Path to this page:
Subject: CVS commit: [pkgsrc-2022Q3] pkgsrc/databases/redis
From: S.P.Zeidler
Date: 2022-11-26 18:28:11
Message id: 20221126172811.B4DFDFA90@cvs.NetBSD.org
Log Message:
Pullup ticket #6705 - requested by bsiegert
databases/redis: security update
Revisions pulled up:
- databases/redis/Makefile 1.74
- databases/redis/distinfo 1.67
- databases/redis/patches/patch-src_Makefile 1.6
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: adam
Date: Tue Nov 22 19:11:11 UTC 2022
Modified Files:
pkgsrc/databases/redis: Makefile distinfo
pkgsrc/databases/redis/patches: patch-src_Makefile
Log Message:
redis: updated to 7.0.5
Redis 7.0.5 Released Wed Sep 21 20:00:00 IST 2022
========================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2022-35951) Executing a XAUTOCLAIM command on a stream key in a specific
state, with a specially crafted COUNT argument, may cause an integer overflow,
a subsequent heap overflow, and potentially lead to remote code execution.
The problem affects Redis versions 7.0.0 or newer
[reported by Xion (SeungHyun Lee) of KAIST GoN].
Module API changes
=========
* Fix RM_Call execution of scripts when used with M/W/S flags to properly
handle script flags
* Fix RM_SetAbsExpire and RM_GetAbsExpire API registration
Bug Fixes
====
* Fix a hang when eviction is combined with lazy-free and
maxmemory-eviction-tenacity is set to 100
* Fix a crash when a replica may attempt to set itself as its master
as a result of a manual failover
* Fix a bug where a cluster-enabled replica node may permanently set
its master's hostname to '?'
* Fix a crash when a Lua script returns a meta-table
Fixes for issues in previous releases of Redis 7.0
--------------------------------------------------
* Fix redis-cli to do DNS lookup before sending CLUSTER MEET
* Fix crash when a key is lazy expired during cluster key migration
* Fix AOF rewrite to fsync the old AOF file when a new one is created
* Fix some crashes involving a list containing entries larger than 1GB
* Correctly handle scripts with a non-read-only shebang on a cluster replica
* Fix memory leak when unloading a module
* Fix bug with scripts ignoring client tracking NOLOOP
* Fix client-side tracking breaking protocol when FLUSHDB / FLUSHALL /
SWAPDB is used inside MULTI-EXEC
* Fix ACL: BITFIELD with GET and also SET / INCRBY can be executed
with read-only key permission
* Fix missing sections for INFO ALL when also requesting a module info section
========================================
Redis 7.0.4 Released Monday Jul 18 12:00:00 IST 2022
========================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream
key in a specific state may result with heap overflow, and potentially
remote code execution. The problem affects Redis versions 7.0.0 or newer.
========================================
Redis 7.0.3 Released Monday Jul 11 12:00:00 IST 2022
========================================
Upgrade urgency: MODERATE, specifically if you're using a previous release of
Redis 7.0, contains fixes for bugs in previous 7.0 releases.
Performance and resource utilization improvements
========================
* Optimize zset conversion on large ZRANGESTORE
* Optimize the performance of sending PING on large clusters
* Allow for faster restart of Redis in cluster mode
INFO fields and introspection changes
==================
* Add missing sharded pubsub keychannel count to CLIENT LIST
* Add missing pubsubshard_channels field in INFO STATS
Module API changes
=========
* Add RM_StringToULongLong and RM_CreateStringFromULongLong
* Add RM_SetClientNameById and RM_GetClientNameById
Changes in CLI tools
==========
* Add missing cluster-port support to redis-cli --cluster
Other General Improvements
=============
* Account sharded pubsub channels memory consumption
* Allow ECHO in loading and stale modes
* Cluster: Throw -TRYAGAIN instead of -ASK on migrating nodes for multi-key
commands when the node only has some of the keys
Bug Fixes
====
* TLS: Notify clients on connection shutdown
* Fsync directory while persisting AOF manifest, RDB file, and config file
* Script that made modification will not break with unexpected NOREPLICAS error
* Cluster: Fix a bug where nodes may not acknowledge a CLUSTER FAILOVER TAKEOVER
after a replica reboots
* Cluster: Fix crash during handshake and cluster shards call
Fixes for issues in previous releases of Redis 7.0
--------------------------------------------------
* TLS: Fix issues with large replies
* Correctly report the startup warning for vm.overcommit_memory
* redis-server command line allow passing config name and value in the
same argument
* Support --save command line argument with no value for backwards compatibility
* Fix CLUSTER RESET command regression requiring an argument
========================================
Redis 7.0.2 Released Sunday Jun 12 12:00:00 IST 2022
========================================
Upgrade urgency: MODERATE, specifically if you're using a previous release of
Redis 7.0, contains fixes for bugs in previous 7.0 releases.
Bug Fixes
====
* Fixed SET and BITFIELD commands being wrongly marked movablekeys
Regression in 7.0 possibly resulting in excessive roundtrip from
cluster clients.
* Fix crash when /proc/sys/vm/overcommit_memory is inaccessible
Regression in 7.0.1 resulting in crash on startup on some configurations.
========================================
Redis 7.0.1 Released Wed Jun 8 12:00:00 IST 2022
========================================
Upgrade urgency: MODERATE, specifically if you're using a previous release of
Redis 7.0, contains some behavior changes for new 7.0 features and important
fixes for bugs in previous 7.0 releases.
Improvements
======
* Add warning for suspected slow system clocksource setting
Add --check-system command line option.
* Allow read-only scripts (*_RO commands, and ones with `no-writes` flag)
during CLIENT PAUSE WRITE
* Add `readonly` flag in COMMAND command for EVAL_RO, EVALSHA_RO and FCALL_RO
* redis-server command line arguments now accept one string with spaces
for multi-arg configs
Potentially Breaking Changes
==============
* Omitting a config option value in command line argument no longer works
* Hide the `may_replicate` flag from the COMMAND command response
Potentially Breaking Changes for new Redis 7.0 features
-------------------------------------------------------
* Protocol: Sharded pubsub publish emits `smessage` instead of `message`
* CLUSTER SHARDS returns slots as RESP integers, not strings
* Block PFCOUNT and PUBLISH in read-only scripts (*_RO commands, and no-writes)
* Scripts that declare the `no-writes` flag are implicitly `allow-oom` too
Changes in CLI tools
==========
* redis-cli --bigkeys, --memkeys, --hotkeys, --scan. Finish nicely after Ctrl+C
Platform / toolchain support related improvements
========================
* Support tcp-keepalive config interval on MacOs
* Support RSS metrics on Haiku OS
INFO fields and introspection changes
==================
* Add isolated network metrics for replication.
Module API changes
=========
* Add two more new checks to RM_Call script mode
* Add new RM_Call flag to let Redis automatically refuse `deny-oom` commands
* Add module API RM_MallocUsableSize
* Add missing REDISMODULE_NOTIFY_NEW
* Fix cursor type in RedisModuleScanCursor to handle more than 2^31 elements
* Fix RM_Yield bugs and RM_Call("EVAL") OOM check bug
* Fix bugs in enum configs with overlapping bit flags
Bug Fixes
====
* FLUSHALL correctly resets rdb_changes_since_last_save INFO field
* FLUSHDB is now propagated to replicas / AOF, even if the db is empty
* Replica fail and retry the PSYNC if the master is unresponsive
* Fix ZRANGESTORE crash when zset_max_listpack_entries is 0
Fixes for issues in previous releases of Redis 7.0
--------------------------------------------------
* CONFIG REWRITE could cause a config change to be dropped for aliased configs
* CONFIG REWRITE would omit rename-command and include lines
NOTE: Affected users who used Redis 7.0.0 to rewrite their configuration file
should review and fix the file.
* Fix broken protocol after MISCONF (persistence) error
* Fix --save command line regression
* Fix possible regression around TLS config changes. re-load files even if the
file name didn't change.
* Re-add SENTINEL SLAVES command, missing in redis 7.0
* BZMPOP gets unblocked by non-key args and returns them
* Fix possible memory leak in XADD and XTRIM
========================================
Redis 7.0.0 GA Released Wed Apr 27 12:00:00 IST 2022
========================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script
can cause NULL pointer dereference which will result with a crash of the
redis-server process. This issue affects all versions of Redis.
[reported by Aviv Yahav].
* (CVE-2022-24735) By exploiting weaknesses in the Lua script execution
environment, an attacker with access to Redis can inject Lua code that will
execute with the (potentially higher) privileges of another Redis user.
[reported by Aviv Yahav].
New Features
======
* Keyspace event for new keys
Command replies that have been extended
---------------------------------------
* COMMAND DOCS shows deprecated_since field in command args
* COMMAND DOCS shows module name where applicable
Potentially Breaking Changes
==============
* Replicas panic when they fail writing persistence
* Prevent cross slot operations in functions and scripts with shebang
* Rephrased some error responses about invalid commands or args
* Lua scripts do not have access to the print() function
Performance and resource utilization improvements
========================
* Speed optimization in streams
* Speed optimization in command execution pipeline
* Speed optimization in listpack encoded sorted
* Speed optimization in latency tracking at INFO (relevant for 7.0 RCs)
* Speed optimization when there are many replicas (relevant for 7.0 RCs)
New configuration options
============
* Allow ignoring disk persistence errors on replicas
* Allow abort with panic when replica fails to execute a command sent
by the master
* Allow configuring shutdown flags of SIGTERM and SIGINT
* Allow attaching an operating system-specific identifier to Redis sockets
Module API changes
=========
* Add argument specifying ACL reason for module log entry
Breaking API compatibility with 7.0 RCs
* Add the deprecated_since field in command args of COMMAND DOCS
Breaking API/ABI compatibility with 7.0 RCs
* Add module API flag for using enum configs as bit flags
* Add RM_PublishMessageShard
* Add RM_MallocSizeString, RM_MallocSizeDict
* Add RM_TryAlloc
Bug Fixes
====
* Replica report disk persistence errors in PING
* Fixes around rejecting commands on replicas and AOF when they must
be respected
* Durability fixes for appendfsync=always policy
Fixes for issues in previous release candidates of Redis 7.0
------------------------------------------------------------
* Fix possible crash on CONFIG REWRITE
* Fix regression not aborting transaction on errors
* Fix auto-aof-rewrite-percentage based AOFRW trigger after restart
* Fix bugs when AOF enabled after startup, in case of failure before
the first rewrite completes
* Fix RM_Yield module API bug processing future commands of the current client
To generate a diff of this commit:
cvs rdiff -u -r1.73 -r1.74 pkgsrc/databases/redis/Makefile
cvs rdiff -u -r1.66 -r1.67 pkgsrc/databases/redis/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/databases/redis/patches/patch-src_Makefile
Files: