7.0.12

Upgrade urgency SECURITY: See security fixes below.

Security Fixes:

• (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger
  a heap overflow in the cjson and cmsgpack libraries, and result in heap
  corruption and potentially remote code execution. The problem exists in all
  versions of Redis with Lua scripting support, starting from 2.6, and affects
  only authenticated and authorized users.
• (CVE-2023-36824) Extracting key names from a command and a list of arguments
  may, in some cases, trigger a heap overflow and result in reading random heap
  memory, heap corruption and potentially remote code execution. Specifically:
  using COMMAND GETKEYS* and validation of key names in ACL rules.

Bug Fixes

• Re-enable downscale rehashing while there is a fork child (#12276)
• Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count> (#12276)
• Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction (#12276)
• Fix WAIT to be effective after a blocked module command being unblocked (#12220)
• Avoid unnecessary full sync after master restart in a rare case (#12088)

7.2-rc3

Upgrade urgency LOW: This is the third Release Candidate for Redis 7.2.
Upgrade urgency SECURITY: If you're using a previous release candidate of 7.2.

Security Fixes:

• (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger
  a heap overflow in the cjson and cmsgpack libraries, and result in heap
  corruption and potentially remote code execution. The problem exists in all
  versions of Redis with Lua scripting support, starting from 2.6, and affects
  only authenticated and authorized users.
• (CVE-2023-36824) Extracting key names from a command and a list of arguments
  may, in some cases, trigger a heap overflow and result in reading random heap
  memory, heap corruption and potentially remote code execution. Specifically:
  using COMMAND GETKEYS* and validation of key names in ACL rules.

New Features

New administrative and introspection commands and command arguments

• Make SENTINEL CONFIG [SET|GET] variadic. (#10362)

Potentially Breaking / Behavior Changes

• Cluster SHARD IDs are no longer visible in the cluster nodes output,
  introduced in 7.2-RC1. (#10536, #12166)
• When calling PUBLISH with a RESP3 client that's also subscribed to the same channel,
  the order is changed and the reply is sent before the published message (#12326)

New configuration options

• Add a new loglevel "nothing" to disable logging (#12133)
• Add cluster-announce-human-nodename - a unique identifier for a node that is
  be used in logs for debugging (#9564)

Other General Improvements

• Allow CLUSTER SLOTS / SHARDS commands during loading (#12269)
• Support TLS service when "tls-cluster" is not enabled and persist both plain
  and TLS port in nodes.conf (#12233)
• Update SPOP and RESTORE commands to replicate unlink commands to replicas
  when the server is configured to use async server deletes (#12320)
• Try lazyfree the temporary zset in ZUNION / ZINTER / ZDIFF (#12229)

Performance and resource utilization improvements

• Optimize PSUBSCRIBE and PUNSUBSCRIBE from O(N*M) to O(N) (#12298)
• Optimize SCAN, SSCAN, HSCAN, ZSCAN commands (#12209)
• Set Jemalloc --disable-cache-oblivious to reduce memory overhead (#12315)
• Optimize ZINTERCARD to avoid create a temporary zset (#12229)
• Optimize HRANDFIELD and ZRANDMEMBER listpack encoded (#12205)
• Numerous other optimizations (#12155, #12082, #11626, #11944, #12316, #12250,
  #12177, #12185)

Changes in CLI tools

• redis-cli: Handle RESP3 double responses that contain a NaN (#12254)
• redis-cli: Support URIs with IPv6 (#11834)

Module API changes

• Align semantics of the new (v7.2 RC2) RM_ReplyWithErrorFormat with RM_ReplyWithError.
  This is a breaking change that affects the generated error code. (#12321)
• Forbid RM_AddPostNotificationJob on loading and on read-only replicas (#12304)
• Add ability for module command filter to know which client is being handled (#12219)

