Format: 1.8
Date: Mon, 30 Mar 2026 18:47:11 -0300
Source: valkey
Architecture: source
Version: 8.1.4+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Lucas Kanashiro <kanashiro@debian.org>
Changed-By: Lucas Kanashiro <kanashiro@debian.org>
Closes: 1130911
Changes:
 valkey (8.1.4+dfsg1-2) unstable; urgency=medium
 .
   * Fix CVE-2025-67733 (Closes: #1130911). A malicious user can use
     scripting commands to inject arbitrary information into the response
     stream for the given client, potentially corrupting or returning
     tampered data to other users on the same connection. The error
     handling code for Lua scripts does not properly handle null characters.
     - d/p/CVE-2025-67733.patch
   * Fix CVE-2026-21863 (Closes: #1130911). A malicious actor with access to
     the Valkey clusterbus port can send an invalid packet that may cause an
     out-of-bounds read, which might result in the system crashing. The
     Valkey clusterbus packet processing code does not validate that a
     clusterbus ping extension packet is located within the buffer of the
     clusterbus packet before attempting to read it.
     - d/p/CVE-2026-21863.patch
Checksums-Sha1:
 0b3d284390c529cf50d288a453bf10350b3b5046 2243 valkey_8.1.4+dfsg1-2.dsc
 e884d66f0733df77f4fa241434fbf3e026f4ca3d 20440 valkey_8.1.4+dfsg1-2.debian.tar.xz
Checksums-Sha256:
 761e8ae1f56b033b0dbdd148ebd2585ccb2ba30738b45bbd161c196c1df48fa1 2243 valkey_8.1.4+dfsg1-2.dsc
 89991fb4520b4555533f6f5b8f1e47a9673f2a2c8571b69b07bd1a2f56463ea0 20440 valkey_8.1.4+dfsg1-2.debian.tar.xz
Files:
 9783a7dce52098b9ee1bab5f5c34546b 2243 database optional valkey_8.1.4+dfsg1-2.dsc
 004e9dfcf9e8df1e9fa4dd932417f95e 20440 database optional valkey_8.1.4+dfsg1-2.debian.tar.xz