Releases: redis/redis
6.0.13
Upgrade urgency: SECURITY, Contains fixes to security issues that affect
authenticated client connections. LOW otherwise.
Integer overflow in STRALGO LCS command (CVE-2021-29477):
An integer overflow bug in Redis version 6.0 or newer could be exploited using
the STRALGO LCS command to corrupt the heap and potentially result in remote
code execution. The integer overflow bug exists in all versions of Redis
starting with 6.0.
Integer overflow in COPY command for large intsets (CVE-2021-29478):
An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
potentially result in remote code execution. The vulnerability involves
changing the default set-max-intset-entries configuration value, creating a
large set key that consists of integer values and using the COPY command to
duplicate it. The integer overflow bug exists in all versions of Redis starting
with 2.6, where it could result with a corrupted RDB or DUMP payload, but not
exploited through COPY (which did not exist before 6.2).
Bug fixes:
- Cluster: Skip unnecessary check which may prevent failure detection (#8585)
- Fix not starting on alpine/libmusl without IPv6 (#8655)
Improvements:
- Fix performance regression in BRPOP on Redis 6.0 (#8689)
Modules:
- Fix edge-case when a module client is unblocked (#8618)
6.2.2
Upgrade urgency: HIGH, if you're using ACL and pub/sub, CONFIG REWRITE, or
suffering from performance regression. see below.
Bug fixes for regressions in previous releases of Redis 6.2:
- Fix BGSAVE, AOFRW, and replication slowdown due to child reporting CoW (#8645)
- Fix short busy loop when a timer event is about to fire (#8764)
- Fix default user, overwritten and reset users losing Pub/Sub channel permissions (#8723)
- Fix config rewrite with an empty
saveconfig resulting in defaultsavevalues (#8719) - Fix not starting on alpine/libmusl without IPv6 (#8655)
- Fix issues with propagation and MULTI/EXEC in modules (#8617)
Several issues around nested calls and thread-safe contexts
Bug fixes that are only applicable to previous releases of Redis 6.2:
- ACL Pub/Sub channels permission handling for save/load scenario (#8794)
- Fix early rejection of PUBLISH inside MULTI-EXEC transaction (#8534)
- Fix missing SLOWLOG records for blocked commands (#8632)
- Allow RESET command during busy scripts (#8629)
- Fix some error replies that were not counted on stats (#8659)
Bug fixes:
- Add a timeout mechanism for replicas stuck in fullsync (#8762)
- Process HELLO command even if the default user has no permissions (#8633)
- Client issuing a long-running script and using a pipeline, got disconnected (#8715)
- Fix script kill to work also on scripts that use
pcall(#8661) - Fix list-compress-depth may compress more node than required (#8311)
- Fix redis-cli handling of rediss:// URL scheme (#8705)
- Cluster: Skip unnecessary check which may prevent failure detection (#8585)
- Cluster: Fix hang manual failover when replica just started (#8651)
- Sentinel: Fix info-refresh time field before sentinel gets a first response (#8567)
- Sentinel: Fix possible crash on failed connection attempt (#8627)
- Systemd: Send the readiness notification when a replica is ready to accept connections (#8409)
Command behavior changes:
- ZADD: fix awrong reply when INCR used with GT/LT which blocked the update (#8717)
It was responding with the incremented value rather than nil - XAUTOCLAIM: fix response to return the next available id as the cursor (#8725)
Previous behavior was returning the last one which was already scanned - XAUTOCLAIM: fix JUSTID to prevent incrementing delivery_count (#8724)
New config options:
- Add cluster-allow-replica-migration config option (#5285)
- Add replica-announced config option (#8653)
- Add support for plaintext clients in TLS cluster (#8587)
- Add support for reading encrypted keyfiles (#8644)
Improvements:
- Fix performance regression in BRPOP on Redis 6.0 (#8689)
- Avoid adding slowlog entries for config with sensitive data (#8584)
- Improve redis-cli non-binary safe string handling (#8566)
- Optimize CLUSTER SLOTS reply (#8541)
- Handle remaining fsync errors (#8419)
Info fields and introspection changes:
- Strip % sign from current_fork_perc info field (#8628)
- Fix RSS memory info on FreeBSD (#8620)
- Fix client_recent_max_input/output_buffer in 'INFO CLIENTS' when all clients drop (#8588)
- Fix invalid master_link_down_since_seconds in info replication (#8785)
Platform and deployment-related changes:
- Fix FreeBSD <12.x builds (#8603)
Modules:
- Add macros for RedisModule_log logging levels (#4246)
- Add RedisModule_GetAbsExpire / RedisModule_SetAbsExpire (#8564)
- Add a module type for key space notification (#8759)
- Set module eviction context flag only in masters (#8631)
- Fix unusable RedisModule_IsAOFClient API (#8596)
- Fix missing EXEC on modules propagation after failed EVAL execution (#8654)
- Fix edge-case when a module client is unblocked (#8618)
6.2.1
Upgrade urgency: LOW.
