[RELEASE] Redis 6.2.6, 6.0.16 and 5.0.14 are out

293 views
Skip to first unread message

re...@redis.io

unread,
Oct 4, 2021, 8:03:20 AMOct 4
to Redis mailing list

Howdy folks,

Today's releases address a number of security issues as detailed below. You should consider upgrading to mitigate the risk from malicious actors.

  • (CVE-2021-41099) Integer to heap buffer overflow handling certain string
    commands and network payloads, when proto-max-bulk-len is manually configured
    to a non-default, very large value [reported by yiyuaner].
  • (CVE-2021-32762) Integer to heap buffer overflow issue in redis-cli and
    redis-sentinel parsing large multi-bulk replies on some older and less common
    platforms [reported by Microsoft Vulnerability Research].
  • (CVE-2021-32687) Integer to heap buffer overflow with intsets, when
    set-max-intset-entries is manually configured to a non-default, very large
    value [reported by Pawel Wieczorkiewicz, AWS].
  • (CVE-2021-32675) Denial Of Service when processing RESP request payloads with
    a large number of elements on many connections.
  • (CVE-2021-32672) Random heap reading issue with Lua Debugger [reported by
    Meir Shpilraien].
  • (CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded
    data types, when configuring a large, non-default value for
    hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries
    or zset-max-ziplist-value [reported by sundb].
  • (CVE-2021-32627) Integer to heap buffer overflow issue with streams, when
    configuring a non-default, large value for proto-max-bulk-len and
    client-query-buffer-limit [reported by sundb].
  • (CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer
    overflow [reported by Meir Shpilraien].

Redis 6.2.6

Bug fixes that involve behavior changes:

  • GEO* STORE with empty source key deletes the destination key and return 0 (#9271)
    Previously it would have returned an empty array like the non-STORE variant.
  • PUBSUB NUMPAT replies with number of patterns rather than number of subscriptions (#9209)
    This actually changed in 6.2.0 but was overlooked and omitted from the release notes.

Bug fixes that are only applicable to previous releases of Redis 6.2:

  • Fix CLIENT PAUSE, used an old timeout from previous PAUSE (#9477)
  • Fix CLIENT PAUSE in a replica would mess the replication offset (#9448)
  • Add some missing error statistics in INFO errorstats (#9328)

Other bug fixes:

  • Fix incorrect reply of COMMAND command key positions for MIGRATE command (#9455)
  • Fix appendfsync to always guarantee fsync before reply, on MacOS and FreeBSD (kqueue) (#9416)
  • Fix the wrong misdetection of sync_file_range system call, affecting performance (#9371)

CLI tools:

  • When redis-cli received ASK response, it didn't handle it (#8930)

Improvements:

  • Add latency monitor sample when key is deleted via lazy expire (#9317)
  • Sanitize corrupt payload improvements (#9321, #9399)
  • Delete empty keys when loading RDB file or handling a RESTORE command (#9297, #9349)

Redis 6.0.16

Other bug fixes:

  • Fix appendfsync to always guarantee fsync before reply, on MacOS and FreeBSD (kqueue) (#9416)
  • Fix the wrong misdetection of sync_file_range system call, affecting performance (#9371)
  • Fix replication issues when repl-diskless-load is used (#9280)

Redis 5.0.14

No additional changes.

Cheers,
The Redis Team

lafengnan

unread,
Nov 6, 2021, 3:33:25 PMNov 6
to Redis DB
Hi Redis Team,

Does team support Redis 3.2.x versions for such security upgrade? 

Thanks,
Chris

Itamar Haber

unread,
Nov 6, 2021, 3:37:25 PMNov 6
to Redis DB
Hello Lafengnan,

The team aims to support the latest two major versions only, so versions 3 and 4 are no longer maintained. You can read more about the project's releases at https://redis.io/topics/releases.

Cheers,
Itamar

Reply all
Reply to author
Forward
0 new messages