What's the CVE story for Valkey? #1236
Unanswered
eric-desrochers
asked this question in
Q&A
-
Redis is much more likely to get a CVE report to them because we are still pretty new. I missed sending security advisories for CVEs that impact us on GitHub, but I'll start doing that as well.
-
Looks like most CVEs are still reported to Redis and then backported to Valkey:
#1115
https://linuxsecurity.com/advisories/fedora/fedora-41-valkey-2024-e717420659-security-advisory-updates-e8mrbspx1jim
Seems like Valkey has no security advisory:
https://github.com/valkey-io/valkey/security/advisories
What's the CVE vulnerability story for Valkey to ensure it is secured/detected against newly detected CVEs?
Example:
GHSA-whxg-wx83-85p5
https://www.cve.org/CVERecord?id=CVE-2024-31449
It was backported in Valkey, but there is no indication/advertisement that Valkey is vulnerable; only Redis is mentioned.