redis:6 security update
Errata ID: AXSA:2025-11019:01
Release date:
2025/11/04 Tuesday - 19:43
Title:
redis:6 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
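The following items have been addressed.
[Security Fix]
- Redis contains an integer overflow issue that allows a remote attacker to cause memory corruption and execute arbitrary code. (CVE-2025-46817)
- Redis contains a vulnerability that allows a local attacker to execute arbitrary code. (CVE-2025-46818)
- Redis contains an out-of-bounds memory read issue that allows a local attacker to cause information disclosure and denial of service. (CVE-2025-46819)
- Redis contains a use-after-free issue that allows a remote attacker to execute arbitrary code. (CVE-2025-49844)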
Modularity name: redis
Stream name: 6
Solution:
Update the packages.
CVE:
CVE-2025-46817
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
CVE-2025-46818
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different Lua objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
CVE-2025-46819
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to read out-of-bounds data or crash the server, resulting in denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. A workaround that does not require patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
CVE-2025-49844
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. A workaround that does not require patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
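The ACL workaround in the CVE entries above only holds if no enabled user can still reach a Lua entry point. The following Python check is an added example, not code from this advisory or from the Redis project: it reads rule lines in `ACL LIST` format and reports which commands of the EVAL and FUNCTION families each enabled user may still run. Assumptions: only the `@all` and `@scripting` categories are modelled, Redis 7 selectors in parentheses are not parsed, and the sample lines are constructed.

```python
# Added example: audit `ACL LIST` lines for users who can still run Lua.
EVAL_FAMILY = {"eval", "evalsha", "eval_ro", "evalsha_ro"}
FUNCTION_FAMILY = {"function", "fcall", "fcall_ro"}
LUA_CMDS = EVAL_FAMILY | FUNCTION_FAMILY      # Redis 7.0 and later
REDIS6_CMDS = {"eval", "evalsha"}             # entry points present in 6.x
# Assumption: only these two categories are modelled as covering every Lua
# entry point; rules naming any other category are ignored.
COVERING_CATEGORIES = {"@all", "@scripting"}


def lua_commands_allowed(acl_line, cmds=LUA_CMDS):
    """Return (user, sorted Lua commands an enabled user may still run)."""
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError("not an ACL LIST line: %r" % (acl_line,))
    user, allowed, enabled = tokens[1], set(), False
    for tok in (t.lower() for t in tokens[2:]):   # rules apply left to right
        if tok in ("on", "off"):
            enabled = tok == "on"
        elif tok == "allcommands":
            allowed = set(cmds)
        elif tok == "nocommands":
            allowed = set()
        elif len(tok) > 1 and tok[0] in "+-":
            name, _, sub = tok[1:].partition("|")
            if sub and tok[0] == "-":
                continue  # one subcommand removed: keep the command flagged
            hit = set(cmds) if name in COVERING_CATEGORIES else {name} & set(cmds)
            allowed = allowed | hit if tok[0] == "+" else allowed - hit
    return user, sorted(allowed) if enabled else []


def audit(acl_lines, cmds=LUA_CMDS):
    """Map each user that can still reach a Lua entry point to those commands."""
    found = {}
    for line in acl_lines:
        user, allowed = lua_commands_allowed(line, cmds)
        if allowed:
            found[user] = allowed
    return found


# Constructed sample lines in `ACL LIST` format (password hashes replaced).
SAMPLE = [
    "user default on nopass ~* &* +@all",
    "user app on #<sha256> ~app:* &* +@all -@scripting",
    "user batch on #<sha256> ~* -@all +get +set +evalsha",
    "user reports on #<sha256> ~* +@all -eval -evalsha",
    "user old off ~* +@all",
]
```

Pass `REDIS6_CMDS` as `cmds` when auditing a redis:6 server, where only EVAL and EVALSHA exist; the default set also covers the commands added in Redis 7.0.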
Additional information:
N/A
Download:
SRPMS
- redis-6.2.20-1.module+el8+1914+8d0e1664.src.rpm
MD5: 23f00dde2517a92d59a4d4012e6514f1
SHA-256: 89e77573ec291e51a5b6bbc849ea2159c94af905dbda4a66bfb69cac2dafca5a
Size: 2.98 MB
Asianux Server 8 for x86_64
- redis-6.2.20-1.module+el8+1914+8d0e1664.x86_64.rpm
MD5: 0f7ed28e80e22c88faa6a2eea964a9f4
SHA-256: 11db3d657380b19324180fb5a235e230601edbdb13ec3d6026d3ba3422805252
Size: 1.17 MB
- redis-debugsource-6.2.20-1.module+el8+1914+8d0e1664.x86_64.rpm
MD5: b2e415fb7784ce6183434c51ed26e33b
SHA-256: 9986dc0b391feff692d9f5d1221d7b60e5951f605e554a1486f1ad3a4df1dd17
Size: 1.34 MB
- redis-devel-6.2.20-1.module+el8+1914+8d0e1664.x86_64.rpm
MD5: 78c5a8cf8cb66661f2d9d150cf5e0551
SHA-256: 3db8426e6569f579a77ab5e2d15cdadbd831c211341a0a7743de2bd8f78b131f
Size: 30.41 kB
- redis-doc-6.2.20-1.module+el8+1914+8d0e1664.noarch.rpm
MD5: 115dcf6936e7f9df3c83b4faaccc5b4d
SHA-256: 1814cb1a88ea6c0aee0fd12f2e41a5a01478ec196bd1edaf8a198f67730172d6
Size: 492.58 kB