning the above vulnerabilities?
> > 
> > If you need a helping hand, I can prepare a debdiff for trixie.
> 
> I went ahead and prepared a debdiff assuming you have a fix via
> trixie-security in mind. Just let me know if you prefer to go via trixie-pu.
> 
> Lucas, feel free to intervene if you prefer to take care of it yourself.
> 
> The upstream patch for CVE-2026-21863 had to be backported. The difference
> between the backport and the upstream version is due to this change
> introduced by version 8.1.2:
> 
> https://github.com/valkey-io/valkey/commit/0a3186ae1e338701ae1201c8dc08e4a463a5b647
> 
> So the difference is only in the neighbouring code.
> 
> I checked that the CVE-2025-67733 exploit in [0] worked prior to the fix
> and that it stopped working after applying the attached changes.
> 
> Lucas, I prepared a debian/trixie branch which contains the
> 8.1.1+dfsg1-3+deb13u1 changes introduced by Moritz some time ago and the
> changes included in the attached debdiff. If you want me to push it to
> salsa, just let me know.

The CVE could be in scope for a DSA. Ideally we would want to not see
an update missing in unstable, so we were basically waiting for Lucas
to see if unstable gets fixed first (fwiw, I have filed now as well
bugs for redis and redict, they should be affected equally, but
correct me if you think I was wrong).

I have added valkey to our dsa-needed list and we will come back to
you after a review.

Regards,
Salvatore
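As an added illustration of the check CVE-2026-21863 describes (a ping extension must lie within the cluster bus packet buffer before it is read), the following is example code written for this thread, not Valkey's own; the extension layout (type, reserved byte, big-endian 16-bit total length) is a constructed assumption, not Valkey's wire format.

```c
/* Example, not Valkey's code: each extension is assumed to carry a 4-byte
 * header [u8 type][u8 reserved][u16 len, big-endian], where len counts the
 * header itself, and extensions follow each other until the packet ends. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EXT_HDR_LEN 4

/* Walk the extension list starting at ext_off. Returns the number of
 * well-formed extensions, or -1 if any header or body would be read from
 * outside [pkt, pkt + pkt_len). */
int validate_extensions(const uint8_t *pkt, size_t pkt_len, size_t ext_off)
{
    int count = 0;
    size_t off = ext_off;

    if (ext_off > pkt_len) return -1;
    while (off < pkt_len) {
        /* The 4-byte header must fit before len is read from it. */
        if (pkt_len - off < EXT_HDR_LEN) return -1;
        uint16_t len = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
        /* len must cover its own header (no zero-length loops) and must
         * not reach past the packet; pkt_len - off cannot underflow here. */
        if (len < EXT_HDR_LEN || len > pkt_len - off) return -1;
        off += len;
        count++;
    }
    return count;
}

/* Constructed sample packets: 2 fixed header bytes, then extensions. */
static const uint8_t GOOD_PKT[] = { 0xAA, 0xBB,
    0x01, 0x00, 0x00, 0x06, 'h', 'i',     /* ext type 1, len 6 */
    0x02, 0x00, 0x00, 0x04 };             /* ext type 2, len 4, empty body */
static const uint8_t OVERLONG_PKT[] = { 0xAA, 0xBB,
    0x01, 0x00, 0x00, 0x20, 'h', 'i' };   /* claims 32 bytes, only 6 remain */
static const uint8_t ZERO_LEN_PKT[] = { 0xAA, 0xBB,
    0x01, 0x00, 0x00, 0x00 };             /* len 0 would never advance */
static const uint8_t TRUNCATED_PKT[] = { 0xAA, 0xBB, 0x01, 0x00, 0x00 };

int main(void)
{
    printf("good: %d\n", validate_extensions(GOOD_PKT, sizeof GOOD_PKT, 2));
    printf("overlong: %d\n", validate_extensions(OVERLONG_PKT, sizeof OVERLONG_PKT, 2));
    printf("zero-len: %d\n", validate_extensions(ZERO_LEN_PKT, sizeof ZERO_LEN_PKT, 2));
    printf("truncated: %d\n", validate_extensions(TRUNCATED_PKT, sizeof TRUNCATED_PKT, 2));
    return 0;
}
```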
