Hi, On Sun, Mar 29, 2026 at 3:35 PM Salvatore Bonaccorso <[email protected]> wrote:
> Hi Peter, hi Lucas, > > On Sun, Mar 29, 2026 at 12:45:18PM +0200, Peter Wienemann wrote: > > Hi Salvatore, hi Lucas, > > > > On 2026-03-21 18:26:15, Peter Wienemann wrote: > > > Hi Lucas, hi Salvatore, > > > > > > On 2026-03-15 21:01:46, Salvatore Bonaccorso wrote: > > > > The following vulnerabilities were published for valkey. > > > > > > > > CVE-2025-67733[0]: > > > > | Valkey is a distributed key-value database. Prior to versions > 9.0.2, > > > > | 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting > > > > | commands to inject arbitrary information into the response stream > > > > | for the given client, potentially corrupting or returning tampered > > > > | data to other users on the same connection. The error handling code > > > > | for lua scripts does not properly handle null characters. Versions > > > > | 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. > > > > > > > > > > > > CVE-2026-21863[1]: > > > > | Valkey is a distributed key-value database. Prior to versions > 9.0.2, > > > > | 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the > > > > | Valkey clusterbus port can send an invalid packet that may cause an > > > > | out bound read, which might result in the system crashing. The > > > > | Valkey clusterbus packet processing code does not validate that a > > > > | clusterbus ping extension packet is located within buffer of the > > > > | clusterbus packet before attempting to read it. Versions 9.0.2, > > > > | 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional > mitigation, > > > > | don't expose the cluster bus connection directly to end users, and > > > > | protect the connection with its own network ACLs. > > > > > > what are your plans concerning the above vulnerabilities? > > > > > > If you need a helping hand, I can prepare a debdiff for trixie. > > > > I went ahead and prepared a debdiff assuming you have a fix via > > trixie-security in mind. Just let me know if you prefer to go via > trixie-pu. > > > > Lucas, feel free to intervene if you prefer to take care of it yourself. > > > > The upstream patch for CVE-2026-21863 had to be backported. The > difference > > between the backport and the upstream version is due to this change > > introduced by version 8.1.2: > > > > > https://github.com/valkey-io/valkey/commit/0a3186ae1e338701ae1201c8dc08e4a463a5b647 > > > > So the difference is only in the neighbouring code. > > > > I checked that the CVE-2025-67733 exploit in [0] worked prior to the fix > > and that it stopped working after applying the attached changes. > > > > Lucas, I prepared a debian/trixie branch which contains the > > 8.1.1+dfsg1-3+deb13u1 changes introduced by Moritz some time ago and the > > changes included in the attached debdiff. If you want me to push it to > > salsa, just let me know. > > The CVE could be in scope for a DSA. Ideally we would want to not see > an update missing in unstable, so we were basically waiting for Lucas > to see if unstable gets fixed first (fwiw, I have filled now as well > bugs for redis and redict, they should be affected equally, but > correct me if you think I was wrong). > > I have added valkey to our dsa-needed list and we will come back to > you after a review. Sorry for the delay! I was trying to move to version 9.x in Debian unstable to fix this issue but I haven't had the time to properly finish the update and test everything properly. Maybe I should just backport the patch to fix this issue instead of waiting for 9.x. Peter, Thanks for the patch anyway, I will review it and try to use it also in unstable to unblock this security update. Since you seem to care enough about valkey, I am also welcoming co-maintainers to help with it :) Cheers! Lucas Kanashiro
