See https://jvn.jp/en/jp/JVN19358384/
This fixes the following vulnerability:
- CVE-2025-24912:
hostapd fails to process crafted RADIUS packets properly. When hostapd
authenticates wi-fi devices with RADIUS authentication, an attacker in
the position between the hostapd and the RADIUS server may inject
crafted RADIUS packets and force RADIUS authentications to fail.
https://www.cve.org/CVERecord?id=CVE-2025-24912
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8282aaf094)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
iozone releases 3.507 and 3.508 seems to be only build fixes releases
for latest GCC compiler version but since there is no public vcs
it's not easy to review the history between releases and backport
any patches.
Based on the changelog from [1]:
Revision 3.507
Fix GCC compile warnings.
Revision 3.508
Put an end to the (&*% stupid GCC breaking builds for no valid reason.
So bump to the latest 508 release.
Rebase 0001-Add-new-targets-for-iozone.patch
Rebase 0002-fix-build-without-aio.patch and convert to git format
The TestIozone build issue is not yet fixed by the version bump [2].
[1] https://www.iozone.org/src/current/Changes.txt
[2] https://gitlab.com/buildroot.org/buildroot/-/jobs/11176774405
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 70cefcac9e)
[thomas: this with the next patch actually fixes build issue with GCC14 and not only GCC15]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In commit [1] the package netsnmp was bumped on master to version 5.9.4.
This version included fixes for CVE that were already patched in
buildroot and thus was not picked on the LTS branch.
As a consequence, the commit [2] was made on master which removed the
stale 'IGNORE_CVES' for the patches no longer presents. This commit was
wrongly picked on the LTS branch.
This reverts commit [3] which was included in 2025.02.x to set the
'IGNORE_CVES' back to the state of version 5.9.3.
[1] 1799cfebfd package/netsnmp: bump to version 5.9.4
[2] 4a3eab8341 package/netsnmp: drop stale ignore CVE entries
[3] 3ef8c1d0db package/netsnmp: drop stale ignore CVE entries
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
In commit [1], the only 'engicam' board config present on the 2025.02.x
branch was removed.
On the master branch the 'px30core' board is present because it was
added in commit [2] not picked on LTS branch.
So the DEVELOPERS entry for Jagan Teki that match every 'engicam' board
was not removed.
This patch removes this entry to remove the post commit hook warning.
[1] 13eb6c293e configs/engicam_imx6*: remove defconfigs, broken
[2] 6e6bd098c3 configs/engicam_px30_core_defconfig: new defconfig
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The commit adds a backported upstream patch to fix the following build
failure:
ptp2/ptp-pack.c:3168:31: note: earlier argument should specify number of elements, later size of each element
ptp2/chdk.c: In function 'yuv_live_to_jpeg':
ptp2/chdk.c:1203:41: error: passing argument 3 of 'jpeg_mem_dest' from incompatible pointer type [-Wincompatible-pointer-types]
1203 | jpeg_mem_dest (&cinfo, &outbuf, &outlen);
| ^~~~~~~
| |
| uint64_t * {aka long long unsigned int *}
In file included from ptp2/chdk.c:31:
/home/autobuild/autobuild/instance-0/output-1/per-package/libgphoto2/host/armeb-buildroot-linux-gnueabi/sysroot/usr/include/jpeglib.h:989:43: note: expected 'long unsigned int *' but argument is of type 'uint64_t *' {aka 'long long unsigned int *'}
989 | unsigned long *outsize);
Fixes:
- https://autobuild.buildroot.org/results/db742e301a401c9f4bdf3c7e8cfde9f0ba1c4558
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ebd07998d0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This contains many bug and security fixes since v22.12.0.
See the release notes: https://poppler.freedesktop.org/releases.html
In addition:
- Drop patch that has been applied upstream
- Update a few cmake configuration options that changed upstream
There is currently a build failure when enabling gpgme, so disable it
unconditionally for now.
