You do not have permission to delete messages in this group
Copy link
Report message
Sign in to report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Redis mailing list
Hi all,
We've just released Redis 6.2.7. This patch-level release addresses several issues, including fixes to two security vulnerabilities.
Following are the release notes:
Security Fixes
(CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. This issue affects all versions of Redis. [reported by Aviv Yahav].
(CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. [reported by Aviv Yahav].
Potentially Breaking Fixes
LPOP/RPOP with count against non-existing list return null array (#10095)
LPOP/RPOP used to produce wrong replies when count is 0 (#9692)
Performance and resource utilization improvements
Speed optimization in command execution pipeline (#10502)
Fix regression in Z[REV]RANGE commands (by-rank) introduced in Redis 6.2 (#10337)
Platform / toolchain support related improvements
Fix RSS metrics on NetBSD and OpenBSD (#10116,#10149)