Subject: CVS commit: [pkgsrc-2022Q3] pkgsrc/databases/redis
From: S.P.Zeidler
Date: 2022-11-26 18:28:11
Message id: 20221126172811.B4DFDFA90@cvs.NetBSD.org

Log Message:
Pullup ticket #6705 - requested by bsiegert
databases/redis: security update

Revisions pulled up:
- databases/redis/Makefile                                      1.74
- databases/redis/distinfo                                      1.67
- databases/redis/patches/patch-src_Makefile                    1.6

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Tue Nov 22 19:11:11 UTC 2022

   Modified Files:
           pkgsrc/databases/redis: Makefile distinfo
           pkgsrc/databases/redis/patches: patch-src_Makefile

   Log Message:
   redis: updated to 7.0.5

   Redis 7.0.5 Released Wed Sep 21 20:00:00 IST 2022
   ========================================

   Upgrade urgency: SECURITY, contains fixes to security issues.

   Security Fixes:
   * (CVE-2022-35951) Executing a XAUTOCLAIM command on a stream key in a specific
     state, with a specially crafted COUNT argument, may cause an integer overflow,
     a subsequent heap overflow, and potentially lead to remote code execution.
     The problem affects Redis versions 7.0.0 or newer
     [reported by Xion (SeungHyun Lee) of KAIST GoN].

   Module API changes
   =========

   * Fix RM_Call execution of scripts when used with M/W/S flags to properly
     handle script flags
   * Fix RM_SetAbsExpire and RM_GetAbsExpire API registration

   Bug Fixes
   ====
   * Fix a hang when eviction is combined with lazy-free and
     maxmemory-eviction-tenacity is set to 100
   * Fix a crash when a replica may attempt to set itself as its master
     as a result of a manual failover
   * Fix a bug where a cluster-enabled replica node may permanently set
     its master's hostname to '?'
   * Fix a crash when a Lua script returns a meta-table

   Fixes for issues in previous releases of Redis 7.0
   --------------------------------------------------

   * Fix redis-cli to do DNS lookup before sending CLUSTER MEET
   * Fix crash when a key is lazy expired during cluster key migration
   * Fix AOF rewrite to fsync the old AOF file when a new one is created
   * Fix some crashes involving a list containing entries larger than 1GB
   * Correctly handle scripts with a non-read-only shebang on a cluster replica
   * Fix memory leak when unloading a module
   * Fix bug with scripts ignoring client tracking NOLOOP
   * Fix client-side tracking breaking protocol when FLUSHDB / FLUSHALL /
     SWAPDB is used inside MULTI-EXEC
   * Fix ACL: BITFIELD with GET and also SET / INCRBY can be executed
     with read-only key permission
   * Fix missing sections for INFO ALL when also requesting a module info section

   ========================================
   Redis 7.0.4 Released Monday Jul 18 12:00:00 IST 2022
   ========================================

   Upgrade urgency: SECURITY, contains fixes to security issues.

   Security Fixes:
   * (CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream
     key in a specific state may result in a heap overflow, and potentially
     remote code execution. The problem affects Redis versions 7.0.0 or newer.

   ========================================
   Redis 7.0.3 Released Monday Jul 11 12:00:00 IST 2022
   ========================================

   Upgrade urgency: MODERATE, specifically if you're using a previous release of
   Redis 7.0, contains fixes for bugs in previous 7.0 releases.

   Performance and resource utilization improvements
   ========================
   * Optimize zset conversion on large ZRANGESTORE
   * Optimize the performance of sending PING on large clusters
   * Allow for faster restart of Redis in cluster mode

   INFO fields and introspection changes
   ==================
   * Add missing sharded pubsub keychannel count to CLIENT LIST
   * Add missing pubsubshard_channels field in INFO STATS

   Module API changes
   =========

   * Add RM_StringToULongLong and RM_CreateStringFromULongLong
   * Add RM_SetClientNameById and RM_GetClientNameById

   Changes in CLI tools
   ==========

   * Add missing cluster-port support to redis-cli --cluster

   Other General Improvements
   =============

   * Account sharded pubsub channels memory consumption
   * Allow ECHO in loading and stale modes
   * Cluster: Throw -TRYAGAIN instead of -ASK on migrating nodes for multi-key
     commands when the node only has some of the keys

   Bug Fixes
   ====
   * TLS: Notify clients on connection shutdown
   * Fsync directory while persisting AOF manifest, RDB file, and config file
   * Script that made modification will not break with unexpected NOREPLICAS error
   * Cluster: Fix a bug where nodes may not acknowledge a CLUSTER FAILOVER TAKEOVER
     after a replica reboots
   * Cluster: Fix crash during handshake and cluster shards call

   Fixes for issues in previous releases of Redis 7.0
   --------------------------------------------------

   * TLS: Fix issues with large replies
   * Correctly report the startup warning for vm.overcommit_memory
   * redis-server command line allow passing config name and value in the
     same argument
   * Support --save command line argument with no value for backwards compatibility
   * Fix CLUSTER RESET command regression requiring an argument

   ========================================
   Redis 7.0.2 Released Sunday Jun 12 12:00:00 IST 2022
   ========================================

   Upgrade urgency: MODERATE, specifically if you're using a previous release of
   Redis 7.0, contains fixes for bugs in previous 7.0 releases.

   Bug Fixes
   ====
   * Fixed SET and BITFIELD commands being wrongly marked movablekeys
     Regression in 7.0 possibly resulting in excessive roundtrip from
     cluster clients.
   * Fix crash when /proc/sys/vm/overcommit_memory is inaccessible
     Regression in 7.0.1 resulting in crash on startup on some configurations.

   ========================================
   Redis 7.0.1 Released Wed Jun 8 12:00:00 IST 2022
   ========================================

   Upgrade urgency: MODERATE, specifically if you're using a previous release of
   Redis 7.0, contains some behavior changes for new 7.0 features and important
   fixes for bugs in previous 7.0 releases.

   Improvements
   ======

   * Add warning for suspected slow system clocksource setting
     Add --check-system command line option.
   * Allow read-only scripts (*_RO commands, and ones with `no-writes` flag)
     during CLIENT PAUSE WRITE
   * Add `readonly` flag in COMMAND command for EVAL_RO, EVALSHA_RO and FCALL_RO
   * redis-server command line arguments now accept one string with spaces
     for multi-arg configs

   Potentially Breaking Changes
   ==============

   * Omitting a config option value in command line argument no longer works
   * Hide the `may_replicate` flag from the COMMAND command response

   Potentially Breaking Changes for new Redis 7.0 features
   -------------------------------------------------------

   * Protocol: Sharded pubsub publish emits `smessage` instead of `message`
   * CLUSTER SHARDS returns slots as RESP integers, not strings
   * Block PFCOUNT and PUBLISH in read-only scripts (*_RO commands, and no-writes)
   * Scripts that declare the `no-writes` flag are implicitly `allow-oom` too

   Changes in CLI tools
   ==========

   * redis-cli --bigkeys, --memkeys, --hotkeys, --scan. Finish nicely after Ctrl+C

   Platform / toolchain support related improvements
   ========================
   * Support tcp-keepalive config interval on MacOs
   * Support RSS metrics on Haiku OS

   INFO fields and introspection changes
   ==================
   * Add isolated network metrics for replication.

   Module API changes
   =========

   * Add two more new checks to RM_Call script mode
   * Add new RM_Call flag to let Redis automatically refuse `deny-oom` commands
   * Add module API RM_MallocUsableSize
   * Add missing REDISMODULE_NOTIFY_NEW
   * Fix cursor type in RedisModuleScanCursor to handle more than 2^31 elements
   * Fix RM_Yield bugs and RM_Call("EVAL") OOM check bug
   * Fix bugs in enum configs with overlapping bit flags

   Bug Fixes
   ====
   * FLUSHALL correctly resets rdb_changes_since_last_save INFO field
   * FLUSHDB is now propagated to replicas / AOF, even if the db is empty
   * Replica fail and retry the PSYNC if the master is unresponsive
   * Fix ZRANGESTORE crash when zset_max_listpack_entries is 0

   Fixes for issues in previous releases of Redis 7.0
   --------------------------------------------------

   * CONFIG REWRITE could cause a config change to be dropped for aliased configs
   * CONFIG REWRITE would omit rename-command and include lines
     NOTE: Affected users who used Redis 7.0.0 to rewrite their configuration file
     should review and fix the file.
   * Fix broken protocol after MISCONF (persistence) error
   * Fix --save command line regression
   * Fix possible regression around TLS config changes. re-load files even if the
     file name didn't change.
   * Re-add SENTINEL SLAVES command, missing in redis 7.0
   * BZMPOP gets unblocked by non-key args and returns them
   * Fix possible memory leak in XADD and XTRIM

   ========================================
   Redis 7.0.0 GA  Released Wed Apr 27 12:00:00 IST 2022
   ========================================

   Upgrade urgency: SECURITY, contains fixes to security issues.

   Security Fixes:
   * (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script
     can cause a NULL pointer dereference which will result in a crash of the
     redis-server process. This issue affects all versions of Redis.
     [reported by Aviv Yahav].
   * (CVE-2022-24735) By exploiting weaknesses in the Lua script execution
     environment, an attacker with access to Redis can inject Lua code that will
     execute with the (potentially higher) privileges of another Redis user.
     [reported by Aviv Yahav].

   New Features
   ======

   * Keyspace event for new keys

   Command replies that have been extended
   ---------------------------------------

   * COMMAND DOCS shows deprecated_since field in command args
   * COMMAND DOCS shows module name where applicable

   Potentially Breaking Changes
   ==============

   * Replicas panic when they fail writing persistence
   * Prevent cross slot operations in functions and scripts with shebang
   * Rephrased some error responses about invalid commands or args
   * Lua scripts do not have access to the print() function

   Performance and resource utilization improvements
   ========================
   * Speed optimization in streams
   * Speed optimization in command execution pipeline
   * Speed optimization in listpack encoded sorted
   * Speed optimization in latency tracking at INFO (relevant for 7.0 RCs)
   * Speed optimization when there are many replicas (relevant for 7.0 RCs)

   New configuration options
   ============
   * Allow ignoring disk persistence errors on replicas
   * Allow abort with panic when replica fails to execute a command sent
     by the master
   * Allow configuring shutdown flags of SIGTERM and SIGINT
   * Allow attaching an operating system-specific identifier to Redis sockets

   Module API changes
   =========

   * Add argument specifying ACL reason for module log entry
     Breaking API compatibility with 7.0 RCs
   * Add the deprecated_since field in command args of COMMAND DOCS
     Breaking API/ABI compatibility with 7.0 RCs
   * Add module API flag for using enum configs as bit flags
   * Add RM_PublishMessageShard
   * Add RM_MallocSizeString, RM_MallocSizeDict
   * Add RM_TryAlloc

   Bug Fixes
   ====
   * Replica report disk persistence errors in PING
   * Fixes around rejecting commands on replicas and AOF when they must
     be respected
   * Durability fixes for appendfsync=always policy

   Fixes for issues in previous release candidates of Redis 7.0
   ------------------------------------------------------------

   * Fix possible crash on CONFIG REWRITE
   * Fix regression not aborting transaction on errors
   * Fix auto-aof-rewrite-percentage based AOFRW trigger after restart
   * Fix bugs when AOF enabled after startup, in case of failure before
     the first rewrite completes
   * Fix RM_Yield module API bug processing future commands of the current client

   To generate a diff of this commit:
   cvs rdiff -u -r1.73 -r1.74 pkgsrc/databases/redis/Makefile
   cvs rdiff -u -r1.66 -r1.67 pkgsrc/databases/redis/distinfo
   cvs rdiff -u -r1.5 -r1.6 pkgsrc/databases/redis/patches/patch-src_Makefile

Files:
Revision   Action   File
1.73.4.1   modify   pkgsrc/databases/redis/Makefile
1.66.4.1   modify   pkgsrc/databases/redis/distinfo
1.5.8.1    modify   pkgsrc/databases/redis/patches/patch-src_Makefile
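A small triage helper that maps an installed Redis version against the four advisories quoted in the pulled-up log above. This is an added example written for this page, not code from pkgsrc or from the Redis project: the fix points are taken from the release notes above (7.0.4 for CVE-2022-31144, 7.0.5 for CVE-2022-35951, 7.0.0 GA for the two Lua issues), the sample `INFO server` and `pkg_info` strings are constructed, and the function names are the example's own. It deliberately covers only the 7.0 line, because the notes quoted here say nothing about fix points on older branches, and it does not handle 7.0 pre-release builds.

```python
"""Map a Redis version to the CVEs listed in the pkgsrc-2022Q3 redis pullup.

Added example for this page; not pkgsrc or Redis code. Fix points come from
the Redis 7.0.x release notes quoted in the commit log.
"""
import re
from typing import Optional

Version = tuple[int, int, int]

# (CVE, summary, first affected version or None for "all versions",
#  first fixed version). Lower bound inclusive, upper bound exclusive.
ADVISORIES = (
    ("CVE-2022-35951",
     "XAUTOCLAIM crafted COUNT: integer overflow -> heap overflow, possible RCE",
     (7, 0, 0), (7, 0, 5)),
    ("CVE-2022-31144",
     "XAUTOCLAIM on stream key in specific state: heap overflow, possible RCE",
     (7, 0, 0), (7, 0, 4)),
    ("CVE-2022-24736",
     "crafted Lua script: NULL pointer dereference, redis-server crash",
     None, (7, 0, 0)),
    ("CVE-2022-24735",
     "Lua environment weakness: code runs with another Redis user's privileges",
     None, (7, 0, 0)),
)

# `redis-cli INFO server` prints a "redis_version:X.Y.Z" line.
_INFO_RE = re.compile(r"^redis_version:(\d+)\.(\d+)\.(\d+)", re.MULTILINE)
# pkgsrc PKGNAME as printed by `pkg_info -E redis`, e.g. redis-7.0.4nb1
# (the optional "nbN" suffix is the pkgsrc PKGREVISION).
_PKG_RE = re.compile(r"^redis-(\d+)\.(\d+)\.(\d+)(?:nb\d+)?$")


def parse_version(text: str) -> Optional[Version]:
    """Extract X.Y.Z from INFO output or a pkgsrc package name; None if absent."""
    m = _INFO_RE.search(text) or _PKG_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def open_advisories(version: Version) -> Optional[list[str]]:
    """CVEs from ADVISORIES that `version` is still exposed to.

    Returns None for anything outside 7.0.x: the quoted notes give fix points
    only on that line, so older branches are reported as not covered rather
    than guessed at.
    """
    if version[:2] != (7, 0):
        return None
    exposed = []
    for cve, _summary, first_bad, first_fixed in ADVISORIES:
        in_affected_range = first_bad is None or version >= first_bad
        if in_affected_range and version < first_fixed:
            exposed.append(cve)
    return exposed


def triage(text: str) -> dict:
    """One-shot report for a version string from either source."""
    version = parse_version(text)
    if version is None:
        return {"version": None, "status": "unparsed"}
    exposed = open_advisories(version)
    if exposed is None:
        return {"version": version, "status": "not covered"}
    return {"version": version,
            "status": "vulnerable" if exposed else "patched",
            "cves": exposed}


# Constructed sample inputs (not captured from a real host).
SAMPLE_INFO_7_0_4 = "# Server\r\nredis_version:7.0.4\r\nredis_mode:standalone\r\n"
SAMPLE_PKGNAME_7_0_5 = "redis-7.0.5"
SAMPLE_PKGNAME_7_0_2 = "redis-7.0.2nb1"

if __name__ == "__main__":
    for sample in (SAMPLE_INFO_7_0_4, SAMPLE_PKGNAME_7_0_5,
                   SAMPLE_PKGNAME_7_0_2, "redis-6.2.7"):
        print(triage(sample))
```

Feed it both the `redis-cli INFO server` output of the running instance and the package name from `pkg_info -E redis` on the pkgsrc host: comparing the two catches the common case where the package was updated to 7.0.5 but the long-running redis-server process was never restarted and still reports 7.0.4.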