Here is a comprehensive list of changes in this release compared to 6.2.0,
each one includes the PR number that added it, so you can get more details
at https://github.com/redis/redis/pull/
Bug fixes:
- Fix sanitize-dump-payload for stream with deleted records (#8568)
- Prevent client-query-buffer-limit config from being set to lower than 1mb (#8557)
Improvements:
- Make port, tls-port and bind config options modifiable at runtime (#8510)
Platform and deployment-related changes:
- Fix compilation error on non-glibc systems if jemalloc is not used (#8533)
- Improved memory consumption and memory usage tracking on FreeBSD (#8545)
- Fix compilation on ARM64 MacOS with jemalloc (#8458)
Modules:
6.0.12
5.0.12
6.2.0
Upgrade urgency: SECURITY if you use 32bit build of redis (see bellow), MODERATE
if you used earlier versions of Redis 6.2, LOW otherwise.
Integer overflow on 32-bit systems (CVE-2021-21309):
Redis 4.0 or newer uses a configurable limit for the maximum supported bulk
input size. By default, it is 512MB which is a safe value for all platforms.
If the limit is significantly increased, receiving a large request from a client
may trigger several integer overflow scenarios, which would result with buffer
overflow and heap corruption.
Here is a comprehensive list of changes in this release compared to 6.2 RC3,
each one includes the PR number that added it, so you can get more details
at https://github.com/redis/redis/pull/
Bug fixes:
- Avoid 32-bit overflows when proto-max-bulk-len is set high (#8522)
- Fix broken protocol in client tracking tracking-redir-broken message (#8456)
- Avoid unsafe field name characters in INFO commandstats, errorstats, modules (#8492)
- XINFO able to access expired keys during CLIENT PAUSE WRITE (#8436)
- Fix allowed length for REPLCONF ip-address, needed due to Sentinel's support for hostnames (#8517)
- Fix broken protocol in redis-benchmark when used with -a or --dbnum (#8486)
- XADD counts deleted records too when considering switching to a new listpack (#8390)
Bug fixes that are only applicable to previous releases of Redis 6.2:
- Fixes in GEOSEARCH bybox (accuracy and mismatch between width and height) (#8445)
- Fix risk of OOM panic in HRANDFIELD, ZRANDMEMBER commands with huge negative count (#8429)
- Fix duplicate replicas issue in Sentinel, needed due to hostname support (#8481)
- Fix Sentinel configuration rewrite, an improvement of #8271 (#8480)
Command behavior changes:
- SRANDMEMBER uses RESP3 array type instead of set type (#8504)
- EXPIRE, EXPIREAT, SETEX, GETEX: Return error when provided expire time overflows (#8287)
Other behavior changes:
- Remove ACL subcommand validation if fully added command exists. (#8483)
Improvements:
- Optimize sorting in GEORADIUS / GEOSEARCH with COUNT (#8326)
- Optimize HRANDFIELD and ZRANDMEMBER case 4 when ziplist encoded (#8444)
- Optimize in-place replacement of elements in HSET, HINCRBY, LSET (#8493)
- Remove redundant list to store pubsub patterns (#8472)
- Add --insecure option to command line tools (#8416)
Info fields and introspection changes:
- Add INFO fields to track progress of BGSAVE, AOFRW, replication (#8414)
Modules:
6.0.11
Upgrade urgency: SECURITY if you use 32bit build of redis (see bellow), LOW
otherwise.
