[CLSA-2026:1779351595] Fix CVE(s): CVE-2026-23631
Type:
security
Severity:
Important
Release date:
2026-05-21 09:28:51 UTC
Description:
* SECURITY UPDATE: Use-after-free in readSyncBulkPayload during fullsync
  - debian/patches/0015-CVE-2026-23631.patch: guard readSyncBulkPayload in src/replication.c with an early return when server.lua_timedout is set, so a fullsync cannot free the Lua scripting engine while a timed-out script is still running on the replica. Backport of upstream redis commit 80c2b5a0a (7.2 branch), adapted to 5.0 by using server.lua_timedout in place of isInsideYieldingLongCommand().
  - CVE-2026-23631
Updated packages:
  • redis_5.0.14-1+deb10u5+tuxcare.els3_all.deb
    sha:60f1e2ec076db6c491542ecf697b559c05737d55
  • redis-sentinel_5.0.14-1+deb10u5+tuxcare.els3_amd64.deb
    sha:0145fec1d539643aa3b31c977cec7944e7f9adef
  • redis-server_5.0.14-1+deb10u5+tuxcare.els3_amd64.deb
    sha:46b44e77e9d3fd25ab682eb8f52b727b60ace312
  • redis-tools_5.0.14-1+deb10u5+tuxcare.els3_amd64.deb
    sha:03e49c72ec6eb876f9751ec3ea2068835240b962
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.