Valkey
What's the CVE story for valkey ? #1236
Unanswered
eric-desrochers
asked this question in
Q&A
Replies: 1 comment 1 reply
-
|
Redis is much more likely to get a CVE report to them because we are still pretty new. I missed sending security advisories for CVEs that impact us on github, but I'll start doing that as well. |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
I am afraid CVEs affecting valkey won't be reported by scanning tools/CVE detection tooling/... because CVE databases such as NIST, GHSA, CVE.ORG, ... still report them for Redis only, so Valkey users may not know if they are vulnerable or not. |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Look like most CVE are still reported to Redis and then backported to Valkey:
#1115
https://linuxsecurity.com/advisories/fedora/fedora-41-valkey-2024-e717420659-security-advisory-updates-e8mrbspx1jim
Seems like Valkey has no security advisory:
https://github.com/valkey-io/valkey/security/advisories
What's the CVE vulnerability story for Valkey to ensure it is secured/detected against newly detected CVE ?
Example:
GHSA-whxg-wx83-85p5
https://www.cve.org/CVERecord?id=CVE-2024-31449
It was backported in Valkey, but no indication/advertisement that Valkey is vulnerable, just redis is mentionnned.
Beta Was this translation helpful? Give feedback.
All reactions