[SECURITY] Redis 7.0.12, 6.2.13 & 6.0.20 are out!

127 views
Skip to first unread message

Itamar Haber

unread,
Jul 10, 2023, 8:35:11 AM7/10/23
to Redis DB
Hi,

We've just released versions 7.0.12, 6.2.13, and 6.0.20 of Redis.
The main driver for these releases is a fix for CVE-2022-24834 - please take a look at the release notes below.

Redis 7.0.12
Upgrade urgency SECURITY: See security fixes below.

Security Fixes

• (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users.

• (CVE-2023-36824) Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Specifically: using COMMAND GETKEYS* and validation of key names in ACL rules.

Bug Fixes

• Re-enable downscale rehashing while there is a fork child (#12276)

• Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count> (#12276)

• Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction (#12276)

• Fix WAIT to be effective after a blocked module command being unblocked (#12220)

• Avoid unnecessary full sync after master restart in a rare case (#12088)

Redis 6.2.13
Upgrade urgency SECURITY: See security fixes below.

Security Fixes:

• (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users.

Bug Fixes

• Re-enable downscale rehashing while there is a fork child (#12276)

Redis 6.0.20
Upgrade urgency SECURITY: See security fixes below.

Security Fixes:

• (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users.

Bug Fixes

• Re-enable downscale rehashing while there is a fork child (#12276)

Cheers,
The Redis core team

Reply all
Reply to author
Forward
0 new messages