Integer overflow on 32-bit systems (CVE-2021-21309):
Redis 4.0 or newer uses a configurable limit for the maximum supported bulk
input size. By default, it is 512MB which is a safe value for all platforms.
If the limit is significantly increased, receiving a large request from a client
may trigger several integer overflow scenarios, which would result with buffer
overflow and heap corruption.
Bug fixes:
- Avoid 32-bit overflows when proto-max-bulk-len is set high (#8522)
- Fix handling of threaded IO and CLIENT PAUSE (failover), could lead to data loss or a crash (#8520)
- Fix the selection of a random element from large hash tables (#8133)
- Fix broken protocol in client tracking tracking-redir-broken message (#8456)
- XINFO able to access expired keys on a replica (#8436)
- Fix broken protocol in redis-benchmark when used with -a or --dbnum (#8486)
- Avoid assertions (on older kernels) when testing arm64 CoW bug (#8405)
- CONFIG REWRITE should honor umask settings (#8371)
- Fix firstkey,lastkey,step in COMMAND command for some commands (#8367)
Modules:
- RM_ZsetRem: Delete key if empty, the bug could leave empty zset keys (#8453)
5.0.11
Upgrade urgency: SECURITY if you use 32bit build of redis (see bellow), LOW
otherwise.
Integer overflow on 32-bit systems (CVE-2021-21309):
Redis 4.0 or newer uses a configurable limit for the maximum supported bulk
input size. By default, it is 512MB which is a safe value for all platforms.
If the limit is significantly increased, receiving a large request from a client
may trigger several integer overflow scenarios, which would result with buffer
overflow and heap corruption.
Bug fixes:
- Avoid 32-bit overflows when proto-max-bulk-len is set high (#8522)
- Fix an issue where a forked process deletes the parent's pidfile (#8231)
- Fix flock cluster config may cause failure to restart after kill -9 (#7674)
- Avoid an out-of-bounds read in the redis-sentinel (#7443)
Platform and deployment-related changes:
- Fix setproctitle related crashes. (#8150, #8088)
Caused various crashes on startup, mainly on Apple M1 chips or under
instrumentation. - Add a check for an ARM64 Linux kernel bug (#8224)
Due to the potential severity of this issue, Redis will refuse to run on
affected platforms by default.
Modules:
- RM_ZsetRem: Delete key if empty, the bug could leave empty zset keys (#8453)
6.2-rc3
Upgrade urgency LOW: This is the third Release Candidate of Redis 6.2.
Here is a comprehensive list of changes in this release compared to 6.2 RC2,
each one includes the PR number that added it, so you can get more details
at https://github.com/redis/redis/pull/
New commands / args:
- Add HRANDFIELD and ZRANDMEMBER commands (#8297)
- Add FAILOVER command (#8315)
- Add GETEX, GETDEL commands (#8327)
- Add PXAT/EXAT arguments to SET command (#8327)
- Add SYNC arg to FLUSHALL and FLUSHDB, and ASYNC/SYNC arg to SCRIPT FLUSH (#8258)
Sentinel:
- Add hostname support to Sentinel (#8282)
- Prevent file descriptors from leaking into Sentinel scripts (#8242)
- Fix config file line order dependency and config rewrite sequence (#8271)
New configuration options:
- Add set-proc-title config option to disable changes to the process title (#3623)
- Add proc-title-template option to control what's shown in the process title (#8397)
- Add lazyfree-lazy-user-flush config option to control FLUSHALL, FLUSHDB and SCRIPT FLUSH (#8258)
Bug fixes:
- AOF: recover from last write error by turning on/off appendonly config (#8030)
- Exit on fsync error when the AOF fsync policy is 'always' (#8347)
- Avoid assertions (on older kernels) when testing arm64 CoW bug (#8405)
- CONFIG REWRITE should honor umask settings (#8371)
- Fix firstkey,lastkey,step in COMMAND command for some commands (#8367)
Special considerations:
- Fix misleading description of the save configuration directive (#8337)
Improvements:
- A way to get RDB file via replication without excessive replication buffers (#8303)
- Optimize performance of clusterGenNodesDescription for large clusters (#8182)
Info fields and introspection changes:
- SLOWLOG and LATENCY monitor include unblocking time of blocked commands (#7491)
Modules:
- Add modules API for streams (#8288)
- Add event for fork child birth and termination (#8289)
- Add RM_BlockedClientMeasureTime* etc, to track background processing in commandstats (#7491)
- Fix bug in v6.2, wrong value passed to the new unlink callback (#8381)
- Fix bug in v6.2, modules blocked on keys unblock on commands like LPUSH (#8356)
6.0.10
Upgrade urgency MODERATE: several bugs with moderate impact are fixed,
Here is a comprehensive list of changes in this release compared to 6.0.9.
