This bug was fixed in the package valkey - 9.0.3-0ubuntu1
---------------
valkey (9.0.3-0ubuntu1) resolute; urgency=medium

  * New upstream version 9.0.3 (LP: #2142590)
    - Security fixes:
      + CVE-2025-67733: RESP Protocol Injection via Lua error_reply.
      + CVE-2026-21863: Remote DoS with malformed Valkey Cluster bus message.
      + CVE-2026-27623: Reset request type after handling empty requests.
    - Bug fixes:
      + Avoid crash during MODULE UNLOAD when ACL rules reference a module
        command and subcommand.
      + Fix server assert on ACL LOAD when current user loses permission to
        channels.
      + Fix bug causing no response flush sometimes when IO threads are busy.

 -- Lena Voytek <[email protected]>  Tue, 24 Feb 2026 08:20:13 -0500

** Changed in: valkey (Ubuntu Resolute)
Status: In Progress => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2025-67733
** CVE added: https://cve.org/CVERecord?id=CVE-2026-21863
** CVE added: https://cve.org/CVERecord?id=CVE-2026-27623
--
https://bugs.launchpad.net/bugs/2142590
Title:
Update Valkey to 7.2.12 in noble, 8.1.6 in questing, and 9.0.3 in resolute