redis:7 security update
エラータID: AXSA:2025-11023:01
リリース日:
2025/11/05 Wednesday - 10:19
題名:
redis:7 security update
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Redis には、整数オーバーフローの問題があるため、リモートの
攻撃者により、メモリ破壊、および任意のコードの実行を可能とする
脆弱性が存在します。(CVE-2025-46817)
- Redis には、ローカルの攻撃者により、任意のコードの実行を可能と
する脆弱性が存在します。(CVE-2025-46818)
- Redis には、メモリ領域の範囲外読み取りの問題があるため、
ローカルの攻撃者により、情報の漏洩、およびサービス拒否攻撃を
可能とする脆弱性が存在します。(CVE-2025-46819)
- Redis には、メモリ領域の解放後利用の問題があるため、リモートの
攻撃者により、任意のコードの実行を可能とする脆弱性が存在します。
(CVE-2025-49844)
Modularity name: redis
Stream name: 7
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-46817
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
CVE-2025-46818
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
CVE-2025-46819
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
CVE-2025-49844
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
追加情報:
N/A
ダウンロード:
SRPMS
- redis-7.2.11-1.module+el9+1105+217487bc.src.rpm
MD5: 133274551c7eae93fe1e3429357f9064
SHA-256: 749e7d05b83428e8c5100203592ec3a6e17a999e2cb7570534cca0dcafdf66e7
Size: 4.44 MB
Asianux Server 9 for x86_64
- redis-7.2.11-1.module+el9+1105+217487bc.x86_64.rpm
MD5: 3442cef3fc9e9fb8155ba165f3432d11
SHA-256: b05933ef9fe6a428c2ec5c02eef2ab6622200d155197bb7d7338466bc98f1bff
Size: 1.64 MB - redis-debugsource-7.2.11-1.module+el9+1105+217487bc.x86_64.rpm
MD5: 224028b56707362937fe310d64271436
SHA-256: 8c219db3e208dde22da19cae0698dc8e63a770ac1fc5dbfad2a16bc008efbe87
Size: 1.54 MB - redis-devel-7.2.11-1.module+el9+1105+217487bc.x86_64.rpm
MD5: be88c40f4f306603e7ccfab4d46e2862
SHA-256: eb78343789be10b8a73ce7b01afb8cdbad01a08c9da02b8338aa4bd0be716aad
Size: 23.94 kB - redis-doc-7.2.11-1.module+el9+1105+217487bc.noarch.rpm
MD5: f40ca6b752cb99379f9fe759c169bbc8
SHA-256: cb301f480791be73cc291b4381f0549a6e4d66c759ec579fc101b194142c55ee
Size: 640.29 kB
English