Public bug reported:

[Impact]

The most recent upstream versions for all supported upstream releases of
Valkey contain fixes for 3 CVEs:

(CVE-2026-23479) Use-After-Free in unblock client flow
(CVE-2026-25243) Invalid Memory Access in RESTORE command
(CVE-2026-23631) Use-after-free when full sync occurs during a yielding 
Lua/function execution

These fixes should be added to the stable releases to avoid known
security vulnerabilities.

Ideally, these fixes should be added by updating to 7.2.13, the latest
stable release of 7.x, 8.1.7 as the latest of 8.1.x, and 9.0.4 as the
latest of 9.0.x. Upstream takes care to avoid backwards incompatible
changes in this stable release set and matching their version would best
match user expectations.

Note that valkey is supported in main in resolute, so the security team
might release the fixes first there.

[Test Plan]

Initial testing should include making sure the DEP-8 tests all pass. This
package includes a large suite of tests that check various runtime
configurations and Redis compatibility.

[Where problems could occur]

Problems would most likely occur due to backwards-incompatible changes
brought in by one of the 3 CVE fixes, likely through memory management
changes or Lua stack updates.

[Other Info]

This release should be sent to both -updates and -security to provide
all relevant users with the fixes.

Previous Backports:
(LP: #2097546)
(LP: #2091129)
(LP: #2115258)
(LP: #2127122)

** Affects: valkey (Ubuntu)
     Importance: Undecided
     Assignee: Lena Voytek (lvoytek)
         Status: In Progress

** Affects: valkey (Ubuntu Noble)
     Importance: Undecided
     Assignee: Lena Voytek (lvoytek)
         Status: New

** Affects: valkey (Ubuntu Questing)
     Importance: Undecided
     Assignee: Lena Voytek (lvoytek)
         Status: New

** Affects: valkey (Ubuntu Resolute)
     Importance: Undecided
     Assignee: Lena Voytek (lvoytek)
         Status: New

** Affects: valkey (Ubuntu Stonking)
     Importance: Undecided
     Assignee: Lena Voytek (lvoytek)
         Status: In Progress


** Tags: server-todo

** Also affects: valkey (Ubuntu Resolute)
   Importance: Undecided
       Status: New

** Also affects: valkey (Ubuntu Stonking)
   Importance: Undecided
     Assignee: Lena Voytek (lvoytek)
       Status: New

** Also affects: valkey (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: valkey (Ubuntu Questing)
   Importance: Undecided
       Status: New

** Changed in: valkey (Ubuntu Noble)
     Assignee: (unassigned) => Lena Voytek (lvoytek)

** Changed in: valkey (Ubuntu Questing)
     Assignee: (unassigned) => Lena Voytek (lvoytek)

** Changed in: valkey (Ubuntu Resolute)
     Assignee: (unassigned) => Lena Voytek (lvoytek)

** Tags added: server-todo

** Changed in: valkey (Ubuntu Stonking)
       Status: New => In Progress

https://bugs.launchpad.net/bugs/2151296

Title:
  Update Valkey to 7.2.13 in noble, 8.1.7 in questing, and 9.0.4 in
  resolute and stonking
