[RELEASE] Redis 7.0.9, 6.2.11 and 6.0.18 are out


Itamar Haber

Feb 28, 2023, 2:36:11 PM2/28/23
to Redis DB

Dear Redis community,


We've released Redis 7.0.9, 6.2.11, and 6.0.18 to fix bugs and security issues.


Following are the release notes.


Redis 7.0.9

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes
  • (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD
    commands can trigger an integer overflow, resulting in a runtime assertion
    and termination of the Redis server process.

  • (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially
    crafted pattern can trigger a denial-of-service attack on Redis, causing it to
    hang and consume 100% CPU time.

Bug Fixes
  • Fix a crash when reaching the maximum invalidations limit of client-side tracking (#11814)

  • Fix a crash when SPUBLISH is used after passing the cluster-link-sendbuf-limit (#11752)

  • Fix possible memory corruption in FLUSHALL when a client watches more than one key (#11854)

  • Fix cluster inbound link keepalive time (#11785)

  • Flush propagation list in active-expire of writable replicas to fix an assertion (#11615)

  • Avoid propagating DEL of lazy expire from SCAN and RANDOMKEY as MULTI-EXEC (#11788)


Performance and resource utilization improvements
  • Avoid realloc to reduce size of strings when it is unneeded (#11766)

  • Improve CLUSTER SLOTS reply efficiency for non-continuous slots (#11745)


Redis 6.2.11


Upgrade urgency: SECURITY, contains fixes to security issues.


Security Fixes
  • (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD
    commands can trigger an integer overflow, resulting in a runtime assertion
    and termination of the Redis server process.

  • (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially
    crafted pattern can trigger a denial-of-service attack on Redis, causing it to
    hang and consume 100% CPU time.


Bug Fixes
  • Fix a crash when reaching the maximum invalidations limit of client-side tracking (#11814)

  • Fix cluster inbound link keepalive time (#11785)

  • Make sure that fork child doesn't do incremental rehashing (#11692)


Performance and resource utilization improvements
  • Avoid realloc to reduce size of strings when it is unneeded (#11766)


Redis 6.0.18


Upgrade urgency: SECURITY, contains fixes to security issues.


Security Fixes
  • (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD
    commands can trigger an integer overflow, resulting in a runtime assertion
    and termination of the Redis server process.

  • (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially
    crafted pattern can trigger a denial-of-service attack on Redis, causing it to
    hang and consume 100% CPU time.


Bug Fixes
  • Make sure that fork child doesn't do incremental rehashing (#11692)

  • Fix cluster inbound link keepalive time (#11785)


Cheers,

The Redis core team
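Editor's note: the following is an added example, not part of the announcement above or of the Redis project. It maps the three fixed versions named in the release notes to their branches and decides, from a captured `INFO server` reply (the `redis_version:` line is standard Redis output; the sample reply below is constructed), whether a node still needs this upgrade. Branches not covered by the announcement are reported as unknown rather than guessed.

```python
import re

# Minimum version on each branch that carries the fixes for CVE-2023-25155 and
# CVE-2022-36021, taken from the announcement: 7.0.9, 6.2.11 and 6.0.18.
FIXED_VERSIONS = {
    (7, 0): (7, 0, 9),
    (6, 2): (6, 2, 11),
    (6, 0): (6, 0, 18),
}

def parse_redis_version(info_output: str) -> tuple:
    """Extract the redis_version field from the text of an INFO server reply."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_output, re.MULTILINE)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def patch_status(version: tuple) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a (major, minor, patch) tuple.

    Only the branches listed in the announcement are judged; anything else is
    out of scope of these release notes and is reported as unknown-branch.
    """
    fixed = FIXED_VERSIONS.get(tuple(version[:2]))
    if fixed is None:
        return "unknown-branch"
    return "patched" if tuple(version) >= fixed else "vulnerable"

def check_info(info_output: str) -> str:
    """Convenience wrapper: parse an INFO reply and classify the node."""
    return patch_status(parse_redis_version(info_output))

# Constructed sample: the first lines of an INFO server reply from a 7.0.x node
# that has not yet been upgraded.
SAMPLE_INFO = """# Server
redis_version:7.0.8
redis_git_sha1:00000000
redis_mode:standalone
"""

if __name__ == "__main__":
    v = parse_redis_version(SAMPLE_INFO)
    print(".".join(map(str, v)), patch_status(v))  # prints "7.0.8 vulnerable"
```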

