Skip to content

6.0.13
Compare
Choose a tag to compare
@oranagra oranagra released this 03 May 19:59
· 66 commits to 6.0 since this release
6.0.13
68e93c2

Upgrade urgency: SECURITY, Contains fixes to security issues that affect
authenticated client connections. LOW otherwise.

Integer overflow in STRALGO LCS command (CVE-2021-29477):
An integer overflow bug in Redis version 6.0 or newer could be exploited using
the STRALGO LCS command to corrupt the heap and potentially result in remote
code execution. The integer overflow bug exists in all versions of Redis
starting with 6.0.

Integer overflow in COPY command for large intsets (CVE-2021-29478):
An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
potentially result in remote code execution. The vulnerability involves
changing the default set-max-intset-entries configuration value, creating a
large set key that consists of integer values and using the COPY command to
duplicate it. The integer overflow bug exists in all versions of Redis starting
with 2.6, where it could result with a corrupted RDB or DUMP payload, but not
exploited through COPY (which did not exist before 6.2).

Bug fixes:

  • Cluster: Skip unnecessary check which may prevent failure detection (#8585)
  • Fix not starting on alpine/libmusl without IPv6 (#8655)

Improvements:

  • Fix performance regression in BRPOP on Redis 6.0 (#8689)

Modules:

  • Fix edge-case when a module client is unblocked (#8618)
Assets 2