Command behavior changes:
- SWAPDB invalidates WATCHed keys (#8239)
- SORT command behaves differently when used on a writable replica (#8283)
- EXISTS should not alter LRU (#8016)
In Redis 5.0 and 6.0 it would have touched the LRU/LFU of the key. - OBJECT should not reveal logically expired keys (#8016)
Will now behave the same TYPE or any other non-DEBUG command. - GEORADIUS[BYMEMBER] can fail with -OOM if Redis is over the memory limit (#8107)
Other behavior changes:
- Sentinel: Fix missing updates to the config file after SENTINEL SET command (#8229)
- CONFIG REWRITE is atomic and safer, but requires write access to the config file's folder (#7824, #8051)
This change was already present in 6.0.9, but was missing from the release notes.
Bug fixes with compatibility implications (bugs introduced in Redis 6.0):
- Fix RDB CRC64 checksum on big-endian systems (#8270)
If you're using big-endian please consider the compatibility implications with
RESTORE, replication and persistence. - Fix wrong order of key/value in Lua's map response (#8266)
If your scripts use redis.setresp() or return a map (new in Redis 6.0), please
consider the implications.
Bug fixes:
- Fix an issue where a forked process deletes the parent's pidfile (#8231)
- Fix crashes when enabling io-threads-do-reads (#8230)
- Fix a crash in redis-cli after executing cluster backup (#8267)
- Handle output buffer limits for module blocked clients (#8141)
Could result in a module sending reply to a blocked client to go beyond the limit. - Fix setproctitle related crashes. (#8150, #8088)
Caused various crashes on startup, mainly on Apple M1 chips or under instrumentation. - Backup/restore cluster mode keys to slots map for repl-diskless-load=swapdb (#8108)
In cluster mode with repl-diskless-load, when loading failed, slot map wouldn't
have been restored. - Fix oom-score-adj-values range, and bug when used in config file (#8046)
Enabling setting this in the config file in a line after enabling it, would
have been buggy. - Reset average ttl when empty databases (#8106)
Just causing misleading metric in INFO - Disable rehash when Redis has child process (#8007)
This could have caused excessive CoW during BGSAVE, replication or AOFRW. - Further improved ACL algorithm for picking categories (#7966)
Output of ACL GETUSER is now more similar to the one provided by ACL SETUSER. - Fix bug with module GIL being released prematurely (#8061)
Could in theory (and rarely) cause multi-threaded modules to corrupt memory. - Reduce effect of client tracking causing feedback loop in key eviction (#8100)
- Fix cluster access to unaligned memory (SIGBUS on old ARM) (#7958)
- Fix saving of strings larger than 2GB into RDB files (#8306)
Additional improvements:
Platform / toolchain support related improvements:
- Fix crash log registers output on ARM. (#8020)
- Add a check for an ARM64 Linux kernel bug (#8224)
Due to the potential severity of this issue, Redis will print log warning on startup. - Raspberry build fix. (#8095)
New configuration options:
- oom-score-adj-values config can now take absolute values (besides relative ones) (#8046)
Module related fixes: