- redis 7.2.2:
* (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a
race condition that can be used by another process to bypass desired Unix
socket permissions on startup, bsc#1216376
* WAITAOF could timeout in the absence of write traffic in case a new AOF is
created and an AOF rewrite can't immediately start
* Fix crash when running rebalance command in a mixed cluster of 7.0 and 7.2
nodes
* Fix the return type of the slot number in cluster shards to integer, which
makes it consistent with past behavior
* Fix CLUSTER commands called from modules or scripts to return TLS info
appropriately
* redis-cli: fix crash on reconnect when in SUBSCRIBE mode
* Fix overflow calculation for next timer event
OBS-URL: https://build.opensuse.org/request/show/1119207
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=230
- redis 7.2.1:
* (CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and,
as a result, may grant users executing this command access to keys that are not
explicitly authorized by the ACL configuration. (bsc#1215094)
* Fix crashes when joining a node to an existing 7.0 Redis Cluster
* Correct request_policy and response_policy command tips for some admin /
configuration commands
- Refresh redis.hashes
OBS-URL: https://build.opensuse.org/request/show/1109571
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=229
- redis 7.2.0:
- Bug Fixes
- redis-cli in cluster mode handles unknown-endpoint (#12273)
- Update request / response policy hints for a few commands
(#12417)
- Ensure that the function load timeout is disabled during
loading from RDB/AOF and on replicas. (#12451)
- Fix false success and a memory leak for ACL selector with bad
parenthesis combination (#12452)
- Fix the assertion when script timeout occurs after it
signaled a blocked client (#12459)
- Fixes for issues in previous releases of Redis 7.2
- Update MONITOR client's memory correctly for INFO and
client-eviction (#12420)
- The response of cluster nodes was unnecessarily adding an
extra comma when no hostname was present. (#12411)
- refreshed redis-conf.patch:
- switch to autosetup now that we switched the last patch to patch
level 1
OBS-URL: https://build.opensuse.org/request/show/1104035
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=228
- redis 7.0.12:
* (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger
a heap overflow in the cjson and cmsgpack libraries, and result in heap
corruption and potentially remote code execution. The problem exists in all
versions of Redis with Lua scripting support, starting from 2.6, and affects
only authenticated and authorized users. (bsc#1213193)
* (CVE-2023-36824) Extracting key names from a command and a list of arguments
may, in some cases, trigger a heap overflow and result in reading random heap
memory, heap corruption and potentially remote code execution. Specifically:
using COMMAND GETKEYS* and validation of key names in ACL rules. (bsc#1213249)
* Re-enable downscale rehashing while there is a fork child
* Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count>
* Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER,
SPOP, and eviction
* Fix WAIT to be effective after a blocked module command being unblocked
* Avoid unnecessary full sync after master restart in a rare case
OBS-URL: https://build.opensuse.org/request/show/1098376
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=226
- Update to version 7.0.5 (boo#1203638)
+ Security Fixes:
* (CVE-2022-35951) Executing a XAUTOCLAIM command on a stream key in a specific
state, with a specially crafted COUNT argument, may cause an integer overflow,
a subsequent heap overflow, and potentially lead to remote code execution.
The problem affects Redis versions 7.0.0 or newer
[reported by Xion (SeungHyun Lee) of KAIST GoN].
+ Module API changes
* Fix RM_Call execution of scripts when used with M/W/S flags to properly
handle script flags (#11159)
* Fix RM_SetAbsExpire and RM_GetAbsExpire API registration (#11025, #8564)
+ Bug Fixes
* Fix a hang when eviction is combined with lazy-free and maxmemory-eviction-tenacity is set to 100 (#11237)
* Fix a crash when a replica may attempt to set itself as its master as a result of a manual failover (#11263)
* Fix a bug where a cluster-enabled replica node may permanently set its master's hostname to '?' (#10696)
* Fix a crash when a Lua script returns a meta-table (#11032)
+ Fixes for issues in previous releases of Redis 7.0
* Fix redis-cli to do DNS lookup before sending CLUSTER MEET (#11151)
* Fix crash when a key is lazy expired during cluster key migration (#11176)
* Fix AOF rewrite to fsync the old AOF file when a new one is created (#11004)
* Fix some crashes involving a list containing entries larger than 1GB (#11242)
* Correctly handle scripts with a non-read-only shebang on a cluster replica (#11223)
* Fix memory leak when unloading a module (#11147)
