git: cbfeceada5ee - main - security/vuxml: Add entry for databases/redis

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Muhammad Moinur Rahman <bofh_at_FreeBSD.org>
Date: Mon, 03 Nov 2025 07:55:57 UTC
The branch main has been updated by bofh:

URL: https://cgit.FreeBSD.org/ports/commit/?id=cbfeceada5eee0744e74c99154705474d0e11526

commit cbfeceada5eee0744e74c99154705474d0e11526
Author:     Muhammad Moinur Rahman <bofh@FreeBSD.org>
AuthorDate: 2025-11-03 07:52:58 +0000
Commit:     Muhammad Moinur Rahman <bofh@FreeBSD.org>
CommitDate: 2025-11-03 07:55:37 +0000

    security/vuxml: Add entry for databases/redis
---
 security/vuxml/vuln/2025.xml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index 22355dc41be2..ff3756a27fc9 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,40 @@
+  <vuln vid="5523394e-b889-11f0-9446-f02f7497ecda">
+    <topic>redis -- Bug in XACKDEL may lead to stack overflow and potential RCE</topic>
+    <affects>
+      <package>
+    <name>redis</name>
+    <range><ge>8.2.0</ge><lt>8.2.3</lt></range>
+    </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Google Big Sleep reports:</p>
+    <blockquote cite="https://github.com/redis/redis/security/advisories/GHSA-jhjx-x4cf-4vm8">
+      <p>A user can run the XACKDEL command with multiple ID's and
+      trigger a stack buffer overflow, which may potentially lead to
+      remote code execution.
+      The problem exists in Redis 8.2 or newer.
+      The code doesn't handle the case where the number of ID's exceeds
+      the STREAMID_STATIC_VECTOR_LEN, and skips a reallocation, which
+      leads to a stack buffer overflow.
+      An additional workaround to mitigate the problem without patching
+      the redis-server executable is to prevent users from executing
+      XACKDEL operation. This can be done using ACL to restrict XACKDEL
+      command.
+      </p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-62507</cvename>
+      <url></url>
+    </references>
+    <dates>
+      <discovery>2025-11-03</discovery>
+      <entry>2025-11-03</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="1ba0b62b-b80a-11f0-8016-b42e991fc52e">
     <topic>Mozilla -- Denial-of-service due to out-of-memory</topic>
     <affects>