redis-6.2.20-2.el9_7
エラータID: AXSA:2025-11473:05
Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.
Security Fix(es):
* redis: Lua library commands may lead to integer overflow and potential RCE (CVE-2025-46817)
* Redis: Redis: Authenticated users can execute LUA scripts as a different user (CVE-2025-46818)
* Redis: Redis is vulnerable to DoS via specially crafted LUA scripts (CVE-2025-46819)
* Redis: Redis Lua Use-After-Free may lead to remote code execution (CVE-2025-49844)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-46817
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
CVE-2025-46818
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
CVE-2025-46819
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
CVE-2025-49844
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Update packages.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
N/A
SRPMS
- redis-6.2.20-2.el9_7.src.rpm
MD5: 46936eb81fa2c78b8f94089d7f126747
SHA-256: f0a9a2f652eb6dc2a1ae56f2c3d96800e4f25dba6648852323f1854d145b6aa7
Size: 3.01 MB
Asianux Server 9 for x86_64
- redis-6.2.20-2.el9_7.x86_64.rpm
MD5: 7f831623d2674ef50f0da862fb22a1f3
SHA-256: f9a52e0803e8598703c185f8c4856b24a37c97e2ae1b0cef73257e765102ab25
Size: 1.30 MB - redis-devel-6.2.20-2.el9_7.i686.rpm
MD5: fa95ac0057330ee37c87f8233b4468b6
SHA-256: f452a9c13f732b992c819927d8a16cb9066f257a709349072032436fe220fab6
Size: 19.03 kB - redis-devel-6.2.20-2.el9_7.x86_64.rpm
MD5: 171f0ebc384f688dbb16f4cd4eb9396b
SHA-256: a800e3be8a793c32079cc33998ba8a063bcf1d82fa7a4a1ebfb2c85c34ebe766
Size: 19.01 kB - redis-doc-6.2.20-2.el9_7.noarch.rpm
MD5: f180585af1dbc1c1c3937d153a12db81
SHA-256: 220e11b489f05bd2e58d15ee5c5db9c2a03111a947e08816587608e9da01d376
Size: 549.36 kB
日本語