redis:7 security update

エラータID: AXSA:2025-10675:01

リリース日: 
2025/08/01 Friday - 22:08
題名: 
redis:7 security update
影響のあるチャネル: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.

Security Fix(es):

* redis: Redis Stack Buffer Overflow (CVE-2025-27151)
* redis: Redis Unauthenticated Denial of Service (CVE-2025-48367)
* redis: Redis Hyperloglog Out-of-Bounds Write Vulnerability (CVE-2025-32023)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-27151
Redis is an open source, in-memory database that persists on disk. In versions starting from 7.0.0 to before 8.0.2, a stack-based buffer overflow exists in redis-check-aof due to the use of memcpy with strlen(filepath) when copying a user-supplied file path into a fixed-size stack buffer. This allows an attacker to overflow the stack and potentially achieve code execution. This issue has been patched in version 8.0.2.
CVE-2025-32023
Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.
CVE-2025-48367
Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.

Modularity name: "redis"
Stream name: "7"

解決策: 

Update packages.

CVE: 
CVE-2025-27151
Redis is an open source, in-memory database that persists on disk. In versions starting from 7.0.0 to before 8.0.2, a stack-based buffer overflow exists in redis-check-aof due to the use of memcpy with strlen(filepath) when copying a user-supplied file path into a fixed-size stack buffer. This allows an attacker to overflow the stack and potentially achieve code execution. This issue has been patched in version 8.0.2.
CVE-2025-32023
Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.
CVE-2025-48367
Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. redis-7.2.10-1.module+el9+1099+6bc2fee2.src.rpm
    MD5: 5c2574e17903ad9f39c40c0067a0c277
    SHA-256: ae34967ca73a354f6c16d7c3e43a5a47cbee4a94a804ae11e4caba7f5670d62f
    Size: 4.44 MB

Asianux Server 9 for x86_64
  1. redis-7.2.10-1.module+el9+1099+6bc2fee2.x86_64.rpm
    MD5: cfe2530a77c3df69390d00e2e71a3313
    SHA-256: 71fbfa9c1633d37866957756e3cef566c0a0f396f136e1f5eeed1a011b7ec394
    Size: 1.64 MB
  2. redis-debugsource-7.2.10-1.module+el9+1099+6bc2fee2.x86_64.rpm
    MD5: 1ffd63c94c29526759f514058977f1c1
    SHA-256: 12faafa75b124f9ce9c77e4bc05636b0f1f5c6be893b00644d6116fdb30482e6
    Size: 1.54 MB
  3. redis-devel-7.2.10-1.module+el9+1099+6bc2fee2.x86_64.rpm
    MD5: 01a6fbabfa59701d1336b469a7952333
    SHA-256: 4b2e3b823ae70772d4fbfe75b1a1013130638bfb2448ea487e958658e27280ab
    Size: 23.81 kB
  4. redis-doc-7.2.10-1.module+el9+1099+6bc2fee2.noarch.rpm
    MD5: eb9e6d6eb17f0e3eb9d4097ef10d780b
    SHA-256: f4cd5b2489487d7e14e108438f06b200dd223da87986d2dadc56ef7a30f67762
    Size: 639.56 kB