Debian Package Tracker

valkey

general
  • source: valkey (main)
  • version: 8.1.4+dfsg1-1
  • maintainer: Lucas Kanashiro (DMD)
  • arch: any
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions
  • old-bpo: 8.0.1+dfsg1-1~bpo12+1
  • stable: 8.1.1+dfsg1-3+deb13u1
  • stable-sec: 8.1.1+dfsg1-3+deb13u1
  • testing: 8.1.4+dfsg1-1
  • unstable: 8.1.4+dfsg1-1
binaries
  • valkey-sentinel
  • valkey-server (2 bugs: 0, 2, 0, 0)
  • valkey-tools
action needed
2 security issues in trixie [high]

There are 2 open security issues in trixie.

2 important issues:
  • CVE-2025-67733: Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for Lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
  • CVE-2026-21863: Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out-of-bounds read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within the buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.
Created: 2026-02-24 Last update: 2026-02-24 21:33
2 security issues in sid [high]

There are 2 open security issues in sid.

2 important issues:
  • CVE-2025-67733 (description as listed for trixie above)
  • CVE-2026-21863 (description as listed for trixie above)
Created: 2026-02-24 Last update: 2026-02-24 21:33
2 security issues in forky [high]

There are 2 open security issues in forky.

2 important issues:
  • CVE-2025-67733 (description as listed for trixie above)
  • CVE-2026-21863 (description as listed for trixie above)
Created: 2026-02-24 Last update: 2026-02-24 21:33
A new upstream version is available: 9.0.2 [high]
A new upstream version 9.0.2 is available, you should consider packaging it.
Created: 2025-11-27 Last update: 2026-02-24 19:30
1 open merge request in Salsa [normal]
There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.
Created: 2025-09-21 Last update: 2025-09-21 05:32
debian/patches: 5 patches to forward upstream [low]

Among the 5 debian patches available in version 8.1.4+dfsg1-1 of the package, we noticed the following issues:

  • 5 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2024-10-13 Last update: 2025-10-24 10:46
Standards version of the package is outdated. [wishlist]
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.3 instead of 4.7.2).
Created: 2025-12-23 Last update: 2025-12-23 20:00
news
  • [2025-10-31] Accepted valkey 8.1.1+dfsg1-3+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2025-10-26] valkey 8.1.4+dfsg1-1 MIGRATED to testing (Debian testing watch)
  • [2025-10-24] Accepted valkey 8.1.4+dfsg1-1 (source) into unstable (Lucas Kanashiro)
  • [2025-10-09] Accepted valkey 8.1.1+dfsg1-3+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2025-07-15] valkey 8.1.1+dfsg1-3 MIGRATED to testing (Debian testing watch)
  • [2025-07-09] Accepted valkey 8.1.1+dfsg1-3 (source) into unstable (Lucas Kanashiro)
  • [2025-06-15] valkey 8.1.1+dfsg1-2 MIGRATED to testing (Debian testing watch)
  • [2025-06-12] Accepted valkey 8.1.1+dfsg1-2 (source) into unstable (Lucas Kanashiro)
  • [2025-06-12] valkey 8.1.1+dfsg1-1.1 MIGRATED to testing (Debian testing watch)
  • [2025-06-09] Accepted valkey 8.1.1+dfsg1-1.1 (source) into unstable (Salvatore Bonaccorso)
  • [2025-05-09] valkey 8.1.1+dfsg1-1 MIGRATED to testing (Debian testing watch)
  • [2025-04-28] Accepted valkey 8.1.1+dfsg1-1 (source) into unstable (Lucas Kanashiro)
  • [2025-01-16] valkey 8.0.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
  • [2025-01-14] Accepted valkey 8.0.2+dfsg1-1 (source) into unstable (Lucas Kanashiro)
  • [2024-12-21] Accepted valkey 8.0.1+dfsg1-1~bpo12+1 (source amd64) into stable-backports (Debian FTP Masters) (signed by: Boyuan Yang)
  • [2024-10-21] valkey 8.0.1+dfsg1-1 MIGRATED to testing (Debian testing watch)
  • [2024-10-18] Accepted valkey 8.0.1+dfsg1-1 (source) into unstable (Lucas Kanashiro)
  • [2024-10-15] valkey 7.2.5+dfsg1-2 MIGRATED to testing (Debian testing watch)
  • [2024-10-13] Accepted valkey 7.2.5+dfsg1-2 (source amd64) into unstable (Debian FTP Masters) (signed by: Lucas Kanashiro)
  • [2024-10-13] Accepted valkey 7.2.5+dfsg1-1 (source amd64) into unstable (Debian FTP Masters) (signed by: Lucas Kanashiro)
bugs
  • all: 2
  • RC: 0
  • I&N: 2
  • M&W: 0
  • F&P: 0
  • patch: 0
ubuntu
  • version: 9.0.2-0ubuntu1