Package "valkey"

  valkey (8.1.6+dfsg1-0ubuntu0.1) questing; urgency=medium

  * New upstream version 8.1.6 (LP: #2142590)
    - Security fixes:
        + CVE-2025-67733: RESP Protocol Injection via Lua error_reply.
        + CVE-2026-21863: Remote DoS with malformed Valkey Cluster bus message.
    - Bug fixes:
        + Restrict ttl from being negative and avoid crash in import-mode.
        + Fix chained replica crash when doing dual channel replication.
        + Fix used_memory_dataset underflow due to miscalculated
          used_memory_overhead.
        + Fix crashing while MODULE UNLOAD when ACL rules reference a module
          command or subcommand.
        + Fix server assert on ACL LOAD and resetchannels.
        + Fix bug causing no response flush sometimes when IO threads are busy.
        + Fix Lua VM crash after FUNCTION FLUSH ASYNC + FUNCTION LOAD.
        + Fix invalid memory address caused by hashtable shrinking during safe
          iteration.
        + Cluster: Avoid usage of light weight messages to nodes with not ready
          bidirectional links.
        + Send duplicate multi meet packet only for node which supports it.
        + Fix loading AOF files from future Valkey versions.
  * d/rules: Skip maxmemory unit test during builds as it often times out.

 -- Lena Voytek <email address hidden> Tue, 24 Feb 2026 08:49:19 -0500

  valkey (8.1.4+dfsg1-0ubuntu0.1) questing; urgency=medium

  * New upstream version 8.1.4 (LP: #2127122)
    - Security fixes:
      + CVE-2025-49844: Lua script may lead to remote code execution.
      + CVE-2025-46817: Lua script may lead to int overflow and potential RCE.
      + CVE-2025-46818: Lua script can be executed in context of another user.
      + CVE-2025-46819: LUA out-of-bound read
      + CVE-2025-49112: Integer underflow in setDeferredReply networking.c.
    - Bug fixes:
      + Fix accounting for dual channel RDB bytes in replication stats.
      + Ensure empty error tables in scripts don't crash Valkey.
      + Fix use-after-free when active expiration triggers hashtable to shrink.
      + Fix memory usage to consider embedded keys.
      + Fix leak when shrinking a hashtable without entries.
      + Fix large allocations crashing Valkey during active defrag.
      + Prevent bad memory access when NOTOUCH client gets unblocked.
      + Converge shard-id persisted in nodes.conf to primary's shard id.
      + Fix client tracking memory overhead calculation.
      + Fix pre-size hashtables per slot when reading RDB files.
      + Don't use AVX2 instructions if the CPU don't support it.
      + Defrag if slab 1/8 full to fix defrag didn't stop issue.
  * Remove patches fixed upstream:
    - d/p/CVE-2025-49112.patch
    - d/p/fix-8.1.x-multi-unit-test.patch

 -- Lena Voytek <email address hidden> Sat, 11 Oct 2025 22:37:19 -0400