redis:6 security update
エラータID: AXSA:2025-9955:01
リリース日:
2025/05/21 Wednesday - 17:02
題名:
redis:6 security update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Redis には、出力バッファとして確保するメモリ領域のサイズを制限
していない問題があるため、リモートの攻撃者により、パスワード認証
が有効化されたサーバーに対してパスワードを入力しないように細工した
認証の要求を行うことを介して、サービス拒否攻撃 (リソース枯渇)
を可能とする脆弱性が存在します。(CVE-2025-21605)
Modularity name: redis
Stream name: 6
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-21605
Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways. Either using network access control tools like firewalls, iptables, security groups, etc, or enabling TLS and requiring users to authenticate using client side certificates.
Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways. Either using network access control tools like firewalls, iptables, security groups, etc, or enabling TLS and requiring users to authenticate using client side certificates.
追加情報:
N/A
ダウンロード:
SRPMS
- redis-6.2.18-1.module+el8+1873+c55729ea.src.rpm
MD5: 9a55d9e2a6aa01371e16c21e1619c52e
SHA-256: 95a63b0be0676f80d0a70a60d80beb8ab8ac5dbafd1d71c8f88f4a1f7dad2eb3
Size: 2.98 MB
Asianux Server 8 for x86_64
- redis-6.2.18-1.module+el8+1873+c55729ea.x86_64.rpm
MD5: a1b42f30803140bc522ccd7bc89d2836
SHA-256: f9cd8ed9c4111b3b0675889ebea4b226e552883d74a895b826c99119faa6738e
Size: 1.17 MB - redis-debugsource-6.2.18-1.module+el8+1873+c55729ea.x86_64.rpm
MD5: b7782ceae20a0e434a9c7887088f385e
SHA-256: ce6af1163bfaafcbb0ab4adef36d19f3f01382dfae3dc1ea2d037b20cf0d4a7d
Size: 1.34 MB - redis-devel-6.2.18-1.module+el8+1873+c55729ea.x86_64.rpm
MD5: 946676c10b3a9dc4c933c7226958fd46
SHA-256: 3043a291b5c8504721232f8b60ac6de6118257be788b3bea0f23ac52cba19f9d
Size: 30.18 kB - redis-doc-6.2.18-1.module+el8+1873+c55729ea.noarch.rpm
MD5: ceff52bf263232c39fa64df9a78d6eb6
SHA-256: 75bd69506c214b942df068812725b23d1fd352790893489db9852ba643322bfc
Size: 492.23 kB
English