UNCLASSIFIED - NO CUI

Skip to content

Update dependency redis/redis to v6.2.6

renovate requested to merge renovate/redis-redis-6.2.x into development

This MR contains the following updates:

Package Type Update Change
redis/redis ironbank-github patch 6.2.5 -> 6.2.6
redis/redis patch 6.2.5 -> 6.2.6

Release Notes

redis/redis

v6.2.6

Compare Source

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2021-41099) Integer to heap buffer overflow handling certain string commands and network payloads, when proto-max-bulk-len is manually configured to a non-default, very large value [reported by yiyuaner].
  • (CVE-2021-32762) Integer to heap buffer overflow issue in redis-cli and redis-sentinel parsing large multi-bulk replies on some older and less common platforms [reported by Microsoft Vulnerability Research].
  • (CVE-2021-32687) Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value [reported by Pawel Wieczorkiewicz, AWS].
  • (CVE-2021-32675) Denial Of Service when processing RESP request payloads with a large number of elements on many connections.
  • (CVE-2021-32672) Random heap reading issue with Lua Debugger [reported by Meir Shpilraien].
  • (CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded data types, when configuring a large, non-default value for hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value [reported by sundb].
  • (CVE-2021-32627) Integer to heap buffer overflow issue with streams, when configuring a non-default, large value for proto-max-bulk-len and client-query-buffer-limit [reported by sundb].
  • (CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer overflow [reported by Meir Shpilraien].

Bug fixes that involve behavior changes:

  • GEO* STORE with empty source key deletes the destination key and return 0 (#​9271) Previously it would have returned an empty array like the non-STORE variant.
  • PUBSUB NUMPAT replies with number of patterns rather than number of subscriptions (#​9209) This actually changed in 6.2.0 but was overlooked and omitted from the release notes.

Bug fixes that are only applicable to previous releases of Redis 6.2:

  • Fix CLIENT PAUSE, used an old timeout from previous PAUSE (#​9477)
  • Fix CLIENT PAUSE in a replica would mess the replication offset (#​9448)
  • Add some missing error statistics in INFO errorstats (#​9328)

Other bug fixes:

  • Fix incorrect reply of COMMAND command key positions for MIGRATE command (#​9455)
  • Fix appendfsync to always guarantee fsync before reply, on MacOS and FreeBSD (kqueue) (#​9416)
  • Fix the wrong mis-detection of sync_file_range system call, affecting performance (#​9371)

CLI tools:

  • When redis-cli received ASK response, it didn't handle it (#​8930)

Improvements:

  • Add latency monitor sample when key is deleted via lazy expire (#​9317)
  • Sanitize corrupt payload improvements (#​9321, #​9399)
  • Delete empty keys when loading RDB file or handling a RESTORE command (#​9297, #​9349)

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled due to failing status checks.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about these updates again.

  • If you want to rebase/retry this MR, check this box.

This MR has been generated by Renovate Bot.

Edited by renovate

Merge request reports

UNCLASSIFIED - NO CUI