Redis 6.2.3 and 6.0.13 are out to address two security issues that affect authenticated client connections.
- Integer overflow in STRALGO LCS command (CVE-2021-29477): An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. The integer overflow bug exists in all versions of Redis starting with 6.0.
- Integer overflow in COPY command for large intsets (CVE-2021-29478): An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result in remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values and using the COPY command to duplicate it. The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result in a corrupted RDB or DUMP payload, but it could not be exploited through COPY (which did not exist before 6.2).
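As an added example (not part of the Redis announcement), the following Python helper triages a captured `INFO server` response and a captured `CONFIG GET set-max-intset-entries` reply against the version ranges implied above: CVE-2021-29477 reaches every 6.x build before the 6.0.13 and 6.2.3 fixes, CVE-2021-29478 only 6.2 builds before 6.2.3. The sample INFO text, the `triage` function and the field names it checks are constructed for illustration; the 512 default for `set-max-intset-entries` is the value shipped in the stock redis.conf.

```python
"""Offline triage of a Redis instance against CVE-2021-29477 / CVE-2021-29478.

Added example, not part of the Redis release notes. Works on captured
command output so it can run without a live server.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected half-open ranges [low, high) derived from the fixed releases
# named in the announcement (6.0.13 and 6.2.3). Unstable 6.1.x builds sit
# between the two lines and never received a fix, so they stay affected.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2021-29477": [((6, 0, 0), (6, 0, 13)), ((6, 1, 0), (6, 2, 3))],
    "CVE-2021-29478": [((6, 2, 0), (6, 2, 3))],
}

# Default from the stock redis.conf; a changed value is one precondition
# of the COPY/intset issue described in the announcement.
DEFAULT_SET_MAX_INTSET_ENTRIES = 512

# Constructed sample of an `INFO server` reply (CRLF-terminated like RESP).
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:6.2.1\r\n"
    "redis_mode:standalone\r\n"
    "os:Linux 5.10.0 x86_64\r\n"
)

# Constructed sample of a `CONFIG GET set-max-intset-entries` reply,
# already decoded from the RESP array into a Python list.
SAMPLE_CONFIG = ["set-max-intset-entries", "100000"]


def parse_version(text: str) -> Version:
    """Turn '6.2.1' into (6, 2, 1); reject anything that is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised redis_version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def redis_version_from_info(info: str) -> Version:
    """Extract the redis_version field from an INFO reply body."""
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            return parse_version(line.split(":", 1)[1])
    raise ValueError("redis_version field missing from INFO output")


def assess(version: Version) -> Dict[str, bool]:
    """Return, per CVE, whether the given version is still exposed."""
    return {
        cve: any(low <= version < high for low, high in ranges)
        for cve, ranges in AFFECTED.items()
    }


def intset_limit_changed(config_reply: List[str]) -> bool:
    """True if set-max-intset-entries differs from the stock default."""
    if len(config_reply) != 2 or config_reply[0] != "set-max-intset-entries":
        raise ValueError("unexpected CONFIG GET reply")
    return int(config_reply[1]) != DEFAULT_SET_MAX_INTSET_ENTRIES


def triage(info: str, config_reply: List[str]) -> Dict[str, object]:
    """Combine version exposure with the intset precondition into one report."""
    version = redis_version_from_info(info)
    exposure = assess(version)
    return {
        "version": ".".join(str(x) for x in version),
        "exposed": exposure,
        "intset_limit_changed": intset_limit_changed(config_reply),
        "fixed_versions": ["6.0.13", "6.2.3"],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_INFO, SAMPLE_CONFIG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the raw `INFO server` text and the decoded `CONFIG GET` pair from any client; an instance reporting 6.2.1 with a raised intset limit, as in the constructed sample, shows both CVEs exposed and the COPY precondition already met, which is the case where upgrading to 6.2.3 should not wait.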
Other than these fixes, the upgrade urgency is low. Following are the release notes for Redis 6.2.3:
Bug fixes that are only applicable to previous releases of Redis 6.2:
- Fix memory leak in moduleDefragGlobals (#8853)
- Fix memory leak when doing lazy freeing client tracking table (#8822)
- Block abusive replicas from sending commands that could assert and crash redis (#8868)
Other bug fixes:
- Use a monotonic clock to check for Lua script timeout (#8812)
- redis-cli: Do not use unix socket when we got redirected in cluster mode (#8870)
- Fix RM_GetClusterNodeInfo() to correctly populate master id (#8846)
The release notes for Redis 6.0.13 are:
- Cluster: Skip unnecessary check which may prevent failure detection (#8585)
- Fix not starting on alpine/libmusl without IPv6 (#8655)
- Fix performance regression in BRPOP on Redis 6.0 (#8689)
- Fix edge-case when a module client is unblocked (#8618)
The Redis Team