Bug Fixes

• Fix broken protocol when PUBLISH is used inside MULTI when the RESP3
  publishing client is also subscribed for the channel (#12326)
• Fix WAIT to be effective after a blocked module command being unblocked (#12220)
• Re-enable downscale rehashing while there is a fork child (#12276)
• Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count> (#12276)
• Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction (#12276)
• Cluster: fix a race condition where a slot migration may revert on a subsequent failover or node joining (#12344)

Fixes for issues in previous releases of Redis 7.2

• Fix XREADGROUP BLOCK with ">" from hanging (#12301)
• Fix assertion when a blocked command is rejected when re-processed. (#12247)
• Fix use after free on a blocking RM_Call. (#12342)

6.2.13

Upgrade urgency SECURITY: See security fixes below.

Security Fixes:

• (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger
  a heap overflow in the cjson and cmsgpack libraries, and result in heap
  corruption and potentially remote code execution. The problem exists in all
  versions of Redis with Lua scripting support, starting from 2.6, and affects
  only authenticated and authorized users.

Bug Fixes

• Re-enable downscale rehashing while there is a fork child (#12276)

6.0.20

Upgrade urgency SECURITY: See security fixes below.

Security Fixes:

• (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger
  a heap overflow in the cjson and cmsgpack libraries, and result in heap
  corruption and potentially remote code execution. The problem exists in all
  versions of Redis with Lua scripting support, starting from 2.6, and affects
  only authenticated and authorized users.

Bug Fixes

• Re-enable downscale rehashing while there is a fork child (#12276)

7.2-rc2

Upgrade urgency LOW: This is the second Release Candidate for Redis 7.2.

INFO fields and introspection changes

• Add a few low level event loop metrics to help diagnose latency (#11963)

Performance and resource utilization improvements

• Minor performance improvement to SADD and HSET (#12019)

Platform / toolchain support related changes

• Upgrade to Jemalloc 5.3.0, resolves a rare fork child hang (#12115)
• Fix a compiler fortification induced crash when used with link time optimizations (#11982)
• Fix local clients detection, 127...* instead of 127.0.0.1 (#11664)
• Report AOF failure status to systemd in shutdown (#12065)

Changes in CLI tools

• redis-cli: Reimplement and improve help hints based on actual command arg docs (#10515)
• redis-cli: Add option --count for tuning SCAN based features (#12042)
• redis-benchmark: Add --seed option to seed the random number generator (#11945)

Module API changes

• Add RM_RdbLoad and RM_RdbSave APIs (#11852)
• Add RM_ReplyWithErrorFormat that can support format string (#11923)
• Fix: Delete empty key when RM_ZsetAdd, RM_ZsetIncrby, RM_StreamAdd fail (#12129)

Bug Fixes

• LPOS with RANK set to LONG_MIN returning wrong result (#12167)
• Avoid unnecessary full sync after master restart in a rare case (#12088)
• Iterate clients fairly when processing background chores (#12025)
• Avoid incorrect shrinking of query buffer when reading large data from clients (#12000)
• Sentinel: Fix config rewrite error when old known-slave is used (#11775)
• ACL: Disconnect pub-sub subscribers when revoking allchannels permission (#11992)
• Add a missing fsync of AOF file in rare cases (#11973)

Fixes for issues in previous releases of Redis 7.2

• Fix tracking of command duration metrics for MULTI, EVAL, WAIT and modules (#11970)

7.0.11

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

• (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create
  an invalid hash field that will crash Redis on access

Bug Fixes

• Add a missing fsync of AOF file in rare cases (#11973)
• Disconnect pub-sub subscribers when revoking allchannels permission (#11992)

Platform / toolchain support related improvements

• Fix a compiler fortification induced crash when used with link time optimizations (#11982)

6.2.12

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

• (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create
  an invalid hash field that will crash Redis on access

Bug Fixes

• Fix CLIENT REPLY OFF|SKIP to not silence push notifications (#11875)
• Disconnect pub-sub subscribers when revoking allchannels permission (#11992)
• Trim excessive memory usage in stream nodes when exceeding stream-node-max-bytes (#11885)

6.0.19

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

• (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create
  an invalid hash field that will crash Redis on access

Bug Fixes

• Fix CLIENT REPLY OFF|SKIP to not silence push notifications (#11875)

7.2-rc1

Upgrade urgency LOW: This is the first Release Candidate for Redis 7.2.

