[SECURITY] [DSA 6279-1] redis security update
Posted on 17 May 2026
-------------------------------------------------------------------------
Debian Security Advisory DSA-6279-1                   security@debian.org
https://www.debian.org/security/                                  Aron Xu
May 17, 2026                          https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : redis
CVE ID : CVE-2025-67733 CVE-2026-21863
Debian Bug :
Brief introduction
CVE-2025-67733
A flaw in the Lua scripting error path allowed an authenticated user
to embed CR/LF byte sequences in an error reply produced via
redis.error_reply() or the Lua error() function. Because RESP uses
CRLF as a frame delimiter, an injected sequence could be interpreted
by the client as the start of an unrelated reply, allowing an
attacker to inject arbitrary content into the response stream and
tamper with data read by other commands on the same connection.
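The framing problem described above, shown with a minimal RESP2 reply framer written for this page (not Redis or Debian code): an error string that carries CR/LF is split by the client into two frames, while the same string passed through a sanitiser that replaces CR and LF with spaces stays a single frame. The sanitiser is this example's own defensive approach, not a statement of what the upstream patch does, and the error text is constructed.

```python
# Added example: why a bare CR/LF inside an error reply desynchronises the
# RESP reply stream, and a sanitising step that keeps it one frame.
# The sanitiser is an assumption about a defensive approach, not a claim
# about the exact upstream fix.

CRLF = b"\r\n"

def encode_error_reply_unsafe(message: str) -> bytes:
    """Naive RESP error reply: '-' + message + CRLF, no sanitising."""
    return b"-" + message.encode() + CRLF

def sanitize_error_message(message: str) -> str:
    """Replace the RESP frame delimiter bytes so the text cannot end a frame early."""
    return message.replace("\r", " ").replace("\n", " ")

def encode_error_reply_safe(message: str) -> bytes:
    """Error reply built from the sanitised message."""
    return b"-" + sanitize_error_message(message).encode() + CRLF

def parse_simple_replies(stream: bytes) -> list[tuple[str, str]]:
    """Split a byte stream into RESP frames the way a client would.
    Handles only '+' simple strings and '-' errors, which is all the
    demonstration needs. Returns (type, payload) tuples."""
    frames = []
    pos = 0
    while pos < len(stream):
        end = stream.find(CRLF, pos)
        if end == -1:
            raise ValueError("incomplete frame")
        line = stream[pos:end]
        if not line or line[:1] not in (b"+", b"-"):
            raise ValueError(f"unexpected frame start: {line[:1]!r}")
        frames.append((chr(line[0]), line[1:].decode()))
        pos = end + len(CRLF)
    return frames

# Constructed script error text: a CRLF followed by what looks like an
# unrelated '+OK' reply, as the advisory describes.
CONSTRUCTED_ERROR_TEXT = "ERR script failed\r\n+OK"

def frame_counts() -> tuple[int, int]:
    """Number of frames a client sees for the unsafe vs. sanitised encoding."""
    unsafe = parse_simple_replies(encode_error_reply_unsafe(CONSTRUCTED_ERROR_TEXT))
    safe = parse_simple_replies(encode_error_reply_safe(CONSTRUCTED_ERROR_TEXT))
    return len(unsafe), len(safe)
```

The unsafe encoding yields two frames, the second of which a client would attribute to the next command on the connection; the sanitised encoding yields one error frame with the whole text intact.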
CVE-2026-21863
The cluster bus packet validation in clusterProcessPacket() did not
verify that the gossip-section count and per-extension header
declared by an incoming PING, PONG or MEET message actually fit
within the received packet. A peer with access to the cluster bus
port could send a specially crafted message whose declared lengths
exceed the packet size, causing the server to read out of bounds and
potentially crash, resulting in a denial of service.
For the oldstable distribution (bookworm), these problems have been fixed
in version 5:7.0.15-1~deb12u7.
For the stable distribution (trixie), these problems have been fixed in
version 8.0.2-3+deb13u2.
We recommend that you upgrade your redis packages.
For the detailed security status of redis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/redis
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
