Releases: redis/redis
6.2.6
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
- (CVE-2021-41099) Integer to heap buffer overflow handling certain string
commands and network payloads, when proto-max-bulk-len is manually configured
to a non-default, very large value [reported by yiyuaner]. - (CVE-2021-32762) Integer to heap buffer overflow issue in redis-cli and
redis-sentinel parsing large multi-bulk replies on some older and less common
platforms [reported by Microsoft Vulnerability Research]. - (CVE-2021-32687) Integer to heap buffer overflow with intsets, when
set-max-intset-entries is manually configured to a non-default, very large
value [reported by Pawel Wieczorkiewicz, AWS]. - (CVE-2021-32675) Denial Of Service when processing RESP request payloads with
a large number of elements on many connections. - (CVE-2021-32672) Random heap reading issue with Lua Debugger [reported by
Meir Shpilraien]. - (CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded
data types, when configuring a large, non-default value for
hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries
or zset-max-ziplist-value [reported by sundb]. - (CVE-2021-32627) Integer to heap buffer overflow issue with streams, when
configuring a non-default, large value for proto-max-bulk-len and
client-query-buffer-limit [reported by sundb]. - (CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer
overflow [reported by Meir Shpilraien].
Bug fixes that involve behavior changes:
- GEO* STORE with empty source key deletes the destination key and return 0 (#9271)
Previously it would have returned an empty array like the non-STORE variant. - PUBSUB NUMPAT replies with number of patterns rather than number of subscriptions (#9209)
This actually changed in 6.2.0 but was overlooked and omitted from the release notes.
Bug fixes that are only applicable to previous releases of Redis 6.2:
- Fix CLIENT PAUSE, used an old timeout from previous PAUSE (#9477)
- Fix CLIENT PAUSE in a replica would mess the replication offset (#9448)
- Add some missing error statistics in INFO errorstats (#9328)
Other bug fixes:
- Fix incorrect reply of COMMAND command key positions for MIGRATE command (#9455)
- Fix appendfsync to always guarantee fsync before reply, on MacOS and FreeBSD (kqueue) (#9416)
- Fix the wrong mis-detection of sync_file_range system call, affecting performance (#9371)
CLI tools:
- When redis-cli received ASK response, it didn't handle it (#8930)
Improvements:
6.0.16
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
- (CVE-2021-41099) Integer to heap buffer overflow handling certain string
commands and network payloads, when proto-max-bulk-len is manually configured
to a non-default, very large value [reported by yiyuaner]. - (CVE-2021-32762) Integer to heap buffer overflow issue in redis-cli and
redis-sentinel parsing large multi-bulk replies on some older and less common
platforms [reported by Microsoft Vulnerability Research]. - (CVE-2021-32687) Integer to heap buffer overflow with intsets, when
set-max-intset-entries is manually configured to a non-default, very large
value [reported by Pawel Wieczorkiewicz, AWS]. - (CVE-2021-32675) Denial Of Service when processing RESP request payloads with
a large number of elements on many connections. - (CVE-2021-32672) Random heap reading issue with Lua Debugger [reported by
Meir Shpilraien]. - (CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded
data types, when configuring a large, non-default value for
hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries
or zset-max-ziplist-value [reported by sundb]. - (CVE-2021-32627) Integer to heap buffer overflow issue with streams, when
configuring a non-default, large value for proto-max-bulk-len and
client-query-buffer-limit [reported by sundb]. - (CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer
overflow [reported by Meir Shpilraien].
Other bug fixes:
5.0.14
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
- (CVE-2021-41099) Integer to heap buffer overflow handling certain string
commands and network payloads, when proto-max-bulk-len is manually configured
to a non-default, very large value [reported by yiyuaner]. - (CVE-2021-32762) Integer to heap buffer overflow issue in redis-cli and
redis-sentinel parsing large multi-bulk replies on some older and less common
platforms [reported by Microsoft Vulnerability Research]. - (CVE-2021-32687) Integer to heap buffer overflow with intsets, when
set-max-intset-entries is manually configured to a non-default, very large
value [reported by Pawel Wieczorkiewicz, AWS]. - (CVE-2021-32675) Denial Of Service when processing RESP request payloads with
a large number of elements on many connections. - (CVE-2021-32672) Random heap reading issue with Lua Debugger [reported by
Meir Shpilraien]. - (CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded
data types, when configuring a large, non-default value for
hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries
or zset-max-ziplist-value [reported by sundb]. - (CVE-2021-32627) Integer to heap buffer overflow issue with streams, when
configuring a non-default, large value for proto-max-bulk-len and
client-query-buffer-limit [reported by sundb]. - (CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer
overflow [reported by Meir Shpilraien].
6.2.5
Upgrade urgency: SECURITY, contains fixes to security issues that affect
authenticated client connections on 32-bit versions. MODERATE otherwise.
Fix integer overflow in BITFIELD on 32-bit versions (CVE-2021-32761).
An integer overflow bug in Redis version 2.2 or newer can be exploited using the
BITFIELD command to corrupt the heap and potentially result with remote code
execution.
Bug fixes that involve behavior changes:
- Change reply type for ZPOPMAX/MIN with count in RESP3 to nested array (#8981).
Was using a flat array like in RESP2 instead of a nested array like ZRANGE does. - Fix reply type for HRANDFIELD and ZRANDMEMBER when key is missing (#9178).
Was using a null array instead of an empty array. - Fix reply type for ZRANGESTORE when source key is missing (#9089).
Was using an empty array like ZRANGE instead of 0 (used in the STORE variant).
Bug fixes that are only applicable to previous releases of Redis 6.2:
- ZRANDMEMBER WITHSCORES with negative COUNT may return bad score (#9162)
- Fix crash after CLIENT UNPAUSE when threaded I/O config is enabled (#9041)
- Fix XTRIM or XADD with LIMIT may delete more entries than the limit (#9048)
- Fix build issue with OpenSSL 1.1.0 (#9233)
Other bug fixes:
- Fail EXEC command in case a watched key is expired (#9194)
- Fix SMOVE not to invalidate dest key (WATCH and tracking) when member already exists (#9244)
- Fix SINTERSTORE not to delete dest key when getting a wrong type error (#9032)
- Fix overflows on 32-bit versions in GETBIT, SETBIT, BITCOUNT, BITPOS, and BITFIELD (#9191)
- Improve MEMORY USAGE on stream keys (#9164)
- Set TCP keepalive on inbound cluster bus connections (#9230)
- Fix diskless replica loading to recover from RDB short read on module AUX data (#9199)
- Fix race in client side tracking (#9116)
- Fix ziplist length updates on big-endian platforms (#2080)
CLI tools:
- redis-cli cluster import command may issue wrong MIGRATE command, sending COPY instead of REPLACE (#8945)
- redis-cli --rdb fixes when using "-" to write to stdout (#9136, #9135)
- redis-cli support for RESP3 set type in CSV and RAW output (#7338)
Modules:
6.0.15
Upgrade urgency: SECURITY, contains fixes to security issues that affect
authenticated client connections on 32-bit versions. MODERATE otherwise.
Fix integer overflow in BITFIELD on 32-bit versions (CVE-2021-32761).
An integer overflow bug in Redis version 2.2 or newer can be exploited using the
BITFIELD command to corrupt the heap and potentially result with remote code
execution.
Bug fixes that involve behavior changes:
- Change reply type for ZPOPMAX/MIN with count in RESP3 to nested array (#8981).
Was using a flat array like in RESP2 instead of a nested array like ZRANGE does.
Bug fixes:
- Fail EXEC command in case a watched key is expired (#9194)
- Fix SMOVE not to invalidate dest key (WATCH and tracking) when member already exists (#9244)
- Fix SINTERSTORE not to delete dest key when getting a wrong type error (#9032)
- Fix overflows on 32-bit versions in GETBIT, SETBIT, BITCOUNT, BITPOS, and BITFIELD (#9191)
- Set TCP keepalive on inbound cluster bus connections (#9230)
- Fix ziplist length updates on big-endian platforms (#2080)
- Fix diskless replica loading to recover from RDB short read on module AUX data (#9199)
- Fix race in client side tracking (#9116)
- If diskless repl child is killed, make sure to reap the child pid (#7742)
- Add a timeout mechanism for replicas stuck in fullsync (#8762)
CLI tools:
5.0.13
Upgrade urgency: SECURITY, contains fixes to security issues that affect
authenticated client connections on 32-bit versions. MODERATE otherwise.
Fix integer overflow in BITFIELD on 32-bit versions (CVE-2021-32761).
An integer overflow bug in Redis version 2.2 or newer can be exploited using the
BITFIELD command to corrupt the heap and potentially result with remote code
execution.
Bug fixes:
6.2.4
Upgrade urgency: SECURITY, Contains fixes to security issues that affect
authenticated client connections. MODERATE otherwise.
Fix integer overflow in STRALGO LCS (CVE-2021-32625)
An integer overflow bug in Redis version 6.0 or newer can be exploited using the
STRALGO LCS command to corrupt the heap and potentially result with remote code
execution. This is a result of an incomplete fix by CVE-2021-29477.
Bug fixes that are only applicable to previous releases of Redis 6.2:
- Fix crash after a diskless replication fork child is terminated (#8991)
- Fix redis-benchmark crash on unsupported configs (#8916)
Other bug fixes:
- Fix crash in UNLINK on a stream key with deleted consumer groups (#8932)
- SINTERSTORE: Add missing keyspace del event when none of the sources exist (#8949)
- Sentinel: Fix CONFIG SET of empty string sentinel-user/sentinel-pass configs (#8958)
- Enforce client output buffer soft limit when no traffic (#8833)
Improvements:
- Hide AUTH passwords in MIGRATE command from slowlog (#8859)
6.0.14
Upgrade urgency: SECURITY, Contains fixes to security issues that affect
authenticated client connections. MODERATE otherwise.
Fix integer overflow in STRALGO LCS (CVE-2021-32625)
An integer overflow bug in Redis version 6.0 or newer can be exploited using the
STRALGO LCS command to corrupt the heap and potentially result with remote code
execution. This is a result of an incomplete fix by CVE-2021-29477.
Other bug fixes:
6.2.3
Upgrade urgency: SECURITY, Contains fixes to security issues that affect
authenticated client connections. LOW otherwise.
Integer overflow in STRALGO LCS command (CVE-2021-29477):
An integer overflow bug in Redis version 6.0 or newer could be exploited using
the STRALGO LCS command to corrupt the heap and potentially result in remote
code execution. The integer overflow bug exists in all versions of Redis
starting with 6.0.
Integer overflow in COPY command for large intsets (CVE-2021-29478):
An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
potentially result in remote code execution. The vulnerability involves
changing the default set-max-intset-entries configuration value, creating a
large set key that consists of integer values and using the COPY command to
duplicate it. The integer overflow bug exists in all versions of Redis starting
with 2.6, where it could result with a corrupted RDB or DUMP payload, but not
exploited through COPY (which did not exist before 6.2).
Bug fixes that are only applicable to previous releases of Redis 6.2:
- Fix memory leak in moduleDefragGlobals (#8853)
- Fix memory leak when doing lazy freeing client tracking table (#8822)
- Block abusive replicas from sending commands that could assert and crash redis (#8868)
Other bug fixes:
- Use a monotonic clock to check for Lua script timeout (#8812)
- redis-cli: Do not use unix socket when we got redirected in cluster mode (#8870)
Modules:
- Fix RM_GetClusterNodeInfo() to correctly populate master id (#8846)
6.0.13
Upgrade urgency: SECURITY, Contains fixes to security issues that affect
authenticated client connections. LOW otherwise.
Integer overflow in STRALGO LCS command (CVE-2021-29477):
An integer overflow bug in Redis version 6.0 or newer could be exploited using
the STRALGO LCS command to corrupt the heap and potentially result in remote
code execution. The integer overflow bug exists in all versions of Redis
starting with 6.0.
Integer overflow in COPY command for large intsets (CVE-2021-29478):
An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
potentially result in remote code execution. The vulnerability involves
changing the default set-max-intset-entries configuration value, creating a
large set key that consists of integer values and using the COPY command to
duplicate it. The integer overflow bug exists in all versions of Redis starting
with 2.6, where it could result with a corrupted RDB or DUMP payload, but not
exploited through COPY (which did not exist before 6.2).
Bug fixes:
- Cluster: Skip unnecessary check which may prevent failure detection (#8585)
- Fix not starting on alpine/libmusl without IPv6 (#8655)
Improvements:
- Fix performance regression in BRPOP on Redis 6.0 (#8689)
Modules:
- Fix edge-case when a module client is unblocked (#8618)