Hello,
A few minutes ago I released Redis 3.0.2 and 2.8.1. The main reason
for this release is to address a security bug found by Ben Murphy,
documented in his blog post here:
http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
It is critical but not dramatic: it needs the attacker to have direct
access to the instance, so Redis access mediated by applications is
not at risk. There are a lot of details about vulnerable deployments
in the original blog post.
However there are a few more interesting things in the releases:
Sentinel CKQUORUM and FLUSHCONFIG commands.
The first is already documented in the Sentinel documentation, and is
useful in order to check if a given Sentinel is currently able to
failover given the number of reachable Sentinels it is connected to. A
good check to have in your monitoring systems.
Sentinel FLUSHCONFIG was added by Bill Anderson in order to allow the
generation from scratch of the Sentinel config file in case it is
missing or broken for some reason. This command is also documented in
the new Sentinel doc.
There is also something that will be welcomed in Redis 3.0.2. With the
new policy we usually don't add new stuff but this time it was way
too safe and useful to say no: ZADD now supports options:
NX: Add/Update elements if they don't already exist.
XX: Add/Update elements if they already exist.
CH: Change the return value in order to return *modified* elements, not just added elements.
Everything is documented here:
http://redis.io/commands/ZADD
Note that the new ZADD features are ONLY available in Redis 3.0.2.
Also remember that there is no reason to upgrade :-) It is backward compatible.
So... the 3.0.2 raw changelog is here:
--[ Redis 3.0.2 ] Release date: 4 Jun 2015

Upgrade urgency: HIGH for Redis because of a security issue.
                 LOW for Sentinel.

* [FIX] Critical security issue fix by Ben Murphy: http://t.co/LpGTyZmfS7
* [FIX] SMOVE reply fixed when src and dst keys are the same. (Glenn Nethercutt)
* [FIX] Lua cmsgpack lib updated to support str8 type. (Sebastian Waisbrot)
* [NEW] ZADD support for options: NX, XX, CH. See new doc at redis.io.
        (Salvatore Sanfilippo)
* [NEW] Sentinel: CKQUORUM and FLUSHCONFIG commands back ported.
        (Salvatore Sanfilippo and Bill Anderson)

Have fun,
Salvatore
--
Salvatore 'antirez' Sanfilippo
open source developer - Pivotal
http://pivotal.io
"If a system is to have conceptual integrity, someone must control the
concepts."
— Fred Brooks, "The Mythical Man-Month", 1975.
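
The message above suggests SENTINEL CKQUORUM as a monitoring check. The following is an added example, not part of the original message or of the Redis project: a Nagios-style probe that sends the command to one Sentinel and maps the reply to an exit code. The exit-code convention, the function names and the sample replies are assumptions made for illustration; the probe relies only on the RESP reply type (`+OK` status versus `-` error).

```python
import socket
import sys

OK, CRITICAL, UNKNOWN = 0, 2, 3  # Nagios-style plugin exit codes (assumed convention)

# Constructed sample replies, for illustration only (not captured from a live Sentinel).
SAMPLE_OK = b"+OK 3 usable Sentinels. Quorum and failover authorization can be reached\r\n"
SAMPLE_NOQUORUM = b"-NOQUORUM 1 usable Sentinels. Not enough available Sentinels\r\n"

def encode_command(*args):
    """Encode a command as a RESP array of bulk strings."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        data = arg.encode()
        out += b"$%d\r\n%s\r\n" % (len(data), data)
    return out

def classify_reply(raw):
    """Map the first line of a raw RESP reply to (exit_code, message)."""
    line = raw.split(b"\r\n", 1)[0].decode(errors="replace")
    if line.startswith("+OK"):
        return OK, line[1:]
    if line.startswith("-"):
        # Any error reply (no quorum, unknown master name, ...) must page someone.
        return CRITICAL, line[1:]
    return UNKNOWN, "unexpected reply: %r" % line

def check_quorum(host, port, master, timeout=2.0):
    """Ask one Sentinel whether it could currently fail over `master`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(encode_command("SENTINEL", "CKQUORUM", master))
            return classify_reply(sock.recv(4096))
    except OSError as exc:
        # An unreachable Sentinel cannot vote, so treat it as a failed check.
        return CRITICAL, "cannot query Sentinel %s:%d: %s" % (host, port, exc)

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("usage: check_quorum.py <sentinel-host> <sentinel-port> <master-name>")
        sys.exit(UNKNOWN)
    status, message = check_quorum(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(message)
    sys.exit(status)
```

Run it against every Sentinel rather than one: each instance answers from its own view of which peers are reachable.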