File _patchinfo of Package patchinfo.42853
<patchinfo incident="42853">
  <!--generated with prepare-update from request 402065-->
  <issue tracker="bnc" id="1258746">VUL-0: CVE-2025-67733: valkey: data tampering and denial of service via improper null character handling in Lua scripts</issue>
  <issue tracker="bnc" id="1258788">VUL-0: CVE-2026-21863: valkey: denial of service via invalid clusterbus packet</issue>
  <issue tracker="cve" id="2025-67733"/>
  <issue tracker="cve" id="2026-21863"/>
  <category>security</category>
  <rating>moderate</rating>
  <packager>ateixeira</packager>
  <summary>Security update for valkey</summary>
  <description>This update for valkey fixes the following issues:

Update to version 8.0.7.

Security issues fixed:

- CVE-2025-67733: data tampering and denial of service via improper null character handling in Lua scripts (bsc#1258746).
- CVE-2026-21863: denial of service via invalid clusterbus packet (bsc#1258788).

Other updates and bugfixes:

- ltrim should not call signalModifiedKey when no elements are removed (#2787)
- chained replica crash when doing dual channel replication (#2983)
- used_memory_dataset underflow due to miscalculated used_memory_overhead (#3005)
- avoids crash during MODULE UNLOAD when ACL rules reference a module command and subcommand (#3160)
- server assert on ACL LOAD and resetchannels (#3182)
- bug causing no response flush sometimes when IO threads are busy (#3205)
</description>
</patchinfo>