Hi Lucas,

On Mon, Mar 30, 2026 at 09:13:53AM -0300, Lucas Kanashiro wrote:
> Hi,
>
> On Sun, Mar 29, 2026 at 3:35 PM Salvatore Bonaccorso <[email protected]> wrote:
>
> > Hi Peter, hi Lucas,
> >
> > On Sun, Mar 29, 2026 at 12:45:18PM +0200, Peter Wienemann wrote:
> > > Hi Salvatore, hi Lucas,
> > >
> > > On 2026-03-21 18:26:15, Peter Wienemann wrote:
> > > > Hi Lucas, hi Salvatore,
> > > >
> > > > On 2026-03-15 21:01:46, Salvatore Bonaccorso wrote:
> > > > > The following vulnerabilities were published for valkey.
> > > > >
> > > > > CVE-2025-67733[0]:
> > > > > | Valkey is a distributed key-value database. Prior to versions 9.0.2,
> > > > > | 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting
> > > > > | commands to inject arbitrary information into the response stream
> > > > > | for the given client, potentially corrupting or returning tampered
> > > > > | data to other users on the same connection. The error handling code
> > > > > | for lua scripts does not properly handle null characters. Versions
> > > > > | 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
> > > > >
> > > > > CVE-2026-21863[1]:
> > > > > | Valkey is a distributed key-value database. Prior to versions 9.0.2,
> > > > > | 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the
> > > > > | Valkey clusterbus port can send an invalid packet that may cause an
> > > > > | out-of-bounds read, which might result in the system crashing. The
> > > > > | Valkey clusterbus packet processing code does not validate that a
> > > > > | clusterbus ping extension packet is located within buffer of the
> > > > > | clusterbus packet before attempting to read it. Versions 9.0.2,
> > > > > | 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation,
> > > > > | don't expose the cluster bus connection directly to end users, and
> > > > > | protect the connection with its own network ACLs.
> > > >
> > > > what are your plans concerning the above vulnerabilities?
> > > >
> > > > If you need a helping hand, I can prepare a debdiff for trixie.
> > >
> > > I went ahead and prepared a debdiff assuming you have a fix via
> > > trixie-security in mind. Just let me know if you prefer to go via
> > > trixie-pu.
> > >
> > > Lucas, feel free to intervene if you prefer to take care of it yourself.
> > >
> > > The upstream patch for CVE-2026-21863 had to be backported. The difference
> > > between the backport and the upstream version is due to this change
> > > introduced by version 8.1.2:
> > >
> > > https://github.com/valkey-io/valkey/commit/0a3186ae1e338701ae1201c8dc08e4a463a5b647
> > >
> > > So the difference is only in the neighbouring code.
> > >
> > > I checked that the CVE-2025-67733 exploit in [0] worked prior to the fix
> > > and that it stopped working after applying the attached changes.
> > >
> > > Lucas, I prepared a debian/trixie branch which contains the
> > > 8.1.1+dfsg1-3+deb13u1 changes introduced by Moritz some time ago and the
> > > changes included in the attached debdiff. If you want me to push it to
> > > salsa, just let me know.
> >
> > The CVE could be in scope for a DSA. Ideally we would want to not see
> > an update missing in unstable, so we were basically waiting for Lucas
> > to see if unstable gets fixed first (fwiw, I have filed now as well
> > bugs for redis and redict, they should be affected equally, but
> > correct me if you think I was wrong).
> >
> > I have added valkey to our dsa-needed list and we will come back to
> > you after a review.
>
> Sorry for the delay!
>
> I was trying to move to version 9.x in Debian unstable to fix this issue
> but I haven't had the time to properly finish the update and test
> everything properly. Maybe I should just backport the patch to fix this
> issue instead of waiting for 9.x.

I have seen the unstable upload, thanks a lot!

The changes from Peter as suggested for trixie-security look good to me;
before giving the go-ahead for upload to security-master, if you can
double-check/review that would be great.

Regards,
Salvatore
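The CVE-2026-21863 description quoted in the thread says the bug was a missing check that a ping extension record actually lies within the buffer of the cluster bus packet before it is read. The C below is an added illustration of that class of bounds check; it is not Valkey's code, not the backported patch, and the record layout (a 4-byte big-endian count followed by `[2-byte type][4-byte length][data]` records) is an assumption chosen for the example, not the real cluster bus wire format. The functions `validate_extensions`, `check_good`, `check_bad_body` and `check_bad_header` and the sample packets are all constructed here.

```c
/* Added example, not Valkey code: validate length-prefixed extension
 * records against the packet buffer before any of them is read.
 * Record layout below is an illustrative assumption. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed layout: [4-byte BE count] then records of
 * [2-byte type][4-byte BE length][length bytes of data]. */
#define EXT_HDR_LEN 6u

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the records starting at offset `off` of a `buflen`-byte packet.
 * Returns the number of well-formed records, or -1 as soon as a record
 * header or body would extend past the end of the buffer.  Every read is
 * preceded by a "does this fit" test written as `remaining < needed`
 * (a subtraction against the bytes left), so an attacker-supplied length
 * cannot wrap `off + len` around and defeat the check. */
int validate_extensions(const uint8_t *buf, size_t buflen, size_t off) {
    if (off > buflen || buflen - off < 4) return -1;
    uint32_t count = rd32(buf + off);
    off += 4;
    int seen = 0;
    for (uint32_t i = 0; i < count; i++) {
        /* the fixed header must fit before the length field is read */
        if (buflen - off < EXT_HDR_LEN) return -1;
        uint32_t len = rd32(buf + off + 2);
        off += EXT_HDR_LEN;
        /* the body must fit before anyone dereferences it */
        if (buflen - off < len) return -1;
        off += len;
        seen++;
    }
    return seen;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_pkt[] = {
    0x00, 0x00, 0x00, 0x02,                         /* two records        */
    0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c', /* type 1, len 3   */
    0x00, 0x02, 0x00, 0x00, 0x00, 0x00              /* type 2, len 0      */
};
/* Second record claims 10 bytes of data but the packet ends after the header. */
static const uint8_t bad_body_pkt[] = {
    0x00, 0x00, 0x00, 0x02,
    0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c',
    0x00, 0x02, 0x00, 0x00, 0x00, 0x0A
};
/* Count says two records but the buffer is truncated after the first. */
static const uint8_t bad_header_pkt[] = {
    0x00, 0x00, 0x00, 0x02,
    0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'
};

int check_good(void)       { return validate_extensions(good_pkt, sizeof(good_pkt), 0); }
int check_bad_body(void)   { return validate_extensions(bad_body_pkt, sizeof(bad_body_pkt), 0); }
int check_bad_header(void) { return validate_extensions(bad_header_pkt, sizeof(bad_header_pkt), 0); }

int main(void) {
    printf("good: %d records\n", check_good());          /* 2  */
    printf("truncated body: %d\n", check_bad_body());    /* -1 */
    printf("truncated header: %d\n", check_bad_header()); /* -1 */
    return 0;
}
```

The validator rejects a malformed packet before any record body is touched, which is the property a parser needs to avoid the out-of-bounds read the advisory describes; the network-ACL mitigation quoted in the thread reduces who can reach the cluster bus port at all, and the two measures are complementary.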

