An update for redis is now available for openEuler-24.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2389 Final 1.0 1.0 2025-10-11 Initial 2025-10-11 2025-10-11 openEuler SA Tool V1.0 2025-10-11 redis security update An update for redis is now available for openEuler-24.03-LTS-SP2 Redis is an advanced key-value store. It is often referred to as a dattructure server since keys can contain strings, hashes ,lists, sets anorted sets. Security Fix(es): Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.(CVE-2025-46817) Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.(CVE-2025-46818) Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting.(CVE-2025-46819) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting.(CVE-2025-49844) An update for redis is now available for openEuler-24.03-LTS-SP2. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical redis https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2389 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-46817 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-46818 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-46819 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-49844 https://nvd.nist.gov/vuln/detail/CVE-2025-46817 https://nvd.nist.gov/vuln/detail/CVE-2025-46818 https://nvd.nist.gov/vuln/detail/CVE-2025-46819 https://nvd.nist.gov/vuln/detail/CVE-2025-49844 openEuler-24.03-LTS-SP2 redis-7.2.11-1.oe2403sp2.src.rpm redis-7.2.11-1.oe2403sp2.x86_64.rpm redis-debuginfo-7.2.11-1.oe2403sp2.x86_64.rpm redis-debugsource-7.2.11-1.oe2403sp2.x86_64.rpm redis-7.2.11-1.oe2403sp2.aarch64.rpm redis-debuginfo-7.2.11-1.oe2403sp2.aarch64.rpm redis-debugsource-7.2.11-1.oe2403sp2.aarch64.rpm Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. 2025-10-11 CVE-2025-46817 openEuler-24.03-LTS-SP2 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H redis security update 2025-10-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2389 Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families. 2025-10-11 CVE-2025-46818 openEuler-24.03-LTS-SP2 Medium 6.0 AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N redis security update 2025-10-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2389 Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. 2025-10-11 CVE-2025-46819 openEuler-24.03-LTS-SP2 Medium 6.3 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H redis security update 2025-10-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2389 An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. 2025-10-11 CVE-2025-49844 openEuler-24.03-LTS-SP2 Critical 9.9 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H redis security update 2025-10-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2389