redis-6.2.18-1.el9_6
エラータID: AXSA:2025-10201:02
リリース日:
2025/06/30 Monday - 15:48
題名:
redis-6.2.18-1.el9_6
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Redis には、出力バッファとして確保するメモリ領域のサイズを制限
していない問題があるため、リモートの攻撃者により、パスワード認証
が有効化されたサーバーに対してパスワードを入力しないように細工した
認証の要求を行うことを介して、サービス拒否攻撃 (リソース枯渇)
を可能とする脆弱性が存在します。(CVE-2025-21605)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-21605
Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways. Either using network access control tools like firewalls, iptables, security groups, etc, or enabling TLS and requiring users to authenticate using client side certificates.
Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways. Either using network access control tools like firewalls, iptables, security groups, etc, or enabling TLS and requiring users to authenticate using client side certificates.
追加情報:
N/A
ダウンロード:
SRPMS
- redis-6.2.18-1.el9_6.src.rpm
MD5: f0e4da492408cdcfb3d502d38e3f1b4f
SHA-256: ae0bd79392e9b4765793007519daf91b0ffb8685cd9032bc200e0dcb0b6415c7
Size: 3.01 MB
Asianux Server 9 for x86_64
- redis-6.2.18-1.el9_6.x86_64.rpm
MD5: 5806c92e9cfd10de419f49d9d8a4e8cd
SHA-256: 6ba5203d75dd668486e19a954cfdb049a3f5a7ca4a22451e5c6cbc74be42e6d1
Size: 1.30 MB - redis-devel-6.2.18-1.el9_6.i686.rpm
MD5: 1213a4d5672dc4e0483d100d0537df99
SHA-256: 5664f4e7dc017f77f7daf7ab6150b3ae644526271cda1a31d913f81bcd001cc2
Size: 18.71 kB - redis-devel-6.2.18-1.el9_6.x86_64.rpm
MD5: 4f75ccf28bb825a7aee41f64b8502e7a
SHA-256: ba4dee1c3e4640cd4aa46b05cb17a6e1ee34854acfd7438f710343cc39bd81dc
Size: 18.68 kB - redis-doc-6.2.18-1.el9_6.noarch.rpm
MD5: 35a48932444afbd2ebf04411b91ae8eb
SHA-256: 46d06830fd18285cc4deda3f294bbf2a58710230bdc01947dae48afe294ee1b4
Size: 548.79 kB
English