Finally, this fixes the following vulnerabilities:
- CVE-2024-6239:
A flaw was found in the Poppler's Pdfinfo utility. This issue occurs
when using -dests parameter with pdfinfo utility. By using certain
malformed input files, an attacker could cause the utility to crash,
leading to a denial of service.
https://www.cve.org/CVERecord?id=CVE-2024-6239
- CVE-2024-56378:
libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read
vulnerability within the JBIG2Bitmap::combine function in
JBIG2Stream.cc.
https://www.cve.org/CVERecord?id=CVE-2024-56378
- CVE-2025-32364:
A floating-point exception in the PSStack::roll function of Poppler
before 25.04.0 can cause an application to crash when handling
malformed inputs associated with INT_MIN.
https://www.cve.org/CVERecord?id=CVE-2025-32364
- CVE-2025-32365:
Poppler before 25.04.0 allows crafted input files to trigger out-of-
bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc
because of a misplaced isOk check.
https://www.cve.org/CVERecord?id=CVE-2025-32365
- CVE-2025-43903:
NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the
adbe.pkcs7.sha1 signatures on documents, resulting in potential
signature forgeries.
https://www.cve.org/CVERecord?id=CVE-2025-43903
- CVE-2025-50420:
An issue in the pdfseparate utility of freedesktop poppler v25.04.0
allows attackers to cause an infinite recursion via supplying a
crafted PDF file. This can lead to a Denial of Service (DoS).
https://www.cve.org/CVERecord?id=CVE-2025-50420
- CVE-2025-52886:
Poppler is a PDF rendering library. Versions prior to 25.06.0 use
`std::atomic_int` for reference counting. Because `std::atomic_int` is
only 32 bits, it is possible to overflow the reference count and
trigger a use-after-free. Version 25.06.0 patches the issue.
https://www.cve.org/CVERecord?id=CVE-2025-52886
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: mark commit as "security" in commit log title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cdd1c5ca55)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Do not bump to a more recent version, as the build system has
fundamentally changed.
See the release notes:
- https://github.com/netdata/netdata/releases/tag/1.34.0
- https://github.com/netdata/netdata/releases/tag/v1.34.1
- https://github.com/netdata/netdata/releases/tag/v1.35.0
- https://github.com/netdata/netdata/releases/tag/v1.35.1
- https://github.com/netdata/netdata/releases/tag/v1.36.0
- https://github.com/netdata/netdata/releases/tag/v1.36.1
- https://github.com/netdata/netdata/releases/tag/v1.37.0
- https://github.com/netdata/netdata/releases/tag/v1.37.1
In addition, add upstream patch to fix cross-compilation.
This fixes the following vulnerabilities:
- CVE-2023-22496:
Netdata is an open source option for real-time infrastructure
monitoring and troubleshooting. An attacker with the ability to
establish a streaming connection can execute arbitrary commands on the
targeted Netdata agent. When an alert is triggered, the function
`health_alarm_execute` is called. This function performs different
checks and then enqueues a command by calling `spawn_enq_cmd`. This
command is populated with several arguments that are not sanitized.
