- redis 7.2.2:
* (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a
race condition that can be used by another process to bypass desired Unix
socket permissions on startup, bsc#1216376
* WAITAOF could timeout in the absence of write traffic in case a new AOF is
created and an AOF rewrite can't immediately start
* Fix crash when running rebalance command in a mixed cluster of 7.0 and 7.2
nodes
* Fix the return type of the slot number in cluster shards to integer, which
makes it consistent with past behavior
* Fix CLUSTER commands are called from modules or scripts to return TLS info
appropriately
redis-cli, fix crash on reconnect when in SUBSCRIBE mode
* Fix overflow calculation for next timer event
OBS-URL: https://build.opensuse.org/request/show/1119207
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=230
- redis 7.2.1:
* (CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and,
as a result, may grant users executing this command access to keys that are not
explicitly authorized by the ACL configuration. (bsc#1215094)
* Fix crashes when joining a node to an existing 7.0 Redis Cluster
* Correct request_policy and response_policy command tips on for some admin /
configuration commands
- Refresh redis.hashes
OBS-URL: https://build.opensuse.org/request/show/1109571
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=229
- redis 7.2.0
- Bug Fixes
- redis-cli in cluster mode handles unknown-endpoint (#12273)
- Update request / response policy hints for a few commands
(#12417)
- Ensure that the function load timeout is disabled during
loading from RDB/AOF and on replicas. (#12451)
- Fix false success and a memory leak for ACL selector with bad
parenthesis combination (#12452)
- Fix the assertion when script timeout occurs after it
signaled a blocked client (#12459)
- Fixes for issues in previous releases of Redis 7.2
- Update MONITOR client's memory correctly for INFO and
client-eviction (#12420)
- The response of cluster nodes was unnecessarily adding an
extra comma when no hostname was present. (#12411)
- refreshed redis-conf.patch:
- switch to autosetup now that we switched the last patch to patch
level 1
OBS-URL: https://build.opensuse.org/request/show/1104035
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=228
- redis 7.0.12:
* (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger
a heap overflow in the cjson and cmsgpack libraries, and result in heap
corruption and potentially remote code execution. The problem exists in all
versions of Redis with Lua scripting support, starting from 2.6, and affects
only authenticated and authorized users. (bsc#1213193)
* (CVE-2023-36824) Extracting key names from a command and a list of arguments
may, in some cases, trigger a heap overflow and result in reading random heap
memory, heap corruption and potentially remote code execution. Specifically:
using COMMAND GETKEYS* and validation of key names in ACL rules. (bsc#1213249)
* Re-enable downscale rehashing while there is a fork child
* Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count>
* Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER,
SPOP, and eviction
* Fix WAIT to be effective after a blocked module command being unblocked
* Avoid unnecessary full sync after master restart in a rare case
OBS-URL: https://build.opensuse.org/request/show/1098376
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=226
- Update to version 7.0.5 (boo#1203638)
+ Security Fixes:
* (CVE-2022-35951) Executing a XAUTOCLAIM command on a stream key in a specific
state, with a specially crafted COUNT argument, may cause an integer overflow,
a subsequent heap overflow, and potentially lead to remote code execution.
The problem affects Redis versions 7.0.0 or newer
[reported by Xion (SeungHyun Lee) of KAIST GoN].
+ Module API changes
* Fix RM_Call execution of scripts when used with M/W/S flags to properly
handle script flags (#11159)
* Fix RM_SetAbsExpire and RM_GetAbsExpire API registration (#11025, #8564)
+ Bug Fixes
* Fix a hang when eviction is combined with lazy-free and maxmemory-eviction-tenacity is set to 100 (#11237)
* Fix a crash when a replica may attempt to set itself as its master as a result of a manual failover (#11263)
* Fix a bug where a cluster-enabled replica node may permanently set its master's hostname to '?' (#10696)
* Fix a crash when a Lua script returns a meta-table (#11032)
+ Fixes for issues in previous releases of Redis 7.0
* Fix redis-cli to do DNS lookup before sending CLUSTER MEET (#11151)
* Fix crash when a key is lazy expired during cluster key migration (#11176)
* Fix AOF rewrite to fsync the old AOF file when a new one is created (#11004)
* Fix some crashes involving a list containing entries larger than 1GB (#11242)
* Correctly handle scripts with a non-read-only shebang on a cluster replica (#11223)
* Fix memory leak when unloading a module (#11147)
* Fix bug with scripts ignoring client tracking NOLOOP (#11052)
* Fix client-side tracking breaking protocol when FLUSHDB / FLUSHALL / SWAPDB is used inside MULTI-EXEC (#11038)
* Fix ACL: BITFIELD with GET and also SET / INCRBY can be executed with read-only key permission (#11086)
* Fix missing sections for INFO ALL when also requesting a module info section (#11291)
OBS-URL: https://build.opensuse.org/request/show/1005288
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=205
- redis 6.2.1
Bug fixes:
* Fix sanitize-dump-payload for stream with deleted records (#8568)
* Prevent client-query-buffer-limit config from being set to lower than 1mb (#8557)
Improvements:
* Make port, tls-port and bind config options modifiable at runtime (#8510)
Platform and deployment-related changes:
* Fix compilation error on non-glibc systems if jemalloc is not used (#8533)
* Improved memory consumption and memory usage tracking on FreeBSD (#8545)
* Fix compilation on ARM64 MacOS with jemalloc (#8458)
Modules:
* New Module API for getting user name of a client (#8508)
* Optimize RM_Call by utilizing a shared reusable client (#8516)
* Fix crash running CLIENT INFO via RM_Call (#8560)
- includes changes from 6.2.0 GA:
* Integer overflow on 32-bit systems (CVE-2021-21309)
Bug fixes:
* Avoid 32-bit overflows when proto-max-bulk-len is set high (#8522)
* Fix broken protocol in client tracking tracking-redir-broken message (#8456)
* Avoid unsafe field name characters in INFO commandstats, errorstats, modules (#8492)
* XINFO able to access expired keys during CLIENT PAUSE WRITE (#8436)
* Fix allowed length for REPLCONF ip-address, needed due to Sentinel's support for hostnames (#8517)
* Fix broken protocol in redis-benchmark when used with -a or --dbnum (#8486)
* XADD counts deleted records too when considering switching to a new listpack (#8390)
Bug fixes that are only applicable to previous releases of Redis 6.2:
* Fixes in GEOSEARCH bybox (accuracy and mismatch between width and height) (#8445)
* Fix risk of OOM panic in HRANDFIELD, ZRANDMEMBER commands with huge negative count (#8429)
* Fix duplicate replicas issue in Sentinel, needed due to hostname support (#8481)
* Fix Sentinel configuration rewrite, an improvement of #8271 (#8480)
OBS-URL: https://build.opensuse.org/request/show/877720
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=169