Redis Release Candidate (RC) versions are early versions that are made available
for early adopters in the community to test them. We do not consider
them suitable for production environments.

Introduction to the Redis 7.2 release

Redis 7.2 includes optimizations, several new commands, some improvements,
bug fixes, and several new module APIs.

In particular, users should be aware of the following changes:

1. Redis 7.2 uses a new format (version 11) for RDB files, which is incompatible
   with older versions.
2. See section about breaking changes mentioned below.
3. If you use modules, see the module API breaking changes section below.

Here is a comprehensive list of changes in this release compared to 7.0.10.
Each one includes the PR number that added it so that you can get more details
at https://github.com/redis/redis/pull/

New Features

• Introduce WAITAOF command, to block the client until a specified number
  of Redises have synced all previous write commands to the AOF on disk,
  see https://redis.io/commands/waitaof/

New user commands or command arguments

• WAITAOF blocks until writes have been synced to disk (#11713)
• Add WITHSCORE option to ZRANK and ZREVRANK (#11235)

New administrative and introspection commands and command arguments

• CLIENT SETINFO lets client library report name and version Redis (#11758)
• CLIENT NO-TOUCH for clients to run commands without affecting LRU/LFU of keys (#11483)

Command replies that have been extended

• ACL LOG - Add entry id, timestamp created, and timestamp last updated time (#11477)
• COMMAND DOCS - Repurpose arg names as the unique ID (#11051)
• CLIENT LIST has T flag to indicate CLIENT NO-TOUCH (#11483)
• CLIENT LIST show lib-name, lib-ver (#11758)

Potentially Breaking / Behavior Changes

• Client side tracking for scripts now tracks the keys that are read by the
  script instead of the keys that are declared by the caller of EVAL / FCALL (#11770)
• Freeze time sampling during command execution and in scripts (#10300)
• When a blocked command is being unblocked, checks like ACL, OOM, etc are
  re-evaluated (#11012)
• Unify ACL failure error message text and error codes (#11160)
• Blocked stream command that's released when key no longer exists carries a
  different error code (#11012)
• Command stats are updated for blocked commands only when / if the command
  actually executes (#11012)
• The way ACL users are stored internally no longer removes redundant command
  and category rules, which may alter the way those rules are displayed as part
  of ACL SAVE, ACL GETUSER and ACL LIST (#11224)
• Client connections created for TLS-based replication use SNI if possible (#11458)
• Stream consumers: Re-purpose seen-time, add active-time (#11099)
• XREADGROUP and X[AUTO]CLAIM create the consumer regardless of whether it was
  able to perform some reading/claiming (#11099)
• ACL default newly created user set sanitize-payload flag in ACL LIST/GETUSER #11279
• Fix HELLO command not to affect the client state unless successful (#11659)
• Normalize NAN in replies to a single nan type, like we do with inf (#11597)

Deprecations

• Mark the QUIT command as deprecated (#11439)
• Delete RDB loading code for pre-release RDB formats (#11058)

Performance and resource utilization improvements

• Significant memory optimization of small list type keys (#11303)
• Significant memory optimization for small set type keys (#11290)
• Significant memory optimization for large sets (#11595)
• Significant speed optimization in ZRANGE replies WITHSCORES in case of integer scores (#11779)
• Significant speed optimization in double replies, mainly sorted sets commands (#10587)
• Optimize the performance of commands with multiple keys in cluster mode (#11044)
• Incrementally reclaim OS page cache of RDB file (#11248)
• Improve memory management of cluster bus links when there is a large number of pending messages (#11343)
• Minor performance improvement for workloads that use commands without pipelining (#11220)