* Fix bug with scripts ignoring client tracking NOLOOP (#11052)
* Fix client-side tracking breaking protocol when FLUSHDB / FLUSHALL / SWAPDB is used inside MULTI-EXEC (#11038)
* Fix ACL: BITFIELD with GET and also SET / INCRBY can be executed with read-only key permission (#11086)
* Fix missing sections for INFO ALL when also requesting a module info section (#11291)
OBS-URL: https://build.opensuse.org/request/show/1005288
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=205
- redis 6.2.1
Bug fixes:
* Fix sanitize-dump-payload for stream with deleted records (#8568)
* Prevent client-query-buffer-limit config from being set to lower than 1mb (#8557)
Improvements:
* Make port, tls-port and bind config options modifiable at runtime (#8510)
Platform and deployment-related changes:
* Fix compilation error on non-glibc systems if jemalloc is not used (#8533)
* Improved memory consumption and memory usage tracking on FreeBSD (#8545)
* Fix compilation on ARM64 MacOS with jemalloc (#8458)
Modules:
* New Module API for getting user name of a client (#8508)
* Optimize RM_Call by utilizing a shared reusable client (#8516)
* Fix crash running CLIENT INFO via RM_Call (#8560)
- includes changes from 6.2.0 GA:
* Integer overflow on 32-bit systems (CVE-2021-21309)
Bug fixes:
* Avoid 32-bit overflows when proto-max-bulk-len is set high (#8522)
* Fix broken protocol in client tracking tracking-redir-broken message (#8456)
* Avoid unsafe field name characters in INFO commandstats, errorstats, modules (#8492)
* XINFO able to access expired keys during CLIENT PAUSE WRITE (#8436)
* Fix allowed length for REPLCONF ip-address, needed due to Sentinel's support for hostnames (#8517)
* Fix broken protocol in redis-benchmark when used with -a or --dbnum (#8486)
* XADD counts deleted records too when considering switching to a new listpack (#8390)
Bug fixes that are only applicable to previous releases of Redis 6.2:
* Fixes in GEOSEARCH bybox (accuracy and mismatch between width and height) (#8445)
* Fix risk of OOM panic in HRANDFIELD, ZRANDMEMBER commands with huge negative count (#8429)
* Fix duplicate replicas issue in Sentinel, needed due to hostname support (#8481)
* Fix Sentinel configuration rewrite, an improvement of #8271 (#8480)
OBS-URL: https://build.opensuse.org/request/show/877720
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=169
- add BR pkgconfig(libsystemd) for the rewritten systemd support
and force building with it
- Update to 6.0.1
* https://raw.githubusercontent.com/antirez/redis/6.0.1/00-RELEASENOTES
* XCLAIM AOF/replicas propagation fixed.
* Client side caching: new NOLOOP option to avoid getting
notified about changes performed by ourselves.
* ACL GENPASS now uses HMAC-SHA256 and has an optional
"bits" argument. It means you can use it as a general purpose
"secure random strings" primitive!
* Cluster "SLOTS" subcommand memory optimization.
* The LCS command is now a subcommand of STRALGO.
* Meaningful offset for replicas as well. More successful
partial resynchronizations.
* Optimize memory usage of deferred replies.
* Faster CRC64 algorithm for faster RDB loading.
* XINFO STREAM FULL, a new subcommand to get the whole stream
state.
* CLIENT KILL USER <username>.
* MIGRATE AUTH2 option, for ACL style authentication support.
* Other random bugfixes.
OBS-URL: https://build.opensuse.org/request/show/800054
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=143
- Refresh spec-file with spec-cleaner and manual optimizations
* Remove Group tag.
* Replace make by %make_build macros.
- Update to 5.0.8
* https://raw.githubusercontent.com/antirez/redis/5.0.8/00-RELEASENOTES
* Fix Pi building needing -latomic, backport.
* Fix impl of aof-child whitelist SIGUSR1 feature.
* Fix ThreadSafeContext lock/unlock function names.
* XREADGROUP should propagate XCLAIM/SETID in MULTI/EXEC.
* Fix client flags to be int64 in module.c.
* Fix small bugs related to replica and monitor ambiguity.
* Fix lua related memory leak.
* Simplify #6379 changes.
* Free allocated sds in pfdebugCommand() to avoid memory leak.
* Jump to right label on AOF parsing error.
* Free fakeclient argv on AOF error.
* Fix potential memory leak of rioWriteBulkStreamID().
* Fix potential memory leak of clusterLoadConfig().
* Fix bug on KEYS command where pattern starts with * followed by \x00.
* Blocking XREAD[GROUP] should always reply with valid data.
* XCLAIM: Create the consumer only on successful claims.
* Stream: Handle streamID-related edge cases.
* Fix ip and missing mode in RM_GetClusterNodeInfo().
* Inline protocol: handle empty strings well.
* Mark extern definition of SDS_NOINIT in sds.h.
* Fix revisit CVE-2015-8080 vulnerability.
* Avoid Sentinel changing promoted_slave to be its own replica.
OBS-URL: https://build.opensuse.org/request/show/786036
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=135