redis:7 security update
Errata ID: AXSA:2025-10499:03
Release date:
Wednesday, July 16, 2025 - 21:51
Subject:
redis:7 security update
Affected Channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
[security - high] redis:7 security update
For detailed information on changes in this release, see MIRACLE LINUX 9 Release
Notes linked from the References section.
CVE(s):
CVE-2025-21605
Solution:
Update packages.
CVEs:
CVE-2025-21605
Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, an unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit), so the output buffer can grow without bound over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system runs out of memory. This issue has been patched in version 7.4.3. An additional workaround that mitigates the problem without patching the redis-server executable is to block access so that unauthenticated users cannot connect to Redis. This can be done either with network access control tools such as firewalls, iptables, or security groups, or by enabling TLS and requiring users to authenticate using client-side certificates.
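An added example, not part of the advisory or of Redis itself: a small Python audit of a redis.conf text for the conditions the CVE description names (no output buffer limit for normal clients, and listeners that unauthenticated clients can reach). The sample configs and finding names are constructed; the directive names and defaults are the standard Redis ones, assumed here, and firewall or security-group rules are outside what a config file can show.

```python
import re

# Constructed sample configs (not taken from the advisory).
DEFAULT_LIKE = """\
port 6379
requirepass placeholder-password
client-output-buffer-limit normal 0 0 0
"""
HARDENED = """\
bind 127.0.0.1 -::1
port 0
tls-port 6379
tls-auth-clients yes
client-output-buffer-limit normal 64mb 16mb 30
"""

def parse(conf_text):  # returns {directive: [argument lists]}
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            directives.setdefault(name.lower(), []).append(args)
    return directives

def last(directives, name, default):
    return directives[name][-1] if name in directives else default

def audit(conf_text):
    """List the exposure conditions named in the CVE-2025-21605 description."""
    d, findings = parse(conf_text), []
    # Redis default for the "normal" class is 0 0 0, i.e. no limit.
    normal = ["0", "0", "0"]
    for args in d.get("client-output-buffer-limit", []):
        if len(args) >= 4 and args[0].lower() == "normal":
            normal = args[1:4]
    if all(re.fullmatch(r"0+[a-z]*", v.lower()) for v in normal[:2]):
        findings.append("normal-client-output-buffer-unlimited")
    # A plaintext listener accepts connections before any authentication;
    # requirepass does not change that (the "NOAUTH" case above).
    if last(d, "port", ["6379"])[0] != "0":
        findings.append("plaintext-port-open")
    tls_on = last(d, "tls-port", ["0"])[0] != "0"
    if not tls_on or last(d, "tls-auth-clients", ["yes"])[0].lower() != "yes":
        findings.append("client-certificates-not-required")
    # Without a bind directive Redis listens on all interfaces.
    binds = last(d, "bind", ["*"])
    if any(b.lstrip("-") in ("*", "0.0.0.0", "::", "::*") for b in binds):
        findings.append("listens-on-all-interfaces")
    return findings
```

Findings describe configuration exposure only; whether the installed package carries the fix is determined by the package version listed in this advisory.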
Additional Info:
N/A
Download:
SRPMS
- redis-7.2.8-1.module+el9+1095+12a5d178.src.rpm
MD5: aa5a41916ec9d384281c27855e1222c5
SHA-256: fd0b3c457e2141662f1eea525c406a7a2b9d135d7c6d53509126629e70e85fe5
Size: 4.44 MB
Asianux Server 9 for x86_64
- redis-7.2.8-1.module+el9+1095+12a5d178.x86_64.rpm
MD5: bbc055c3fd09a5238eeedbc5284ff75d
SHA-256: 631e7388f4b67f59f860fffc5ef3c462e5e4b98cbb8190c73d768228f61b8a99
Size: 1.63 MB
- redis-debugsource-7.2.8-1.module+el9+1095+12a5d178.x86_64.rpm
MD5: 23ad96b6ed4aea19d05b7ec64d9ee4d2
SHA-256: 60c09fc1745084637ce70735995acb49bb1a07a383477eee0ebf20af07d67d52
Size: 1.54 MB
- redis-devel-7.2.8-1.module+el9+1095+12a5d178.x86_64.rpm
MD5: 8ffc8983f9a0afeed780ec23e9da9a19
SHA-256: cccca4cd15ab41eede13b19c533137ae75816def6b829453ec1828f307ff7939
Size: 23.86 kB
- redis-doc-7.2.8-1.module+el9+1095+12a5d178.noarch.rpm
MD5: 8de105e463f31f5274c70e70e550969a
SHA-256: 9a685d1bcd80538ffc001c213eedd6c75802851d75ced6def41783fef59f0721
Size: 639.36 kB