Explore top 10 tips to secure your open-source projects now. Read More
×
It was discovered that there were two issues in Redis, the in-memory key/value database: CVE-2026-23631 An authenticated attacker could have exploited the master-replica synchronization mechanism to trigger a use-after-free on replicas. Debian LTS Advisory DLA-4682-1
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-23229 http://linux.oracle.com/errata/ELSA-2026-23229.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: redis-6.2.22-1.el9_8.x86_64.rpm redis-devel-6.2.22-1.el9_8.i686.rpm redis-devel-6.2.22-1.el9_8.x86_64.rpm redis-doc-6.2.22-1.el9_8.noarch.rpm aarch64: redis-6.2.22-1.el9_8.aarch64.rpm redis-devel-6.2.22-1.el9_8.aarch64.rpm redis-doc-6.2.22-1.el9_8.noarch.rpm SRPMS: http://oss.oracle.com/ol9/SRPMS-updates/redis-6.2.22-1.el9_8.src.rpm Related CVEs: CVE-2026-25243 Description of changes: [6.2.22-1] - rebase to 6.2.22 for CVE-2026-25243 _______________________________________________ El-errata mailing list
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-25219 http://linux.oracle.com/errata/ELSA-2026-25219.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: redis-7.2.14-1.0.1.module+el9.8.0+90920+b17784e3.x86_64.rpm redis-devel-7.2.14-1.0.1.module+el9.8.0+90920+b17784e3.x86_64.rpm redis-doc-7.2.14-1.0.1.module+el9.8.0+90920+b17784e3.noarch.rpm aarch64: redis-7.2.14-1.0.1.module+el9.8.0+90920+b17784e3.aarch64.rpm redis-devel-7.2.14-1.0.1.module+el9.8.0+90920+b17784e3.aarch64.rpm redis-doc-7.2.14-1.0.1.module+el9.8.0+90920+b17784e3.noarch.rpm SRPMS: http://oss.oracle.com/ol9/SRPMS-updates/redis-7.2.14-1.0.1.module+el9.8.0+90920+b17784e3.src.rpm Related CVEs: CVE-2026-23479 CVE-2026-23631 CVE-2026-25243 Description of changes: [7.2.14-1.0.1] - Build with 64k pages to support redis on UEK on aarch64 [7.2.14-1] - rebase to 7.2.14 for CVE-2026-23479 CVE-2026-25243 CVE-2026-23631 _______________________________________________ El-errata mailing list
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-26008 http://linux.oracle.com/errata/ELSA-2026-26008.html The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: x86_64: redis-6.2.22-1.0.1.module+el8.10.0+90916+da0c6127.x86_64.rpm redis-devel-6.2.22-1.0.1.module+el8.10.0+90916+da0c6127.x86_64.rpm redis-doc-6.2.22-1.0.1.module+el8.10.0+90916+da0c6127.noarch.rpm aarch64: redis-6.2.22-1.0.1.module+el8.10.0+90916+da0c6127.aarch64.rpm redis-devel-6.2.22-1.0.1.module+el8.10.0+90916+da0c6127.aarch64.rpm redis-doc-6.2.22-1.0.1.module+el8.10.0+90916+da0c6127.noarch.rpm SRPMS: http://oss.oracle.com/ol8/SRPMS-updates/redis-6.2.22-1.0.1.module+el8.10.0+90916+da0c6127.src.rpm Related CVEs: CVE-2026-25243 Description of changes: [6.2.22-1.0.1] - Build with 64k pages to support redis on both UEK6 and UEK7 on aarch64 [6.2.22-1] - rebase to 6.2.22 for CVE-2026-25243 _______________________________________________ El-errata mailing list
Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-3b3139882c 2026-05-18 00:40:49.529034+00:00 -------------------------------------------------------------------------------- Name : coturn Product : Fedora 44 Version : 4.11.0 Release : 1.fc44 URL : https://github.com/coturn/coturn/ Summary : TURN/STUN & ICE Server Description : The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying TURN extension - RFC 6156 - IPv6 extension for TURN - Experimental DTLS support as client protocol. STUN specs: - RFC 3489 - "classic" STUN - RFC 5389 - base "new" STUN specs - RFC 5769 - test vectors for STUN protocol testing - RFC 5780 - NAT behavior discovery support The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) - TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: - UDP (per RFC 5766) - TCP (per RFC 6062) Supported user databases (for user repository, with passwords or keys, if authentication is required): - SQLite - MySQL - PostgreSQL - Redis Redis can also be used for status and statistics storage and notification. Supported TURN authentication mechanisms: - long-term - TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications) The load balancing can be implemented withthe following tools (either one or a combination of them): - network load-balancer server - DNS-based load balancing - built-in ALTERNATE-SERVER mechanism. -------------------------------------------------------------------------------- Update Information: Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup Pin session origin only after MESSAGE-INTEGRITY validates Fix build failure: define _GNU_SOURCE for recvmmsg() on Linux Drop udp_relay_servers_number config and clean up dead UDP id-space Add Unity-based unit test scaffolding Delete log line per relay thread on start Out of bound HTTP detection in parser Extend STUN client fuzz builder coverage Extend fuzzing coverage and enable local fuzzing in a container Cover all public stun_buffer.c wrappers in FuzzStunClient HTTP parsing fixes Unblock fuzz coverage for is_http and rare STUN attributes Seed address-mapping table in fuzz initializer Add deterministic challenge-response builder to FuzzStun Add fuzz coverage for integrity helpers Hoist turn_server_get_engine() out of per-packet hot path Inline addr_cpy() in the header Trim two redundant checks from per-packet relay hot path Inline get_ioa_addr_len() in the header Cache hot lookups in TURN data-path handlers Load generator mode in turnutils_uclient Filc harness and pointer typedefs -------------------------------------------------------------------------------- ChangeLog: * Sat May 9 2026 Robert Scheck - 4.11.0-1 - Upgrade to 4.11.0 (#2466643) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2466643 - coturn-4.11.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2466643 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program.Use su -c 'dnf upgrade --advisory FEDORA-2026-3b3139882c' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Brief introduction CVE-2025-67733 A flaw in the Lua scripting error path allowed an authenticated user to embed CR/LF byte sequences in an error reply produced via redis.error_reply() or the Lua error() function. Because RESP uses. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6279-1
MGASA-2026-0134 - Updated redis packages fix security vulnerabilities. MGASA-2026-0134 - Updated redis packages fix security vulnerabilities Publication date: 14 May 2026 URL: https://advisories.mageia.org/MGASA-2026-0134.html Type: security Affected Mageia releases: 9 CVE: CVE-2026-23479, CVE-2026-23631, CVE-2026-25243, CVE-2026-25588, CVE-2026-25589 Description: (CVE-2026-23479) Use-After-Free in unblock client flow may lead to Remote Code Execution. (CVE-2026-25243) Invalid memory access in RESTORE may lead to Remote Code Execution (CVE-2026-23631) Lua Use-After-Free may lead to remote code execution A user can manipulate data read by a connection by injecting \r\n sequences into a Redis error reply References: - https://bugs.mageia.org/show_bug.cgi?id=35514 - https://lists.opensuse.org/archives/list/
An update that solves 5 vulnerabilities can now be installed.. # redis-8.6.3-1.1 on GA media Announcement ID: openSUSE-SU-2026:10711-1 Rating: moderate Cross-References: * CVE-2026-23479 * CVE-2026-23631 * CVE-2026-25243 * CVE-2026-25588 * CVE-2026-25589 CVSS scores: * CVE-2026-23479 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-23479 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-23631 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-23631 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-25243 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-25243 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-25588 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-25588 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-25589 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-25589 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Affected Products: * openSUSE Tumbleweed An update that solves 5 vulnerabilities can now be installed. ## Description: These are all security issues fixed in the redis-8.6.3-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * redis 8.6.3-1.1 ## References: * https://www.suse.com/security/cve/CVE-2026-23479.html * https://www.suse.com/security/cve/CVE-2026-23631.html * https://www.suse.com/security/cve/CVE-2026-25243.html * https://www.suse.com/security/cve/CVE-2026-25588.html * https://www.suse.com/security/cve/CVE-2026-25589.html . An update for openSUSE addresses five important vulnerabilities in redis-8.6.3-1.1, enhancing system security.. redis security fixes, openSUSE redisvulnerabilities, security patches for redis. . LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.