Public bug reported:

[Impact]

Various bugs exist in the current Ubuntu version of Valkey in Noble, Plucky, and Questing/Resolute, including the following CVEs:

(CVE-2025-49844) A Lua script may lead to remote code execution
(CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
(CVE-2025-46818) A Lua script can be executed in the context of another user
(CVE-2025-46819) Lua out-of-bound read
(CVE-2025-27151) Check length of AOF file name in valkey-check-aof and reject paths longer than PATH_MAX (8.0.4)

The other bugs listed upstream are:

8.1.3-8.1.4 -
https://github.com/valkey-io/valkey/pull/2614
https://github.com/valkey-io/valkey/pull/2229
https://github.com/valkey-io/valkey/pull/2257
https://github.com/valkey-io/valkey/pull/2290
https://github.com/valkey-io/valkey/pull/2288
https://github.com/valkey-io/valkey/pull/2353
https://github.com/valkey-io/valkey/pull/2347
https://github.com/valkey-io/valkey/pull/2174
https://github.com/valkey-io/valkey/pull/2360
https://github.com/valkey-io/valkey/pull/2466
https://github.com/valkey-io/valkey/pull/2571
https://github.com/valkey-io/valkey/pull/2656

8.0.4-8.0.6 -
https://github.com/valkey-io/valkey/pull/2616
https://github.com/valkey-io/valkey/pull/2658
https://github.com/valkey-io/valkey/pull/2101
https://github.com/valkey-io/valkey/pull/2109
https://github.com/valkey-io/valkey/pull/2137
https://github.com/valkey-io/valkey/pull/2132
https://github.com/valkey-io/valkey/pull/2117
https://github.com/valkey-io/valkey/pull/2140
https://github.com/valkey-io/valkey/pull/2144
https://github.com/valkey-io/valkey/pull/2178
https://github.com/valkey-io/valkey/pull/2186
https://github.com/valkey-io/valkey/pull/2229
https://github.com/valkey-io/valkey/pull/2360
https://github.com/valkey-io/valkey/pull/2174
https://github.com/valkey-io/valkey/pull/2466

along with behavior changes:
https://github.com/valkey-io/valkey/pull/1067
https://github.com/valkey-io/valkey/pull/1274

and improvements:
https://github.com/valkey-io/valkey/pull/1252
https://github.com/valkey-io/valkey/pull/1341

7.2.10-7.2.11 -
https://github.com/valkey-io/valkey/pull/2229
https://github.com/valkey-io/valkey/pull/2360

These fixes should be added to the stable release to avoid known security vulnerabilities and issues. Ideally, these fixes should be added by updating to 7.2.11, the latest stable release of 7.x; 8.0.6, the latest of 8.0.x; and 8.1.4, the latest of 8.1.x. Upstream takes care to avoid backwards-incompatible changes in this stable release set, and matching their version would best match user expectations.

[Test Plan]

Initial testing should include making sure the DEP-8 tests all pass. This package includes a large suite of tests that check various runtime configurations and Redis compatibility.

[Where problems could occur]

As this is a full version backport, backwards-incompatible changes may arise from the various changes included. I am mitigating this by checking each individual commit and noting any minor updates in the changelog entry.

[Other Info]

Noble will differ from Plucky, as it will remain on the 7.2.x version track while Plucky is on 8.x. Both differ from Questing and Resolute, which are on 8.1.x (though Resolute will be upgraded to 9.0.x this cycle).

Also, this release should be sent to both -updates and -security afterward to provide all relevant users with the fixes.

Previous Backports:
(LP: #2097546)
(LP: #2091129)
(LP: #2115258)

** Affects: valkey (Ubuntu)
Importance: Undecided
Assignee: Lena Voytek (lvoytek)
Status: Triaged

** Affects: valkey (Ubuntu Noble)
Importance: Undecided
Assignee: Lena Voytek (lvoytek)
Status: Triaged

** Affects: valkey (Ubuntu Plucky)
Importance: Undecided
Assignee: Lena Voytek (lvoytek)
Status: Triaged

** Affects: valkey (Ubuntu Questing)
Importance: Undecided
Assignee: Lena Voytek (lvoytek)
Status: Triaged

** Tags: server-todo

** Also affects: valkey (Ubuntu Questing)
Importance: Undecided
Status: New

** Also affects: valkey (Ubuntu Noble)
Importance: Undecided
Status: New

** Also affects: valkey (Ubuntu Plucky)
Importance: Undecided
Status: New

** Changed in: valkey (Ubuntu Noble)
Assignee: (unassigned) => Lena Voytek (lvoytek)

** Changed in: valkey (Ubuntu Plucky)
Assignee: (unassigned) => Lena Voytek (lvoytek)

** Changed in: valkey (Ubuntu Questing)
Assignee: (unassigned) => Lena Voytek (lvoytek)

** Tags added: server-todo

https://bugs.launchpad.net/bugs/2127122
Title: Update Valkey to 7.2.11 in noble, 8.0.6 in plucky, and 8.1.4 in questing + resolute
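A quick way to check whether a deployed Valkey is at or above the fixed release for its track (7.2.11, 8.0.6, 8.1.4 as named in the report). This is an added example and not part of the bug report or the Valkey project; it assumes the version can be read from text such as the output of `valkey-server --version` or a dpkg version string, and the sample inputs below are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Minimum upstream version per stable track that carries the fixes listed in
# this bug (per the report: 7.2.11 for 7.2.x, 8.0.6 for 8.0.x, 8.1.4 for 8.1.x).
FIXED_BY_TRACK = {
    (7, 2): (7, 2, 11),
    (8, 0): (8, 0, 6),
    (8, 1): (8, 1, 4),
}

# Matches the first x.y.z version in free text, e.g. "v=8.0.4" or "8.0.4+dfsg1-1".
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return the first x.y.z version found in `text` as an int tuple, or None.

    Works on constructed inputs shaped like `valkey-server --version` output
    ("Valkey server v=8.0.4 sha=... ") and on dpkg upstream version strings
    ("8.0.4+dfsg1-1ubuntu1"); the exact tool output format is an assumption.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_fixed(text: str) -> Optional[bool]:
    """True if the version in `text` is >= the fixed release for its track.

    Returns False if it is below the fixed release, and None if no version is
    found or the track (major.minor) is not one of those covered by this bug,
    so callers can distinguish "unknown" from "vulnerable".
    """
    version = parse_version(text)
    if version is None:
        return None
    fixed = FIXED_BY_TRACK.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


if __name__ == "__main__":
    # Constructed sample inputs, one per track, plus an unknown track.
    samples = [
        "Valkey server v=7.2.8 sha=00000000:0 malloc=jemalloc-5.3.0 bits=64",
        "8.0.4+dfsg1-1ubuntu1",
        "Valkey server v=8.1.4 sha=00000000:0 malloc=jemalloc-5.3.0 bits=64",
        "9.0.0",
    ]
    for s in samples:
        print(f"{s!r}: fixed={is_fixed(s)}")
```

Feed it the real output of `valkey-server --version` (or `dpkg-query -W -f='${Version}' valkey-server`) on each host; a `None` result means the input did not parse or the host is on a track the report does not cover, and should be looked at by hand rather than treated as patched.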