Changes in CLI tools

• redis-cli accepts commands in subscribed mode (#11873)

Other General Improvements

• WAIT now no longer waits for the replication offset after your last command,
  but rather the replication offset after your last write (#11713)
• Automatically propagate node deletion to other nodes in a cluster when
  CLUSTER FORGET is called, allowing nodes to be deleted with a single call
  in most cases (#10869)
• Blocking commands that were disallowed in scripts now behave in scripts the
  same they did in MULTI (#11568)

Platform / toolchain support related changes

• 32-bit builds compiled without HAVE_MALLOC_SIZE (not jemalloc or glibc)
  will consume more memory (#11595)
• Use jemalloc by default also on ARM (#11407)
• Adds stack trace and register dump support in crash report for illumos/solaris (#11335)

New configuration options

• locale-collate runtime config to control setlocale affecting Lua and SORT (#11059)
• Add CONFIG SET and GET loglevel feature in Sentinel (#11214)

INFO fields and introspection changes

• Added 4 new info fields for authentication errors and commands denied access
  for keys, channels and commands (#11288)
• INFO SERVER includes a list of listeners (#9320)

Module API changes

• Make it possible for module commands to be part of ACL categories (#11708)
• Add K flag to RM_Call to allow running blocking commands and set a callback to get the response (#11568)
• Add RM_AddPostNotificationJob to allow writes after keyspace notification hooks (#11199)
• RedisModule_Event_Key to notify about keys being unlinked together with reason and value (#9406)
• Add RM_BlockClient[Set|Get]PrivateData to associate a module data with the blocked client (#11568)
• APIs to allow modules to participate / handle AUTH validation (#11659)
• RM_GetContextFlags supports a new flag: REDISMODULE_CTX_FLAGS_SERVER_STARTUP (#9320)
• Add REDISMODULE_OPTIONS_ALLOW_NESTED_KEYSPACE_NOTIFICATIONS and RedisModule_GetModuleOptionsAll (#11199)
• RM_BlockClientOnKeysWithFlags allows module to request being unblocked when the key is deleted (#11310)
• Introduce aux_save2 makes it possible to skip saving that field in the RDB and
  enable loading the file in the absence of the module (#11374)
• Add a dry run flag to RM_Call to do validations before actual execution (#11158)
• Add RM_Microseconds and RM_CachedMicroseconds (#11016)
• Add RM_ACLAddLogEntryByUserName API to be used without a user object (#11659)
• Make it possible to keep the RM_Call reply for longer than the context lifetime in case
  auto memory was not used (#11568)

Potentially Breaking Changes in Module API

• RM_Call only enforces OOM on scripts if 'M' flag is set (#11425)
• Block some specific characters in module command names (#11434)
• Fix replication inconsistency on modules that uses keyspace notifications (#10969)
• Prevent command, configs, data types registration after the onload handler (#11708)

Bug Fixes

• Introduce socket shutdown to properly disconnect a client while a fork is active (#11376)
• CLIENT RESET clears the CLIENT NO-EVICT flag (#11483)
• Reduce memory usage on strings loaded by a module from an RDB file (#11050)
• Fix a bug where nodes in a cluster may not replicate or handle internal events for
  keys deleted when another node in the cluster claimed a slot (#11084)
• Fix HINCRBYFLOAT not to create a key if the new value is invalid (#11149)
• Make cluster config file saving atomic and fsync acl file saving (#10924)
• WAIT command would not block if used in RM_Call (#11713)
• Minor fixes to command metadata in COMMAND command (#11201, #10273)

7.0.10

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

• (CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service

Bug Fixes

• Large blocks of replica client output buffer may lead to PSYNC loops and unnecessary memory usage (#11666)
• Fix CLIENT REPLY OFF|SKIP to not silence push notifications (#11875)
• Trim excessive memory usage in stream nodes when exceeding stream-node-max-bytes (#11885)
• Fix module RM_Call commands failing with OOM when maxmemory is changed to zero (#11319)