Description of the patch:
This update for valkey fixes the following issues
- CVE-2025-67733: data tampering and denial of service via improper null character handling in Lua scripts
(bsc#1258746).
- CVE-2026-21863: denial of service via invalid clusterbus packet (bsc#1258788).
- CVE-2026-23479: use-after-free in unblock client flow may lead to remote code execution (bsc#1264164).
- CVE-2026-23631: Lua use-after-free via the master-replica synchronization mechanism may lead to remote code execution
(bsc#1264165).
- CVE-2026-25243: invalid memory access in RESTORE command via a specially crafted serialized payload may lead to remote
code execution (bsc#1264166).
Changes for valkey:
-
Update to 8.0.9.
-
Update to 8.0.7:
- Fix ltrim should not call signalModifiedKey when no elements are removed (#2787)
- Fix chained replica crash when doing dual channel replication (#2983)
- Fix used_memory_dataset underflow due to miscalculated used_memory_overhead (#3005)
- Avoids crash during MODULE UNLOAD when ACL rules reference a module command and
subcommand (#3160)
- Fix server assert on ACL LOAD and resetchannels (#3182)
- Fix bug causing no response flush sometimes when IO threads are busy (#3205)