valkey (8.1.1+dfsg1-3+deb13u1) trixie-security; urgency=medium

  * (CVE-2025-49844) A Lua script may lead to remote code execution
  * (CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
  * (CVE-2025-46818) A Lua script can be executed in the context of another user
  * (CVE-2025-46819) Lua out-of-bounds read

 -- Moritz Mühlenhoff <jmm@debian.org>  Tue, 07 Oct 2025 21:33:04 +0200

valkey (8.1.1+dfsg1-3) unstable; urgency=medium

  * Fix CVE-2025-32023 (Closes: #1108978)
    An authenticated user may use a specially crafted string to trigger a
    stack/heap out of bounds write on hyperloglog operations, potentially
    leading to remote code execution. The bug likely affects all Valkey
    versions with hyperloglog operations implemented.
    An additional workaround to mitigate the problem without patching the
    valkey-server executable is to prevent users from executing hyperloglog
    operations. This can be done using ACL to restrict HLL commands.
    - d/p/CVE-2025-32023.patch
  * Fix CVE-2025-48367 (Closes: #1108982)
    An unauthenticated connection can cause repeated IP protocol errors,
    leading to client starvation and, ultimately, a denial of service.
    - d/p/CVE-2025-48367.patch
  * d/copyright: fix path of the lua files, thanks to lintian!

 -- Lucas Kanashiro <kanashiro@debian.org>  Wed, 09 Jul 2025 05:53:22 -0300

valkey (8.1.1+dfsg1-2) unstable; urgency=medium

  * Fix CVE-2025-49112 (Closes: #1107210)
    setDeferredReply in networking.c in Valkey through 8.1.1 has an integer
    underflow for prev->size - prev->used.
    - d/p/CVE-2025-49112.patch

 -- Lucas Kanashiro <kanashiro@debian.org>  Thu, 12 Jun 2025 14:42:42 -0300

valkey (8.1.1+dfsg1-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Check length of AOF file name in valkey-check-aof (CVE-2025-27151)
    (Closes: #1106824)

 -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 09 Jun 2025 10:47:39 +0200

valkey (8.1.1+dfsg1-1) unstable; urgency=medium

  * New upstream release.
    + Fix CVE-2025-21605 (Closes: #1104012)
  * Refresh patches
  * Declare compliance with Debian Policy 4.7.2

 -- Lucas Kanashiro <kanashiro@debian.org>  Mon, 28 Apr 2025 15:49:27 -0300

valkey (8.0.2+dfsg1-1) unstable; urgency=medium

  [ Christian Göttsche ]
  * 0003-Use-get_current_dir_name-over-PATHMAX.patch: free allocated memory
  * d/rules: enable LTO
  * valkey-tools.postinst: create directories with default SELinux context

  [ Lucas Kanashiro ]
  * New upstream version 8.0.2+dfsg1
    - Fixes CVE-2024-46981 and CVE-2024-51741 (Closes: #1092371)

 -- Lucas Kanashiro <kanashiro@debian.org>  Mon, 13 Jan 2025 23:55:00 -0300

valkey (8.0.1+dfsg1-1) unstable; urgency=medium

  [ Lena Voytek ]
  * New upstream release 8.0.1
  * Refresh patches against new version:
    - d/p/debian-packaging/0001-Set-Debian-configuration-defaults.patch
    - d/p/0002-Add-CPPFLAGS-to-upstream-makefiles.patch
    - d/p/0003-Use-get_current_dir_name-over-PATHMAX.patch
    - d/p/0004-Add-support-for-USE_SYSTEM_JEMALLOC-flag.patch
  * d/valkey-server.docs: Remove MANIFESTO
  * d/valkey-tools.examples: Remove redis-trib.rb

  [ Lucas Kanashiro ]
  * d/copyright: remove superfluous file pattern

 -- Lucas Kanashiro <kanashiro@debian.org>  Fri, 18 Oct 2024 19:23:21 -0300

valkey (7.2.5+dfsg1-2) unstable; urgency=medium

  * d/copyright: remove the excluded files paragraph.
  * d/copyright: add missing License field.
  * d/watch: add version mangle and repack suffix because of dfsg.

 -- Lucas Kanashiro <kanashiro@debian.org>  Fri, 09 Aug 2024 19:01:26 -0300

valkey (7.2.5+dfsg1-1) unstable; urgency=medium

  * Initial packaging (Closes: #1068342).

 -- Lucas Kanashiro <kanashiro@debian.org>  Wed, 26 Jun 2024 18:35:47 -0300