One of them is the `registry_hostname` of the node for which the alert
is raised. By providing a specially crafted `registry_hostname` as
part of the health data that is streamed to a Netdata (parent) agent,
an attacker can execute arbitrary commands at the remote host as a
side-effect of the raised alert. Note that the commands are executed
as the user running the Netdata Agent. This user is usually named
`netdata`. The ability to run arbitrary commands may allow an attacker
to escalate privileges by escalating other vulnerabilities in the
system, as that user. The problem has been fixed in: Netdata agent
v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a
workaround, streaming is not enabled by default. If you have
previously enabled this, it can be disabled. Limiting access to the
port on the recipient Agent to trusted child connections may mitigate
the impact of this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2023-22496
- CVE-2023-22497:
Netdata is an open source option for real-time infrastructure
monitoring and troubleshooting. Each Netdata Agent has an
automatically generated MACHINE GUID. It is generated when the agent
first starts and it is saved to disk, so that it will persist across
restarts and reboots. Anyone who has access to a Netdata Agent has
access to its MACHINE_GUID. Streaming is a feature that allows a
Netdata Agent to act as parent for other Netdata Agents (children),
offloading children from various functions (increased data retention,
ML, health monitoring, etc) that can now be handled by the parent
Agent. Configuration is done via `stream.conf`. On the parent side,
users configure in `stream.conf` an API key (any random UUID can do)
to provide common configuration for all children using this API key
and per MACHINE GUID configuration to customize the configuration for
each child. The way this was implemented, allowed an attacker to use a
valid MACHINE_GUID as an API key. This affects all users who expose
their Netdata Agents (children) to non-trusted users and they also
expose to the same users Netdata Agent parents that aggregate data
from all these children. The problem has been fixed in: Netdata agent
v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a
workaround, do not enable streaming by default. If you have previously
enabled this, it can be disabled. Limiting access to the port on the
recipient Agent to trusted child connections may mitigate the impact
of this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2023-22497
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add comment before _AUTORECONF with patch name]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9cfcd906cf)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Backport upstream patch, that was released in GLib 2.84.4 [1],
such that we can apply it onto GLib 2.82 in Buildroot LTS
This fixes the following vulnerability:
- CVE-2025-7039:
A flaw was found in glib. An integer overflow during temporary file
creation leads to an out-of-bounds memory access, allowing an attacker
to potentially perform path traversal or access private temporary file
content by creating symbolic links. This vulnerability allows a local
attacker to manipulate file paths and access unauthorized data. The
core issue stems from insufficient validation of file path lengths
during temporary file operations.
https://www.cve.org/CVERecord?id=CVE-2025-7039
[1] https://gitlab.gnome.org/GNOME/glib/-/releases/2.84.4
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
(cherry picked from commit 3252f45279)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the release notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352411&projectId=10510
Also update the download site to https
This fixes the following vulnerability:
- CVE-2024-23807:
The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5
contains a use-after-free error triggered during the scanning of
external DTDs. Users are recommended to upgrade to version 3.2.5
which fixes the issue, or mitigate the issue by disabling DTD
processing. This can be accomplished via the DOM using a standard
parser feature, or via SAX using the XERCES_DISABLE_DTD environment
variable. This issue has been disclosed before as CVE-2018-1311, but
unfortunately that advisory incorrectly stated the issue would be
fixed in version 3.2.3 or 3.2.4.
https://www.cve.org/CVERecord?id=CVE-2024-23807
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 246f2eca20)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building in parallel with per-package directories
(BR2_PER_PACKAGE_DIRECTORIES=y), brmake output is often garbled:
2025-10-08T18:39:10 >>> host-dtc 1.7.2 Building
2025-10-08T18:39:11 checking for stdint.h... >>> host-dtc 1.7.2 Installing to host directory
2025-10-08T18:39:12 checking for limits.h... >>> host-gmp 6.3.0 Installing to host directory
Remove the spurious string between the timestamp and the ">>>" marker to
fix this.
We need some extra care to preserve the preceding "term bold" special
characters sequence.
We also prevent grep and sed to buffer their output too much. This leads to
more frequent output even when we might not be connected to a terminal; for
example: when brmake's output is piped to another program or when running
in CI.
