Will Redis upgrade break anything?

Hi all, quick question - currently running Redis 6.2.20 on Oracle Linux 9 with Foreman 3.17 and Katello 4.19

Qualys has detected this version of Redis as vulnerable (CVE-2025-49844)

Version 7.2.11 is available via Appstream and this will fix the issue.

Can anyone confirm if there will be any problems with caching if updating to this?

Many thanks

Any brainy devs able to help with this and confirm, please?

@aruzicka may know. All I know is that in general we tell you that anything we ship with Foreman shouldn’t be upgraded individually and should be treated as an appliance.

Within Foreman, Redis is used for two purposes - as a queue for background processing and as cache.

As far as background processing is concerned, we only use relatively basic features (and a subcomponent of background processing is even tested with redis 7) so I wouldn’t expect any issues there.

I can’t really make any claims about the caching side of things and what @jeremylenz said about treating Foreman as an appliance is true.

tl;dr: It should work just fine, but ymmv.

1 Like

Thank you for this. I suppose the main question from me is whether Foreman (or a dependency of it) used Redis from the OS (RPM) or whether it had its own Redis or similar cache system built in

EL9 seems unaffected according to cve-details.

Also reading:

Red Hat Satellite does not ship the Redis server, and the Redis client libraries it includes (such as python-redis, python-aioredis and rubygem-redis) are not impacted by this vulnerability. While Satellite consumes the Redis package from the underlying RHEL system, which is affected, the Redis service in Satellite is bound only to the local interface and is accessible solely by internal components like Pulp and Dynflow. Since the vulnerability requires sending crafted Lua payloads to the Redis command interface, and no external or untrusted clients can connect, the effective exposure within Satellite is nullified.

1 Like
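Added example, not from this thread and not Foreman, Katello or Red Hat code: a POSIX shell check for the condition the Red Hat statement above relies on, namely that Redis is reachable only on the local interface. It parses a redis.conf and the output of `ss -ltn` instead of talking to Redis, so it runs without a live server. Port 6379, the config path in the usage note and the sample inputs in the demo are assumptions.

```shell
#!/bin/sh
# Added example (not from the Foreman thread or project): verify that a Redis
# instance is bound to loopback only, from redis.conf and `ss -ltn` output.
# Port, paths and the sample inputs below are assumptions for the demo.

# Print the addresses of the last "bind" directive in a redis.conf read from
# stdin (Redis honours the last occurrence). Commented lines start with "#",
# so their $1 is never "bind".
redis_bind_addrs() {
  awk '$1 == "bind" { $1 = ""; last = $0 } END { print last }' | sed 's/^ *//'
}

# Classify the bind scope: "loopback-only" when every address is 127.0.0.1,
# ::1 or localhost (a leading "-" only tells Redis to tolerate a bind failure),
# "exposed" otherwise. No bind directive at all means Redis listens everywhere.
redis_bind_scope() {
  addrs=$(redis_bind_addrs)
  if [ -z "$addrs" ]; then
    echo exposed
    return 0
  fi
  for a in $addrs; do
    case "${a#-}" in
      127.0.0.1|::1|localhost) ;;
      *) echo exposed; return 0 ;;
    esac
  done
  echo loopback-only
}

# Read `ss -ltn` output from stdin and print every listener on port $1 whose
# local address is not loopback. Empty output means the port is local only.
redis_nonlocal_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      la = $4                                   # Local Address:Port column
      n = split(la, p, ":")
      if (p[n] != port) next                    # some other service
      addr = substr(la, 1, length(la) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]") next
      print la
    }'
}

# Demo on constructed inputs (not captured from a real host).
demo() {
  printf 'redis.conf bound to loopback: %s\n' \
    "$(printf 'bind 127.0.0.1 -::1\nprotected-mode yes\n' | redis_bind_scope)"
  printf 'redis.conf bound to all interfaces: %s\n' \
    "$(printf 'bind 0.0.0.0\n' | redis_bind_scope)"
  printf 'non-local listeners on 6379: [%s]\n' \
    "$(printf 'LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*\nLISTEN 0 511 [::1]:6379 [::]:*\n' \
       | redis_nonlocal_listeners 6379)"
}

demo
```

On the Foreman host itself you would source the file and run `redis_bind_scope < /etc/redis/redis.conf` (the path of the EL9 package config is assumed here; check which file the installed unit actually loads) and `ss -ltn | redis_nonlocal_listeners 6379`. Both must agree: a loopback-only bind in a config that is not the one in use proves nothing, which is why the socket listing is checked as well. This only establishes who can reach the command interface; whether the installed RPM carries the fix is a separate question about the distribution's backport, as the thread discusses.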