[Buildroot] [PATCH for 2025.08.x] package/redis: security bump to v8.0.4
Titouan Christophe
titouan.christophe at mind.be
Tue Oct 14 11:12:27 UTC 2025
See the release notes:
https://github.com/redis/redis/blob/8.0.4/00-RELEASENOTES
This fixes the following vulnerabilities (in the Lua scripting engine):
- CVE-2025-46817:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to cause an integer overflow and
potentially lead to remote code execution The problem exists in all
versions of Redis with Lua scripting. This issue is fixed in version
8.2.2.
https://www.cve.org/CVERecord?id=CVE-2025-46817
- CVE-2025-46818:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to manipulate different LUA objects and
potentially run their own code in the context of another user. The
problem exists in all versions of Redis with LUA scripting. This issue
is fixed in version 8.2.2. A workaround to mitigate the problem
without patching the redis-server executable is to prevent users from
executing LUA scripts. This can be done using ACL to block a script by
restricting both the EVAL and FUNCTION command families.
https://www.cve.org/CVERecord?id=CVE-2025-46818
- CVE-2025-46819:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted LUA script to read out-of-bound data or crash the
server and subsequent denial of service. The problem exists in all
versions of Redis with Lua scripting. This issue is fixed in version
8.2.2. To workaround this issue without patching the redis-server
executable is to prevent users from executing Lua scripts. This can be
done using ACL to block a script by restricting both the EVAL and
FUNCTION command families.
https://www.cve.org/CVERecord?id=CVE-2025-46819
- CVE-2025-49844:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to manipulate the garbage collector,
trigger a use-after-free and potentially lead to remote code
execution. The problem exists in all versions of Redis with Lua
scripting. This issue is fixed in version 8.2.2. To workaround this
issue without patching the redis-server executable is to prevent users
from executing Lua scripts. This can be done using ACL to restrict
EVAL and EVALSHA commands.
https://www.cve.org/CVERecord?id=CVE-2025-49844
Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
---
package/redis/redis.hash | 2 +-
package/redis/redis.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/redis/redis.hash b/package/redis/redis.hash
index c66223f2da..e9a495d633 100644
--- a/package/redis/redis.hash
+++ b/package/redis/redis.hash
@@ -1,5 +1,5 @@
# From https://github.com/redis/redis-hashes/blob/master/README
-sha256 33f37290b00b14e9a884dd4dcba335febd63ea16c51609d34fa41e031ad587df redis-8.0.3.tar.gz
+sha256 7e185265d455ea8deb6bb7e071352ea691ca4d7b5105fc172fa524af59917b89 redis-8.0.4.tar.gz
# Locally calculated
sha256 4a0e416b9537688f30dfe69ddaceb2ca64d96b7df02a0a6760d376890ddc4e40 LICENSE.txt
diff --git a/package/redis/redis.mk b/package/redis/redis.mk
index 5ffb2a929f..b954190546 100644
--- a/package/redis/redis.mk
+++ b/package/redis/redis.mk
@@ -4,7 +4,7 @@
#
################################################################################
-REDIS_VERSION = 8.0.3
+REDIS_VERSION = 8.0.4
REDIS_SITE = http://download.redis.io/releases
REDIS_LICENSE = \
AGPL-3.0 or SSPL-1.0 or RSAL-2.0 (core); \
--
2.51.0
More information about the buildroot
mailing list