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c9dca7f4c3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the many release notes: https://github.com/libvips/libvips/releases
Along that version bump:
- Change source code archive compression from .gz to .xz as this the
new upstream delivery format
- Switch from autotools to meson build system (see upstream commit
538aa2a841)
- Update the LICENSE file (see upstream commit
057703938e)
This fixes the following vulnerabilities:
- CVE-2025-29769:
libvips is a demand-driven, horizontally threaded image processing
library. The heifsave operation could incorrectly determine the
presence of an alpha channel in an input when it was not possible to
determine the colour interpretation, known internally within libvips
as "multiband". There aren't many ways to create a "multiband" input,
but it is possible with a well-crafted TIFF image. If a "multiband"
TIFF input image had 4 channels and HEIF-based output was requested,
this led to libvips creating a 3 channel HEIF image without an alpha
channel but then attempting to write 4 channels of data. This caused a
heap buffer overflow, which could crash the process. This
vulnerability is fixed in 8.16.1.
https://www.cve.org/CVERecord?id=CVE-2025-29769
- CVE-2025-59933:
libvips is a demand-driven, horizontally threaded image processing
library. For versions 8.17.1 and below, when libvips is compiled with
support for PDF input via poppler, the pdfload operation is affected
by a buffer read overflow when parsing the header of a crafted PDF
with a page that defines a width but not a height. Those using libvips
compiled without support for PDF input are unaffected as well as
thosewith support for PDF input via PDFium. This issue is fixed in
version 8.17.2. A workaround for those affected is to block the
VipsForeignLoadPdf operation via vips_operation_block_set, which is
available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED
environment variable at runtime, which will block all untrusted
loaders including PDF input via poppler.
https://www.cve.org/CVERecord?id=CVE-2025-59933
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: update _LICENSE_FILES to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 72c7d99e22)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The patch bumps the Linux kernel to version 6.1.155. The size of
xipImage has increased by only 1126 bytes (1673444 bytes compared to
1672318 in version 6.1.143).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 675bb8337d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The patch bumps the Linux kernel to version 6.1.143. The size of xipImage
has increased by only 514 bytes (1672318 bytes compared to 1671804 in
version 6.1.133).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0c9a4b7995)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When mjpg-streamer is built with gcc >= 14 using libjpeg (rather than
jpeg-turbo), and with SDL is enabled (to enable the output_viewer),
the compilation can fail with error:
output_viewer.c:125:32: error: assignment to ‘boolean (*)(struct jpeg_decompress_struct *)’ from incompatible pointer type ‘int (*)(struct jpeg_decompress_struct *)’ [-Wincompatible-pointer-types]
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_LIBJPEG=y
BR2_PACKAGE_MJPG_STREAMER=y
BR2_PACKAGE_SDL=y
EOF
make olddefconfig
make mjpg-streamer
This commit adds a patch to fix this issue.
Fixes:
https://autobuild.buildroot.net/results/3a5/3a5674e4e7bb3f2894575191af24598e2a696912/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add commands to reproduce the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit af4eef1e0f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit 553c55e9bd added the
qt6multimedia package including an option to build examples which
contains a dependency to qt6svg without selecting the package in
Config.in.
Fixes:
https://autobuild.buildroot.org/results/c94670cf255a1a6975e99d7b22a159f7fdc6f850/
Makefile:578: *** qt6svg is in the dependency chain of qt6multimedia
that has added it to its _DEPENDENCIES variable without selecting it
or depending on it from Config.in. Stop.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f37c48faf6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add an upstream patch to fix a build issue related to uint64_t:
utils.c: In function ‘get_uint64’:
utils.c:118:18: error: passing argument 1 of ‘str_toul’ from incompatible pointer type [-Wincompatible-pointer-types]
118 | str_toul(&defval, p, NULL, 16);
| ^~~~~~~
| |
| uint64_t * {aka long long unsigned int *}
In file included from utils.c:48:
utils.h:412:29: note: expected ‘long unsigned int *’ but argument is of type ‘uint64_t *’ {aka ‘long long unsigned int *’}
Fixes:
https://autobuild.buildroot.org/results/51af1d7bf71061f22d49213951a5f6a9565710c3/
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c8923662cc)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the changelog:
https://docs.python.org/release/3.12.12/whatsnew/changelog.html#python-3-12-12
And the announcement:
https://www.python.org/downloads/release/python-31212/
This provides the following security fixes:
- gh-139312: Upgraded bundled libexpat to 2.7.3 to fix CVE-2025-59375
- gh-139700: Check consistency of the zip64 end of central directory record.
