valkey-8.0.7-1.el9_7
Errata ID: AXSA:2026-259:02
Release date:
2026/03/05 Thursday - 18:42
Title:
valkey-8.0.7-1.el9_7
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
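The following issues have been addressed.
[Security Fix]
- The error handling code in Valkey does not properly handle NULL characters, which allows a remote attacker to corrupt response data intended for other users on the same connection and to cause a denial of service by injecting crafted information into the response stream for a specific client. (CVE-2025-67733)
- The cluster bus packet processing code in Valkey has an out-of-bounds memory read issue caused by a missing check that a cluster bus ping extension packet lies within the buffer of the cluster bus packet, which allows a remote attacker with access to the Valkey cluster bus port to cause a denial of service (system crash) by sending a specially crafted, invalid cluster bus packet. (CVE-2026-21863)
Solution:
Update the packages.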
CVE:
CVE-2025-67733
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for Lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
CVE-2026-21863
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out-of-bounds read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within the buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.
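The kind of check whose absence CVE-2026-21863 describes, as an added example that is not Valkey's code and not part of the original advisory: a walker over length-prefixed extensions that rejects any extension not wholly inside the received buffer. The packet layout, the names and the sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout for illustration (NOT Valkey's wire format):
 *   packet    = [2-byte extension count][extension]...
 *   extension = [4-byte length incl. this header][2-byte type][2 pad][payload]
 * All integers are big-endian. */
#define PKT_HDR_LEN 2u
#define EXT_HDR_LEN 8u

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 1 only if every declared extension lies wholly inside
 * buf[0..buflen); nothing past the buffer is ever read. */
int extensions_in_bounds(const uint8_t *buf, size_t buflen) {
    if (buflen < PKT_HDR_LEN) return 0;
    unsigned count = ((unsigned)buf[0] << 8) | buf[1];
    size_t off = PKT_HDR_LEN;          /* invariant: off <= buflen */
    for (unsigned i = 0; i < count; i++) {
        /* The extension header must fit before its length is read. */
        if (buflen - off < EXT_HDR_LEN) return 0;
        uint32_t len = rd32(buf + off);
        /* Compare against the bytes remaining, so off + len cannot
         * wrap; a length below the header size would stall the walk. */
        if (len < EXT_HDR_LEN || len > buflen - off) return 0;
        off += len;
    }
    return off == buflen;              /* reject unaccounted trailing bytes */
}

/* Constructed sample packets. */
const uint8_t pkt_ok[] = {0,1, 0,0,0,12, 0,1,0,0, 0xde,0xad,0xbe,0xef};
const uint8_t pkt_overlong[] = {0,1, 0,0,0,64, 0,1,0,0, 0xde,0xad,0xbe,0xef};
const uint8_t pkt_missing[] = {0,2, 0,0,0,8, 0,1,0,0};

int main(void) {
    printf("ok=%d overlong=%d missing=%d\n",
           extensions_in_bounds(pkt_ok, sizeof pkt_ok),
           extensions_in_bounds(pkt_overlong, sizeof pkt_overlong),
           extensions_in_bounds(pkt_missing, sizeof pkt_missing));
    return 0;
}
```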
Additional information:
N/A
Download:
SRPMS
- valkey-8.0.7-1.el9_7.src.rpm
MD5: ae0b63aac27f3e0d48cd12252a7274df
SHA-256: 0a38157a3db2da79f388166a049f48c028aee9be45d5baf7de0cecf482212f66
Size: 3.50 MB
Asianux Server 9 for x86_64
- valkey-8.0.7-1.el9_7.x86_64.rpm
MD5: 1f32cd2633404177687ed46916cc6d38
SHA-256: bfd793fd00db6e6c2c972b743d71f4f99fa86e6341d4c33b135490b9d11451da
Size: 1.60 MB
- valkey-devel-8.0.7-1.el9_7.x86_64.rpm
MD5: 5b07764fd00e144d559d520c7bb5867b
SHA-256: ecb2652187aa9acd381f8cd37f5a9ca0fb31509ae136e0ea62e3642f8337e553
Size: 26.20 kB