security: Fix CVE-2026-21863 - clusterbus OOB read

[deepin-ci-robot]

安全修复：CVE-2026-21863

修复内容

• CVE-2026-21863 (HIGH, CVSS 7.5): 修复 clusterbus 端口的远程 DoS 漏洞
  • 添加 gossip count 验证，确保不超过包长度
  • 添加扩展数据边界检查，防止越界读取

补丁来源

• Origin: valkey-io/valkey@4169393
• Reference: GHSA-c677-q3wr-gggq

修改文件

• src/cluster_legacy.c: 添加安全验证
• debian/patches/CVE-2026-21863.patch: 补丁文件
• debian/changelog: 更新版本记录

其他 CVE 分析

根据 Debian Security Tracker 分析，当前版本 8.0.2-3 存在以下未修复 CVE：

• CVE-2025-67733 (HIGH, CVSS 8.5): Lua 脚本错误处理问题
• CVE-2025-49112 (LOW): setDeferredReply 整数溢出
• CVE-2025-46686 (LOW): multi-bulk 命令内存消耗

建议

建议考虑升级到 Redis 8.0.6 或更高版本以批量修复多个 CVE。

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign goldendeng for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• https:/raw.githubusercontent.com/deepin-community/template-repository/master/debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[github-actions]

TAG Bot

TAG: 5%8.0.2-3deepin2
EXISTED: no
DISTRIBUTION: unstable