redis-6.2.20-1.el9_6
エラータID: AXSA:2025-11005:04
Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.
Security Fix(es):
* redis: Lua library commands may lead to integer overflow and potential RCE (CVE-2025-46817)
* Redis: Redis: Authenticated users can execute LUA scripts as a different user (CVE-2025-46818)
* Redis: Redis is vulnerable to DoS via specially crafted LUA scripts (CVE-2025-46819)
* Redis: Redis Lua Use-After-Free may lead to remote code execution (CVE-2025-49844)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-46817
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
CVE-2025-46818
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
CVE-2025-46819
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
CVE-2025-49844
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Update packages.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
N/A
SRPMS
- redis-6.2.20-1.el9_6.src.rpm
MD5: 79011d6949360fbaf231201cc7b585f6
SHA-256: a8d890c8c31c11c7c838a72a863543be90c9608cec7fa0b61ae7c0dda5e4ca3e
Size: 3.01 MB
Asianux Server 9 for x86_64
- redis-6.2.20-1.el9_6.x86_64.rpm
MD5: 5efd4469f7f6362276803be230e217e5
SHA-256: 6fb4558fe33ecb6e9b42c197817cc0f064b3284ff0e4781162e79bcb097a8129
Size: 1.30 MB - redis-devel-6.2.20-1.el9_6.i686.rpm
MD5: 409b448b51c00e92b626f56bcbbc091f
SHA-256: c31db09a013a2902f9fbe6ca33712768cb9a83ca29f2f0b62db5c5e977e49b1b
Size: 18.94 kB - redis-devel-6.2.20-1.el9_6.x86_64.rpm
MD5: 073161bc95392d7719fcf634f2919e4f
SHA-256: cc8d273657812aa528b66d6ea87a3ca824134358fef42c7bf8af0cc6e116de4b
Size: 18.91 kB - redis-doc-6.2.20-1.el9_6.noarch.rpm
MD5: 09335282fac39c3e61a1e3418f75b5a7
SHA-256: 945bfa06ca45acaba477560923c8b6f163f564345c1b678cc7ecfc21ea6c3548
Size: 549.27 kB