Your message dated Mon, 28 Apr 2025 21:20:51 +0000
with message-id <e1u9vuf-004psm...@fasolo.debian.org>
and subject line Bug#1104012: fixed in valkey 8.1.1+dfsg1-1
has caused the Debian Bug report #1104012,
regarding valkey: CVE-2025-21605
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1104012: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104012
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: valkey
Version: 8.0.2+dfsg1-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/valkey-io/valkey/pull/1994
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for valkey.
CVE-2025-21605[0]:
| Redis is an open source, in-memory database that persists on disk.
| In versions starting at 2.6 and prior to 7.4.3, an unauthenticated
| client can cause unlimited growth of output buffers, until the
| server runs out of memory or is killed. By default, the Redis
| configuration does not limit the output buffer of normal clients
| (see client-output-buffer-limit). Therefore, the output buffer can
| grow unlimitedly over time. As a result, the service is exhausted
| and the memory is unavailable. When password authentication is
| enabled on the Redis server, but no password is provided, the client
| can still cause the output buffer to grow from "NOAUTH" responses
| until the system runs out of memory. This issue has been patched
| in version 7.4.3. An additional workaround to mitigate this problem
| without patching the redis-server executable is to block access to
| prevent unauthenticated users from connecting to Redis. This can be
| done in different ways. Either using network access control tools
| like firewalls, iptables, security groups, etc, or enabling TLS and
| requiring users to authenticate using client side certificates.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-21605
https://www.cve.org/CVERecord?id=CVE-2025-21605
[1] https://github.com/valkey-io/valkey/pull/1994
[2]
https://github.com/valkey-io/valkey/commit/fff628e0f52df0c59eb8543e96de9ef27fa9c2fc
Regards,
Salvatore
--- End Message ---
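The advisory quoted above names two preconditions for CVE-2025-21605 and two workarounds: the shipped default `client-output-buffer-limit normal 0 0 0` leaves the output buffer of normal clients unbounded, and the buffer can be filled by an unauthenticated client even when `requirepass` is set, because every rejected command is still answered with a NOAUTH reply; the mitigations are either bounding the buffer (or upgrading) and keeping unauthenticated clients off the socket by network access control or by TLS with client certificates. The following script is an added example, not part of the bug report, the CVE record or the Valkey project's own tooling: it audits a valkey.conf/redis.conf fragment for those conditions. The directive names and the per-class default limits are upstream's; the two configuration fragments are constructed for the example, and the checker goes slightly beyond the text by parsing memory-unit suffixes and the replica/pubsub classes as well.

```python
"""Audit a valkey.conf / redis.conf body for the CVE-2025-21605 preconditions.

Added example (not from the Debian bug report or from Valkey/Redis). It
reports (1) an unbounded output-buffer limit for the "normal" client class
and (2) a listener that unauthenticated remote clients can reach, which is
what the advisory's workaround (firewalling or TLS client-certificate
authentication) is meant to close off. A password alone does not help:
the server keeps answering NOAUTH, and those replies fill the buffer.
"""
import re

# Upstream defaults per client class: (hard limit, soft limit, soft seconds).
# 0 means "no limit" for that field; "normal" ships unbounded.
DEFAULT_LIMITS = {
    "normal": (0, 0, 0),
    "replica": (256 * 1024 ** 2, 64 * 1024 ** 2, 60),
    "pubsub": (32 * 1024 ** 2, 8 * 1024 ** 2, 60),
}

# Redis memory literals: k/m/g are powers of 1000, kb/mb/gb are powers of 1024.
_UNITS = {"": 1, "b": 1, "k": 1000, "kb": 1024, "m": 1000 ** 2,
          "mb": 1024 ** 2, "g": 1000 ** 3, "gb": 1024 ** 3}


def parse_memory(token: str) -> int:
    """Convert a literal such as 256mb, 64k or 0 into a byte count."""
    m = re.fullmatch(r"(\d+)([a-z]*)", token.lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"bad memory literal: {token!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_conf(text: str) -> dict:
    """Collect the directives this audit cares about; unset ones keep upstream defaults."""
    limits = dict(DEFAULT_LIMITS)
    cfg = {"bind": [], "protected-mode": "yes", "requirepass": "",
           "port": "6379", "tls-port": "0", "tls-auth-clients": "yes"}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments only start a line
            continue
        key, *args = line.split()
        key = key.lower()
        if key == "client-output-buffer-limit" and len(args) == 4:
            cls = "replica" if args[0] == "slave" else args[0]  # legacy class name
            limits[cls] = (parse_memory(args[1]), parse_memory(args[2]), int(args[3]))
        elif key == "bind":
            cfg["bind"] = args
        elif key in cfg:
            cfg[key] = args[0] if args else ""
    cfg["limits"] = limits
    return cfg


def audit(text: str) -> list:
    """Return the list of findings (empty list means both preconditions are closed)."""
    cfg = parse_conf(text)
    findings = []

    hard, soft, _secs = cfg["limits"]["normal"]
    if hard == 0 and soft == 0:
        findings.append("UNBOUNDED_NORMAL_OUTPUT_BUFFER")

    # A leading "-" on a bind address means "skip if unavailable" (Redis 7+).
    binds = [b.lstrip("-") for b in cfg["bind"]]
    loopback_only = bool(binds) and all(
        b.startswith("127.") or b in ("::1", "localhost") for b in binds)
    # With no bind directive, protected-mode yes refuses non-loopback clients.
    remote_reachable = (not loopback_only) and (bool(binds) or cfg["protected-mode"] == "no")
    plaintext_open = cfg["port"] != "0"
    tls_mutual = cfg["tls-port"] != "0" and cfg["tls-auth-clients"] == "yes"
    # requirepass is deliberately ignored here: NOAUTH replies still grow the buffer.
    if remote_reachable and (plaintext_open or not tls_mutual):
        findings.append("UNAUTHENTICATED_REMOTE_CLIENTS_CAN_CONNECT")
    return findings


# Constructed sample: shipped defaults plus a password, exposed on every interface.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
requirepass hunter2
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
"""

# Constructed sample: bounded normal-client buffer, plaintext port disabled,
# TLS listener that requires a client certificate before any command is read.
HARDENED_CONF = """\
bind 0.0.0.0 -::
port 0
tls-port 6379
tls-auth-clients yes
client-output-buffer-limit normal 64mb 16mb 60
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

On a running instance the same two facts can be read back with `CONFIG GET client-output-buffer-limit` and `CONFIG GET bind` from valkey-cli; `client-output-buffer-limit` can also be changed at runtime with `CONFIG SET`, which is useful for closing the gap on a fleet before the packaged fix lands.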
--- Begin Message ---
Source: valkey
Source-Version: 8.1.1+dfsg1-1
Done: Lucas Kanashiro <kanash...@debian.org>
We believe that the bug you reported is fixed in the latest version of
valkey, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1104...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Lucas Kanashiro <kanash...@debian.org> (supplier of updated valkey package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 28 Apr 2025 15:49:27 -0300
Source: valkey
Architecture: source
Version: 8.1.1+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Lucas Kanashiro <kanash...@debian.org>
Changed-By: Lucas Kanashiro <kanash...@debian.org>
Closes: 1104012
Changes:
valkey (8.1.1+dfsg1-1) unstable; urgency=medium
.
* New upstream release.
+ Fix CVE-2025-21605 (Closes: #1104012)
* Refresh patches
* Declare compliance with Debian Policy 4.7.2
Checksums-Sha1:
46e1fd8dd0ec3775e56b49e0ab379e843477aa5f 2243 valkey_8.1.1+dfsg1-1.dsc
40f52feab50d74dc579abf6702429bbd080dce39 2726128 valkey_8.1.1+dfsg1.orig.tar.xz
0f78bd56be1b0c4b5ba44b2b820fa8a90fad8afd 16528 valkey_8.1.1+dfsg1-1.debian.tar.xz
06fc559c48e2febbe7edc2abd9af7783ade289e2 5849 valkey_8.1.1+dfsg1-1_source.buildinfo
Checksums-Sha256:
269b7daf7b87dfa79cf9b731a0fd07052beef2e4a098d78d03e5e7d81f231b1e 2243 valkey_8.1.1+dfsg1-1.dsc
d9bbd82eecb82f359e649a0007ad3dc1b47cc15afa626348ca86b73c4ae2c7ee 2726128 valkey_8.1.1+dfsg1.orig.tar.xz
fcd7449159ad4e2e74b5b3bae6cfd63675603fa56d4eba092182f9fe0d558e64 16528 valkey_8.1.1+dfsg1-1.debian.tar.xz
8ed34c2b987bfb10193e53e681ebeed1c0f047302da7e46b1f2b5caa22ed5799 5849 valkey_8.1.1+dfsg1-1_source.buildinfo
Files:
ef2ee8b1076a21b330ff2e25b87a8eac 2243 database optional valkey_8.1.1+dfsg1-1.dsc
3ec2c18e27d75a0736caa812c2718c41 2726128 database optional valkey_8.1.1+dfsg1.orig.tar.xz
cc41c71f0fd6fe6d9dfbbed54a22505b 16528 database optional valkey_8.1.1+dfsg1-1.debian.tar.xz
4a58f81b5f7f58b56818fbddab9c7564 5849 database optional valkey_8.1.1+dfsg1-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
pgplXqs8xAejQ.pgp
Description: PGP signature
--- End Message ---