2022-05-13 13:24:27 by Thomas Klausner | Files touched by this commit (2)
Log message:
redis: update to 6.2.7.
================================================================================
Redis 6.2.7 Released Wed Apr 27 12:00:00 IDT 2022
================================================================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script
can cause NULL pointer dereference which will result with a crash of the
redis-server process. This issue affects all versions of Redis.
[reported by Aviv Yahav].
* (CVE-2022-24735) By exploiting weaknesses in the Lua script execution
environment, an attacker with access to Redis can inject Lua code that will
execute with the (potentially higher) privileges of another Redis user.
[reported by Aviv Yahav].
Potentially Breaking Fixes
==========================
* LPOP/RPOP with count against non-existing list return null array (#10095)
* LPOP/RPOP used to produce wrong replies when count is 0 (#9692)
Performance and resource utilization improvements
=================================================
* Speed optimization in command execution pipeline (#10502)
* Fix regression in Z[REV]RANGE commands (by-rank) introduced in Redis 6.2 (#10337)
Platform / toolchain support related improvements
=================================================
* Fix RSS metrics on NetBSD and OpenBSD (#10116, #10149)
* Fix OpenSSL 3.0.x related issues (#10291)
Bug Fixes
=========
* Lua: Add checks for min-slave-* configs when evaluating Lua scripts (#10160)
* Lua: fix crash on a script call with many arguments, a regression in v6.2.6 (#9809)
* Tracking: Make invalidation messages always after command's reply (#9422)
* Fix excessive stream trimming due to an overflow (#10068)
* Add missed error counting for INFO errorstats (#9646)
* Fix geo search bounding box check causing missing results (#10018)
* Improve EXPIRE TTL overflow detection (#9839)
* Modules: Fix thread safety violation when a module thread adds an error reply, broken in 6.2 (#10278)
* Modules: Fix missing and duplicate error stats (#10278)
* Module APIs: release clients blocked on module commands in cluster resharding
and down state (#9483)
* Sentinel: Fix memory leak with TLS (#9753)
* Sentinel: Fix issues with hostname support (#10146)
* Sentinel: Fix election failures on certain container environments (#10197)
2021-10-26 12:10:08 by Nia Alarie | Files touched by this commit (417)
Log message:
databases: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
The following distfiles could not be fetched (some may be only fetched
conditionally):
./databases/cstore/distinfo D6.data.ros.gz
./databases/cstore/distinfo cstore0.2.tar.gz
./databases/cstore/distinfo data4.tar.gz
2021-10-07 15:35:53 by Nia Alarie | Files touched by this commit (417)
Log message:
databases: Remove SHA1 distfile hashes
2021-10-04 20:55:36 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
redis: updated to 6.2.6
Redis 6.2.6
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2021-41099) Integer to heap buffer overflow handling certain string
commands and network payloads, when proto-max-bulk-len is manually configured
to a non-default, very large value [reported by yiyuaner].
* (CVE-2021-32762) Integer to heap buffer overflow issue in redis-cli and
redis-sentinel parsing large multi-bulk replies on some older and less common
platforms [reported by Microsoft Vulnerability Research].
* (CVE-2021-32687) Integer to heap buffer overflow with intsets, when
set-max-intset-entries is manually configured to a non-default, very large
value [reported by Pawel Wieczorkiewicz, AWS].
* (CVE-2021-32675) Denial Of Service when processing RESP request payloads with
a large number of elements on many connections.
* (CVE-2021-32672) Random heap reading issue with Lua Debugger [reported by
Meir Shpilraien].
* (CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded
data types, when configuring a large, non-default value for
hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries
or zset-max-ziplist-value [reported by sundb].
* (CVE-2021-32627) Integer to heap buffer overflow issue with streams, when
configuring a non-default, large value for proto-max-bulk-len and
client-query-buffer-limit [reported by sundb].
* (CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer
overflow [reported by Meir Shpilraien].
Bug fixes that involve behavior changes:
* GEO* STORE with empty source key deletes the destination key and return 0
Previously it would have returned an empty array like the non-STORE variant.
* PUBSUB NUMPAT replies with number of patterns rather than number of subscriptions
This actually changed in 6.2.0 but was overlooked and omitted from the release notes.
Bug fixes that are only applicable to previous releases of Redis 6.2:
* Fix CLIENT PAUSE, used an old timeout from previous PAUSE
* Fix CLIENT PAUSE in a replica would mess the replication offset
* Add some missing error statistics in INFO errorstats
Other bug fixes:
* Fix incorrect reply of COMMAND command key positions for MIGRATE command
* Fix appendfsync to always guarantee fsync before reply, on MacOS and FreeBSD (kqueue)
* Fix the wrong mis-detection of sync_file_range system call, affecting performance
CLI tools:
* When redis-cli received ASK response, it didn't handle it
Improvements:
* Add latency monitor sample when key is deleted via lazy expire
* Sanitize corrupt payload improvements
* Delete empty keys when loading RDB file or handling a RESTORE command
2021-07-22 11:56:55 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
redis: updated to 6.2.5
Redis 6.2.5
==========
Upgrade urgency: SECURITY, contains fixes to security issues that affect
authenticated client connections on 32-bit versions. MODERATE otherwise.
Fix integer overflow in BITFIELD on 32-bit versions (CVE-2021-32761).
An integer overflow bug in Redis version 2.2 or newer can be exploited using the
BITFIELD command to corrupt the heap and potentially result with remote code
execution.
Bug fixes that involve behavior changes:
* Change reply type for ZPOPMAX/MIN with count in RESP3 to nested array.
Was using a flat array like in RESP2 instead of a nested array like ZRANGE does.
* Fix reply type for HRANDFIELD and ZRANDMEMBER when key is missing.
Was using a null array instead of an empty array.
* Fix reply type for ZRANGESTORE when source key is missing.
Was using an empty array like ZRANGE instead of 0 (used in the STORE variant).
Bug fixes that are only applicable to previous releases of Redis 6.2:
* ZRANDMEMBER WITHSCORES with negative COUNT may return bad score
* Fix crash after CLIENT UNPAUSE when threaded I/O config is enabled
* Fix XTRIM or XADD with LIMIT may delete more entries than the limit
* Fix build issue with OpenSSL 1.1.0
Other bug fixes:
* Fail EXEC command in case a watched key is expired
* Fix SMOVE not to invalidate dest key (WATCH and tracking) when member already exists
* Fix SINTERSTORE not to delete dest key when getting a wrong type error
* Fix overflows on 32-bit versions in GETBIT, SETBIT, BITCOUNT, BITPOS, and BITFIELD
* Improve MEMORY USAGE on stream keys
* Set TCP keepalive on inbound cluster bus connections
* Fix diskless replica loading to recover from RDB short read on module AUX data
* Fix race in client side tracking
* Fix ziplist length updates on big-endian platforms
CLI tools:
* redis-cli cluster import command may issue wrong MIGRATE command, sending COPY instead of REPLACE
* redis-cli --rdb fixes when using "-" to write to stdout
* redis-cli support for RESP3 set type in CSV and RAW output
Modules:
* Module API for getting current command name
* Fix RM_StringTruncate when newlen is 0
* Fix CLIENT UNBLOCK crashing modules without timeout callback
2021-06-02 12:25:03 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
redis: updated to 6.2.4
Redis 6.2.4
===========
Upgrade urgency: SECURITY, Contains fixes to security issues that affect
authenticated client connections. MODERATE otherwise.
Fix integer overflow in STRALGO LCS (CVE-2021-32625)
An integer overflow bug in Redis version 6.0 or newer can be exploited using the
STRALGO LCS command to corrupt the heap and potentially result with remote code
execution. This is a result of an incomplete fix by CVE-2021-29477.
Bug fixes that are only applicable to previous releases of Redis 6.2:
* Fix crash after a diskless replication fork child is terminated
* Fix redis-benchmark crash on unsupported configs
Other bug fixes:
* Fix crash in UNLINK on a stream key with deleted consumer groups
* SINTERSTORE: Add missing keyspace del event when none of the sources exist
* Sentinel: Fix CONFIG SET of empty string sentinel-user/sentinel-pass configs
* Enforce client output buffer soft limit when no traffic
Improvements:
* Hide AUTH passwords in MIGRATE command from slowlog
2021-05-04 08:19:44 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
redis: updated to 6.2.3
================================================================================
Redis 6.2.3 Released Mon May 3 19:00:00 IST 2021
================================================================================
Upgrade urgency: SECURITY, Contains fixes to security issues that affect
authenticated client connections. LOW otherwise.
Integer overflow in STRALGO LCS command (CVE-2021-29477):
An integer overflow bug in Redis version 6.0 or newer could be exploited using
the STRALGO LCS command to corrupt the heap and potentially result in remote
code execution. The integer overflow bug exists in all versions of Redis
starting with 6.0.
Integer overflow in COPY command for large intsets (CVE-2021-29478):
An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
potentially result with remote code execution. The vulnerability involves
changing the default set-max-intset-entries configuration value, creating a
large set key that consists of integer values and using the COPY command to
duplicate it. The integer overflow bug exists in all versions of Redis starting
with 2.6, where it could result with a corrupted RDB or DUMP payload, but not
exploited through COPY (which did not exist before 6.2).
Bug fixes that are only applicable to previous releases of Redis 6.2:
* Fix memory leak in moduleDefragGlobals
* Fix memory leak when doing lazy freeing client tracking table
* Block abusive replicas from sending command that could assert and crash redis
Other bug fixes:
* Use a monotonic clock to check for Lua script timeout
* redis-cli: Do not use unix socket when we got redirected in cluster mode
Modules:
* Fix RM_GetClusterNodeInfo() to correctly populate master id
2021-04-22 17:46:53 by Adam Ciarcinski | Files touched by this commit (2)
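The 6.2.6 advisories (CVE-2021-41099, CVE-2021-32687, CVE-2021-32628, CVE-2021-32627) and the 6.2.3 note on CVE-2021-29478 share one precondition: a size or entry-count directive raised well above its default (proto-max-bulk-len, client-query-buffer-limit, set-max-intset-entries, hash-max-ziplist-*, zset-max-ziplist-*). The script below is an added example, not part of the pkgsrc commit log or of Redis itself; it parses a redis.conf and reports which of those directives a deployment has raised above the Redis 6.2 defaults, so an operator can tell whether that precondition applies while the package upgrade is pending. The sample configuration is constructed, the names parse_size, parse_conf and audit are chosen here, and the defaults table is assumed from the redis.conf shipped with Redis 6.2 (the page itself does not list them).

```python
import re

# Redis size suffixes, following its memtoll() rules: k/m/g are decimal,
# kb/mb/gb are binary, and the suffix is case-insensitive.
_UNITS = {
    "": 1, "b": 1,
    "k": 1000, "kb": 1024,
    "m": 1000 ** 2, "mb": 1024 ** 2,
    "g": 1000 ** 3, "gb": 1024 ** 3,
}

# Assumed Redis 6.2 defaults for the directives named in the advisories.
# A plain count such as 512 parses with an empty suffix, so one parser
# serves both the byte-sized and the entry-count directives.
DEFAULTS = {
    "proto-max-bulk-len": 512 * 1024 ** 2,
    "client-query-buffer-limit": 1024 ** 3,
    "set-max-intset-entries": 512,
    "hash-max-ziplist-entries": 512,
    "hash-max-ziplist-value": 64,
    "zset-max-ziplist-entries": 128,
    "zset-max-ziplist-value": 64,
}


def parse_size(text):
    """Convert a Redis size literal ('512mb', '1k', '64') to an integer."""
    m = re.fullmatch(r"(\d+)([a-z]*)", text.strip().lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"not a Redis size literal: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_conf(text):
    """Map each active directive to its last value; comments and blank lines are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            # Directive names are case-insensitive; a repeated directive
            # takes its last value, as it does in redis.conf itself.
            values[parts[0].lower()] = parts[1].strip()
    return values


def audit(conf_text):
    """Return (directive, configured, default) for each directive raised above its default."""
    conf = parse_conf(conf_text)
    findings = []
    for name, default in DEFAULTS.items():
        if name in conf:
            value = parse_size(conf[name])
            if value > default:
                findings.append((name, value, default))
    return findings


# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = """\
bind 127.0.0.1
port 6379
proto-max-bulk-len 4gb
client-query-buffer-limit 1gb
set-max-intset-entries 1000000
hash-max-ziplist-entries 512
# zset-max-ziplist-value 4096   commented out, so it must be ignored
"""

if __name__ == "__main__":
    for name, value, default in audit(SAMPLE_CONF):
        print(f"{name}: configured {value}, default {default} ({value / default:.0f}x)")
```

To audit a live host, replace SAMPLE_CONF with the contents of its redis.conf (or the output of CONFIG GET reshaped into `name value` lines). A reported directive is not a vulnerability on its own; it is the configuration the advisory texts describe as the precondition, which is what decides how urgently the 6.2.6 upgrade applies to that host.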
Log message:
redis: updated to 6.2.2
Redis 6.2.2
===========
Upgrade urgency: HIGH, if you're using ACL and pub/sub, CONFIG REWRITE, or
suffering from performance regression. See below.
Bug fixes for regressions in previous releases of Redis 6.2:
* Fix BGSAVE, AOFRW, and replication slowdown due to child reporting CoW
* Fix short busy loop when timer event is about to fire
* Fix default user, overwritten and reset users losing pubsub channel permissions
* Fix config rewrite with an empty `save` config resulting in default `save` values
* Fix not starting on alpine/libmusl without IPv6
* Fix issues with propagation and MULTI/EXEC in modules
Several issues around nested calls and thread safe contexts
Bug fixes that are only applicable to previous releases of Redis 6.2:
* ACL Pub/Sub channels permission handling for save/load scenario
* Fix early rejection of PUBLISH inside MULTI-EXEC transaction
* Fix missing SLOWLOG records for blocked commands
* Allow RESET command during busy scripts
* Fix some error replies were not counted on stats
Bug fixes:
* Add a timeout mechanism for replicas stuck in fullsync
* Process HELLO command even if the default user has no permissions
* Client issuing a long running script and using a pipeline, got disconnected
* Fix script kill to work also on scripts that use `pcall`
* Fix list-compress-depth may compress more node than required
* Fix redis-cli handling of rediss:// URL scheme
* Cluster: Skip unnecessary check which may prevent failure detection
* Cluster: Fix hang manual failover when replica just started
* Sentinel: Fix info-refresh time field before sentinel get first response
* Sentinel: Fix possible crash on failed connection attempt
* Systemd: Send the readiness notification when a replica is ready to accept connections
Command behavior changes:
* ZADD: fix wrong reply when INCR used with GT/LT which blocked the update
It was responding with the incremented value rather than nil
* XAUTOCLAIM: fix response to return the next available id as the cursor
Previous behavior was returning the last one which was already scanned
* XAUTOCLAIM: fix JUSTID to prevent incrementing delivery_count
New config options:
* Add cluster-allow-replica-migration config option
* Add replica-announced config option
* Add support for plaintext clients in TLS cluster
* Add support for reading encrypted keyfiles
Improvements:
* Fix performance regression in BRPOP on Redis 6.0
* Avoid adding slowlog entries for config with sensitive data
* Improve redis-cli non-binary safe string handling
* Optimize CLUSTER SLOTS reply
* Handle remaining fsync errors
Info fields and introspection changes:
* Strip % sign from current_fork_perc info field
* Fix RSS memory info on FreeBSD
* Fix client_recent_max_input/output_buffer in 'INFO CLIENTS' when all clients drop
* Fix invalid master_link_down_since_seconds in info replication
Platform and deployment-related changes:
* Fix FreeBSD <12.x builds
Modules:
* Add macros for RedisModule_log logging levels
* Add RedisModule_GetAbsExpire / RedisModule_SetAbsExpire
* Add a module type for key space notification
* Set module eviction context flag only in masters
* Fix unusable RedisModule_IsAOFClient API
* Fix missing EXEC on modules propagation after failed EVAL execution
* Fix edge-case when a module client is unblocked
2021-04-01 13:44:53 by Jonathan Perkin | Files touched by this commit (1)
Log message:
redis: Fix config file permissions.
The previous change for CVE-2016-2121 installed a configuration file that could
not be read by the default redis user. Bump PKGREVISION.
2021-03-02 12:56:54 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
redis: updated to 6.2.1
Redis 6.2.1
Upgrade urgency: LOW.
Bug fixes:
* Fix sanitize-dump-payload for stream with deleted records
* Prevent client-query-buffer-limit config from being set to lower than 1mb
Improvements:
* Make port, tls-port and bind config options modifiable at runtime
Platform and deployment-related changes:
* Fix compilation error on non-glibc systems if jemalloc is not used
* Improved memory consumption and memory usage tracking on FreeBSD
* Fix compilation on ARM64 MacOS with jemalloc
Modules:
* New Module API for getting user name of a client
* Optimize RM_Call by utilizing a shared reusable client
* Fix crash running CLIENT INFO via RM_Call