** Description changed:

+ [Impact]
+
+ Various bugs exist in the current Ubuntu version of Valkey in Noble and
+ Oracular, including 3 CVEs. They are
+
+ (CVE-2024-31449) Lua library commands may lead to stack overflow and potential RCE.
+ (CVE-2024-31227) Potential Denial-of-service due to malformed ACL selectors.
+ (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern matching.
+
+ The other bugs listed upstream are:
+
+ https://github.com/valkey-io/valkey/pull/1001
+ https://github.com/valkey-io/valkey/pull/965
+ https://github.com/valkey-io/valkey/pull/608
+ https://github.com/valkey-io/valkey/pull/526
+ https://github.com/valkey-io/valkey/issues/784
+ https://github.com/valkey-io/valkey/issues/619
+ https://github.com/valkey-io/valkey/pull/634
+ https://github.com/valkey-io/valkey/pull/461
+ https://github.com/valkey-io/valkey/issues/719
+
+ These fixes should be added to the stable release to avoid known
+ security vulnerabilities.
+
+ Ideally, these fixes should be added by updating to 7.2.7, the latest
+ stable release of 7.x. Upstream takes care to avoid backwards
+ incompatible changes in this stable release set and matching their
+ version would best match user expectations.
+
+ [Test Plan]
+
+ Initial testing should include making sure dep-8 tests all pass. This
+ package includes a large suite of tests that check various runtime
+ configurations and redis compatibility.
+
+ The fix for CVE-2024-31449 can also be tested with:
+
+ $ sudo apt install valkey-server lua5.4
+ $ valkey-cli eval "return bit.tohex(65535, -2147483648)" 0
+
+ Before the fix, the following prints:
+ Error: Server closed the connection
+
+ After, it returns:
+ "0000FFFF"
+
+ [Where problems could occur]
+
+ As this is a full version backport, backwards-incompatible changes may
+ arise from the various changes included. I have mitigated this by
+ checking each individual commit and have noted any minor updates in the
+ changelog entry.
+
+ [Other Info]
+
+ Oracular and Noble will differ from Plucky as they will remain on the 7.2.x version track while plucky is on 8.x.
+
+ [Original Description]
+
  Valkey should be updated from 7.2.5 to 7.2.7 in noble to fix the following security issues and other bugs:
-
  (CVE-2024-31449) Lua library commands may lead to stack overflow and potential RCE.
  (CVE-2024-31227) Potential Denial-of-service due to malformed ACL selectors.
  (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern matching.

  https://github.com/valkey-io/valkey/pull/1001
  https://github.com/valkey-io/valkey/pull/965
  https://github.com/valkey-io/valkey/pull/608
  https://github.com/valkey-io/valkey/pull/526
  https://github.com/valkey-io/valkey/issues/784
  https://github.com/valkey-io/valkey/issues/619
  https://github.com/valkey-io/valkey/pull/634
  https://github.com/valkey-io/valkey/pull/461
  https://github.com/valkey-io/valkey/issues/719
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2091129

Title:
  Update Valkey to 7.2.7 in noble and oracular

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/valkey/+bug/2091129/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs