Advisories » MGASA-2025-0211

Updated redis packages fix security vulnerabilities

Publication date: 19 Jul 2025
Modification date: 19 Jul 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-27151, CVE-2023-41056, CVE-2025-32023, CVE-2025-48367

Description

The redis packages have been updated to a more recent version to fix
security vulnerabilities.
Please note that this update moves from 7.0 to 7.2, which brings some
potentially breaking changes. In most cases this update can be installed
without problems.
Potentially Breaking / Behavior Changes:
* Client side tracking for scripts now tracks the keys that are read by
  the script instead of the keys that are declared by the caller of EVAL /
  FCALL (#11770)
* Freeze time sampling during command execution and in scripts (#10300)
* When a blocked command is being unblocked, checks like ACL, OOM, etc
  are re-evaluated (#11012)
* Unify ACL failure error message text and error codes (#11160)
* Blocked stream command that's released when key no longer exists
  carries a different error code (#11012)
* Command stats are updated for blocked commands only when / if the
  command actually executes (#11012)
* The way ACL users are stored internally no longer removes redundant
  command and category rules, which may alter the way those rules are
  displayed as part of `ACL SAVE`, `ACL GETUSER` and `ACL LIST` (#11224)
* Client connections created for TLS-based replication use SNI if
  possible (#11458)
* Stream consumers: Re-purpose seen-time, add active-time (#11099)
* XREADGROUP and X[AUTO]CLAIM create the consumer regardless of whether
  it was able to perform some reading/claiming (#11099)
* ACL default newly created user set sanitize-payload flag in ACL
  LIST/GETUSER (#11279)
* Fix HELLO command not to affect the client state unless successful
  (#11659)
* Normalize `NAN` in replies to a single nan type, like we do with `inf`
  (#11597)
* Cluster SHARD IDs are no longer visible in the cluster nodes output,
  introduced in 7.2-RC1. (#10536, #12166)
* When calling PUBLISH with a RESP3 client that's also subscribed to the
  same channel, the order is changed and the reply is sent before the
  published message (#12326)
                

References

SRPMS

9/core