Support records with “zip64 extensible data” if there are no bytes
prepended to the ZIP file.
- gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only
garbage-collected once they are no longer referenced by subparsers created
by ExternalEntityParserCreate(). Patch by Sebastian Pipping.
- gh-135661: Fix parsing start and end tags in html.parser.HTMLParser
according to the HTML5 standard.
- gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to
the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add
private method _set_support_cdata() which can be used to specify how to
parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as
a bogus comment in the HTML namespace.
- gh-102555: Fix comment parsing in html.parser.HTMLParser according to the
HTML5 standard. --!> now ends the comment. -- > no longer ends the comment.
Support abnormally ended empty comments <--> and <--->.
- gh-135462: Fix quadratic complexity in processing specially crafted input
in html.parser.HTMLParser. End-of-file errors are now handled according
to the HTML5 specs – comments and declarations are automatically closed,
tags are ignored.
- gh-118350: Fix support of escapable raw text mode (elements “textarea” and
“title”) in html.parser.HTMLParser.
- gh-86155: html.parser.HTMLParser.close() no longer loses data when the
<script> tag is not closed. Patch by Waylan Limberg.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
(cherry picked from commit d16c812b7e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the release notes:
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.11
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.12
This fixes the following vulnerabilities:
- CVE-2025-52891:
ModSecurity is an open source, cross platform web application firewall
(WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before
2.9.11, an empty XML tag can cause a segmentation fault. If
SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is
application/xml, and at least one XML tag is empty (eg <foo></foo>),
then a segmentation fault occurs. This issue has been patched in
version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to
Off.
https://www.cve.org/CVERecord?id=CVE-2025-52891
- CVE-2025-54571:
ModSecurity is an open source, cross platform web application firewall
(WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below,
an attacker can override the HTTP response’s Content-Type, which could
lead to several issues depending on the HTTP scenario. For example, we
have demonstrated the potential for XSS and arbitrary script source
code disclosure in the latest version of mod_security2. This issue is
fixed in version 2.9.12.
https://www.cve.org/CVERecord?id=CVE-2025-54571
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 684462bbe8)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the release notes:
https://github.com/redis/redis/blob/7.2.11/00-RELEASENOTES
This fixes the following vulnerabilities (in the Lua scripting engine):
- CVE-2025-46817:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to cause an integer overflow and
potentially lead to remote code execution The problem exists in all
versions of Redis with Lua scripting. This issue is fixed in version
8.2.2.
https://www.cve.org/CVERecord?id=CVE-2025-46817
- CVE-2025-46818:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to manipulate different LUA objects and
potentially run their own code in the context of another user. The
problem exists in all versions of Redis with LUA scripting. This issue
is fixed in version 8.2.2. A workaround to mitigate the problem
without patching the redis-server executable is to prevent users from
executing LUA scripts. This can be done using ACL to block a script by
restricting both the EVAL and FUNCTION command families.
https://www.cve.org/CVERecord?id=CVE-2025-46818
- CVE-2025-46819:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted LUA script to read out-of-bound data or crash the
server and subsequent denial of service. The problem exists in all
versions of Redis with Lua scripting. This issue is fixed in version
8.2.2. To workaround this issue without patching the redis-server
executable is to prevent users from executing Lua scripts. This can be
done using ACL to block a script by restricting both the EVAL and
FUNCTION command families.
https://www.cve.org/CVERecord?id=CVE-2025-46819
- CVE-2025-49844:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to manipulate the garbage collector,
trigger a use-after-free and potentially lead to remote code
execution. The problem exists in all versions of Redis with Lua
scripting. This issue is fixed in version 8.2.2. To workaround this
issue without patching the redis-server executable is to prevent users
from executing Lua scripts. This can be done using ACL to restrict
EVAL and EVALSHA commands.
https://www.cve.org/CVERecord?id=CVE-2025-49844
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
