./databases/redis, Persistent key-value database with built-in net interface



Branch: pkgsrc-2021Q3, Version: 6.2.6, Package name: redis-6.2.6, Maintainer: pkgsrc-users

Redis is an advanced key-value store. It is similar to memcached but the
dataset is not volatile, and values can be strings, exactly like in memcached,
but also lists, sets, and ordered sets. All these data types can be manipulated
with atomic operations to push/pop elements, add/remove elements, perform
server side union, intersection, and difference between sets, and so forth.
Redis also supports different kinds of sorting.



Package options: ssl

Master sites:

SHA1: e9fb68dfcee194b438bd0af6e4cbc277a2a425e2
RMD160: 98607041365692d7feb19bf861b4bb32e799047e
Filesize: 2418.498 KB

CVS history:


   2021-10-06 23:12:46 by Thomas Merkel | Files touched by this commit (3) | Package updated
Log message:
Pullup ticket #6503 - requested by taca
databases/redis: security fix

Revisions pulled up:
- databases/redis/Makefile                                      1.72
- databases/redis/distinfo                                      1.63
- databases/redis/patches/patch-src_Makefile                    1.5

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Mon Oct  4 18:55:36 UTC 2021

   Modified Files:
   	pkgsrc/databases/redis: Makefile distinfo
   	pkgsrc/databases/redis/patches: patch-src_Makefile

   Log message:
   redis: updated to 6.2.6

   Redis 6.2.6

   Upgrade urgency: SECURITY, contains fixes to security issues.

   Security Fixes:
   * (CVE-2021-41099) Integer to heap buffer overflow handling certain string
     commands and network payloads, when proto-max-bulk-len is manually configured
     to a non-default, very large value [reported by yiyuaner].
   * (CVE-2021-32762) Integer to heap buffer overflow issue in redis-cli and
     redis-sentinel parsing large multi-bulk replies on some older and less common
     platforms [reported by Microsoft Vulnerability Research].
   * (CVE-2021-32687) Integer to heap buffer overflow with intsets, when
     set-max-intset-entries is manually configured to a non-default, very large
     value [reported by Pawel Wieczorkiewicz, AWS].
   * (CVE-2021-32675) Denial Of Service when processing RESP request payloads with
     a large number of elements on many connections.
   * (CVE-2021-32672) Random heap reading issue with Lua Debugger [reported by
     Meir Shpilraien].
   * (CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded
     data types, when configuring a large, non-default value for
     hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries
     or zset-max-ziplist-value [reported by sundb].
   * (CVE-2021-32627) Integer to heap buffer overflow issue with streams, when
     configuring a non-default, large value for proto-max-bulk-len and
     client-query-buffer-limit [reported by sundb].
   * (CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer
     overflow [reported by Meir Shpilraien].

   Bug fixes that involve behavior changes:
   * GEO* STORE with empty source key deletes the destination key and returns 0.
     Previously it would have returned an empty array like the non-STORE variant.
   * PUBSUB NUMPAT replies with number of patterns rather than number of subscriptions.
     This actually changed in 6.2.0 but was overlooked and omitted from the release notes.

   Bug fixes that are only applicable to previous releases of Redis 6.2:
   * Fix CLIENT PAUSE, used an old timeout from previous PAUSE
   * Fix CLIENT PAUSE in a replica would mess the replication offset
   * Add some missing error statistics in INFO errorstats

   Other bug fixes:
   * Fix incorrect reply of COMMAND command key positions for MIGRATE command
   * Fix appendfsync to always guarantee fsync before reply, on MacOS and FreeBSD (kqueue)
   * Fix the wrong mis-detection of sync_file_range system call, affecting performance

   CLI tools:
   * When redis-cli received an ASK response, it didn't handle it

   Improvements:
   * Add latency monitor sample when key is deleted via lazy expire
   * Sanitize corrupt payload improvements
   * Delete empty keys when loading RDB file or handling a RESTORE command
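Several of the 6.2.6 security fixes above are only reachable when an operator has raised a tunable far above its default (proto-max-bulk-len, client-query-buffer-limit, set-max-intset-entries, the hash/zset ziplist limits). The following is an added audit script for this page, not code from pkgsrc or from the Redis project: it parses a redis.conf fragment, flags any of those directives set above their default, and reports which of the listed CVEs the setting relates to. The defaults used are the documented Redis 6.2 defaults as I know them (treat them as an assumption), the directive-to-CVE mapping is taken from the release notes above, and the sample configuration is constructed for the example.

```python
"""Audit a redis.conf against the settings named in the Redis 6.2.6 notes.

Added example for this page; it is not pkgsrc or Redis code. The per-setting
defaults are the documented Redis 6.2 defaults (assumed here), and the
directive-to-CVE mapping comes from the 6.2.6 release notes above.
"""
import re

# directive -> (Redis 6.2 default, CVEs whose trigger needs a large non-default value)
WATCHED = {
    "proto-max-bulk-len": (512 * 1024 ** 2, ["CVE-2021-41099", "CVE-2021-32627"]),
    "client-query-buffer-limit": (1024 ** 3, ["CVE-2021-32627"]),
    "set-max-intset-entries": (512, ["CVE-2021-32687"]),
    "hash-max-ziplist-entries": (128, ["CVE-2021-32628"]),
    "hash-max-ziplist-value": (64, ["CVE-2021-32628"]),
    "zset-max-ziplist-entries": (128, ["CVE-2021-32628"]),
    "zset-max-ziplist-value": (64, ["CVE-2021-32628"]),
}

# Redis size suffixes: k/m/g are powers of 1000, kb/mb/gb are powers of 1024
_UNITS = {"": 1, "k": 10 ** 3, "kb": 1024, "m": 10 ** 6, "mb": 1024 ** 2,
          "g": 10 ** 9, "gb": 1024 ** 3}

# Constructed sample redis.conf fragment (not from the page or any real host)
SAMPLE_CONF = """\
# sample fragment
bind 127.0.0.1
proto-max-bulk-len 4gb
client-query-buffer-limit 1gb
set-max-intset-entries 512
hash-max-ziplist-entries 100000
zset-max-ziplist-value 64
"""


def parse_size(value):
    """Parse a Redis size value such as '512mb', '1g' or '128' into an int."""
    m = re.fullmatch(r"(\d+)([kKmMgG][bB]?)?", value.strip())
    if m is None:
        raise ValueError("not a Redis size value: %r" % value)
    return int(m.group(1)) * _UNITS[(m.group(2) or "").lower()]


def parse_conf(text):
    """Map directive -> value; blank lines and '#' comments are skipped.
    Redis applies the last occurrence of a repeated directive, so last wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip().strip('"')
    return conf


def audit(text):
    """Return (directive, configured, default, cves) for each watched directive
    set above its default. Values at or below the default are outside the
    'non-default, very large value' trigger condition the notes describe."""
    conf = parse_conf(text)
    findings = []
    for key, (default, cves) in WATCHED.items():
        if key in conf:
            configured = parse_size(conf[key])
            if configured > default:
                findings.append((key, configured, default, cves))
    return findings


def needs_update(version, fixed="6.2.6"):
    """True if a dotted Redis version is older than the fixed release named in
    the notes above. Versions from other release lines are not handled."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(version) < as_tuple(fixed)


if __name__ == "__main__":
    for key, configured, default, cves in audit(SAMPLE_CONF):
        print("%s=%d exceeds default %d; relevant: %s"
              % (key, configured, default, ", ".join(cves)))
    print("6.2.5 needs update:", needs_update("6.2.5"))
```

The config check is a triage aid, not a substitute for the upgrade: CVE-2021-32675 (DoS on RESP payloads with many elements) and the two Lua issues (CVE-2021-32672, CVE-2021-32626) have no configuration precondition in the notes above, so a server below 6.2.6 should be updated regardless of what the audit reports. Run the same check against a live instance by feeding it the output of `redis-cli CONFIG GET <directive>` for each watched directive.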