[release] Redis 3.0.2 and Redis 2.8.21 are out


Salvatore Sanfilippo

Jun 4, 2015, 6:06:41 AM
to Redis DB
Hello,

A few minutes ago I released Redis 3.0.2 and 2.8.1. The main reason
for this release is to address a security bug found by Ben Murphy,
documented in his blog post here:

http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/

It is critical but not dramatic: it needs the attacker to have direct
access to the instance, so Redis access mediated by applications is
not at risk. There are a lot of details about vulnerable deployments
in the original blog post.

However there are a few more interesting things in the releases:

Sentinel CKQUORUM and FLUSHCONFIG commands.
The first is already documented in the Sentinel documentation, and is
useful in order to check if a given Sentinel is currently able to
failover given the number of reachable Sentinels it is connected to. A
good check to have in your monitoring systems.

Sentinel FLUSHCONFIG was added by Bill Anderson in order to allow the
generation from scratch of the Sentinel config file in case it is
missing or broken for some reason. This command is also documented in
the new Sentinel doc.

There is also something that will be welcomed in Redis 3.0.2. With the
new policy we usually don't add new stuff but this time it was way
too safe and useful to say no: ZADD now supports options:

NX: Add/Update elements if they don't already exist.
XX: Add/Update elements if they already exist.
CH: Change the return value in order to return *modified* elements,
not just added elements.

Everything is documented here: http://redis.io/commands/ZADD

Note that the new ZADD features are ONLY available in Redis 3.0.2.
Also remember that there is no reason to upgrade :-) It is backward compatible.

So... the 3.0.2 raw changelog is here:

--[ Redis 3.0.2 ] Release date: 4 Jun 2015

Upgrade urgency: HIGH for Redis because of a security issue.
LOW for Sentinel.

* [FIX] Critical security issue fix by Ben Murphy: http://t.co/LpGTyZmfS7
* [FIX] SMOVE reply fixed when src and dst keys are the same. (Glenn Nethercutt)
* [FIX] Lua cmsgpack lib updated to support str8 type. (Sebastian Waisbrot)

* [NEW] ZADD support for options: NX, XX, CH. See new doc at redis.io.
(Salvatore Sanfilippo)
* [NEW] Sentinel: CKQUORUM and FLUSHCONFIG commands back ported.
(Salvatore Sanfilippo and Bill Anderson)

Have fun,
Salvatore

--
Salvatore 'antirez' Sanfilippo
open source developer - Pivotal http://pivotal.io

"If a system is to have conceptual integrity, someone must control the
concepts."
— Fred Brooks, "The Mythical Man-Month", 1975.

Collin Sauve

Jun 15, 2015, 10:21:46 PM
to redi...@googlegroups.com

> A few minutes ago I released Redis 3.0.2 and 2.8.1.

Can you clarify that this is a typo and you mean “2.8.1”.

If so, it appears NIST (and others) have copied your typo:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4335

Redis before 2.8.1 and 3.x before 3.0.2

Collin Sauve

Jun 15, 2015, 11:27:09 PM
to redi...@googlegroups.com
Correction: should be "2.8.21".
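
The cutoff this exchange settles matters when auditing instances: with 2.8.1 as the boundary, a 2.8.19 server would wrongly pass. The following is an added example, not part of the thread and not Redis project code, that reads `redis_version` from `INFO` output and compares it numerically against 3.0.2 and 2.8.21. Host names and INFO excerpts are constructed, and treating every pre-3.0 version below 2.8.21 as unpatched is an assumption.

```python
import re

# Fixed releases named in this thread. Assumption: any version below 3.0
# that is older than 2.8.21 is treated as unpatched.
FIXED_3X = (3, 0, 2)
FIXED_2X = (2, 8, 21)

# Constructed INFO excerpts; host names and values are made up.
SAMPLES = {
    "cache-a": "# Server\r\nredis_version:2.8.19\r\ntcp_port:6379\r\n",
    "cache-b": "# Server\r\nredis_version:2.8.3\r\ntcp_port:6379\r\n",
    "cache-c": "# Server\r\nredis_version:2.8.21\r\ntcp_port:6379\r\n",
    "queue-a": "# Server\r\nredis_version:3.0.1\r\ntcp_port:6379\r\n",
    "queue-b": "# Server\r\nredis_version:3.0.2\r\ntcp_port:6379\r\n",
}


def parse_redis_version(info_text):
    """Return redis_version from INFO output as a tuple of ints, or None."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)\s*$", info_text, re.M)
    return tuple(int(part) for part in m.groups()) if m else None


def needs_upgrade(info_text):
    """True if below the fixed release, False if not, None if unreadable."""
    version = parse_redis_version(info_text)
    if version is None:
        return None
    fixed = FIXED_3X if version[0] >= 3 else FIXED_2X
    # Tuple comparison is numeric per component: (2, 8, 3) < (2, 8, 21),
    # whereas the strings "2.8.3" and "2.8.21" compare the other way round.
    return version < fixed


def audit(samples):
    """Return the sorted host names whose INFO output shows an unfixed version."""
    return sorted(host for host, info in samples.items() if needs_upgrade(info))


if __name__ == "__main__":
    for host in audit(SAMPLES):
        print(f"{host}: upgrade required")
```

Instances whose version cannot be parsed return `None` from `needs_upgrade` and are not listed by `audit`, so they need a separate manual check.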

Salvatore Sanfilippo

Jun 16, 2015, 2:58:50 AM
to Redis DB
Sorry typo indeed

Tăng Phương Quý

Sep 16, 2016, 2:47:38 AM
to Redis DB
Hi,
How to use these options with redis-cli?

I tried those things but they didn't work:

127.0.0.1:6379> zadd "test" 3 "test" nx
127.0.0.1:6379> zadd "test" 3 "test" -nx
127.0.0.1:6379> zadd "test" 3 "test" --nx
127.0.0.1:6379> zadd "test" 3 "test" $nx

Thanks
