UNCLASSIFIED - NO CUI

Skip to content

Update dependency redis/redis to v7

Ghost User requested to merge renovate/redis-redis-7.x into development

This MR contains the following updates:

Package Type Update Change
redis/redis major 6.2.14-ubi9 -> 7.2.3
redis/redis major 6.2.14 -> 7.2.3
redis/redis ironbank-github major 6.2.14 -> 7.2.3

Release Notes

redis/redis (redis/redis)

v7.2.3

Compare Source

Upgrade urgency: HIGH, Fixes critical bugs affecting most users.

Bug fixes

  • Fix file descriptor leak preventing deleted files from freeing disk space on replicas (#​12693)
  • Fix a possible crash after cluster node removal (#​12702)

v7.2.2

Compare Source

Upgrade urgency SECURITY: See security fixes below.

Security fixes

  • (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup.

Platform / toolchain support related changes

  • Fix compilation error on MacOS 13 (#​12611)

Bug fixes

  • WAITAOF could timeout in the absence of write traffic in case a new AOF is created and an AOF rewrite can't immediately start (#​12620)

Redis cluster

  • Fix crash when running rebalance command in a mixed cluster of 7.0 and 7.2 nodes (#​12604)
  • Fix the return type of the slot number in cluster shards to integer, which makes it consistent with past behavior (#​12561)
  • Fix CLUSTER commands are called from modules or scripts to return TLS info appropriately (#​12569)

Changes in CLI tools

  • redis-cli, fix crash on reconnect when in SUBSCRIBE mode (#​12571)

Module API changes

  • Fix overflow calculation for next timer event (#​12474)

v7.2.1

Compare Source

Upgrade urgency SECURITY: See security fixes below.

Security Fixes

  • (CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration.

Bug Fixes

  • Fix crashes when joining a node to an existing 7.0 Redis Cluster (#​12538)
  • Correct request_policy and response_policy command tips on for some admin / configuration commands (#​12545, #​12530)

v7.2.0

Compare Source

Upgrade urgency LOW: This is the first stable Release for Redis 7.2.

Bug Fixes

  • redis-cli in cluster mode handles unknown-endpoint (#​12273)
  • Update request / response policy hints for a few commands (#​12417)
  • Ensure that the function load timeout is disabled during loading from RDB/AOF and on replicas. (#​12451)
  • Fix false success and a memory leak for ACL selector with bad parenthesis combination (#​12452)
  • Fix the assertion when script timeout occurs after it signaled a blocked client (#​12459)

Fixes for issues in previous releases of Redis 7.2

  • Update MONITOR client's memory correctly for INFO and client-eviction (#​12420)
  • The response of cluster nodes was unnecessarily adding an extra comma when no hostname was present. (#​12411)

v7.0.14

Compare Source

Upgrade urgency SECURITY: See security fixes below.

Security fixes

  • (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup.

v7.0.13

Compare Source

Upgrade urgency SECURITY: See security fixes below.

Security Fixes

  • (CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and as a result may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration.

Bug Fixes

  • Cluster: fix a race condition where a slot migration may revert on a subsequent failover or node joining (#​12344)
  • Ensure that the function load timeout is disabled during loading from RDB/AOF and on replicas. (#​12451)
  • Fix the assertion when script timeout occurs after it signaled a blocked client (#​12459)

v7.0.12

Compare Source

Upgrade urgency SECURITY: See security fixes below.

Security Fixes:

  • (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users.
  • (CVE-2023-36824) Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Specifically: using COMMAND GETKEYS* and validation of key names in ACL rules.

Bug Fixes

  • Re-enable downscale rehashing while there is a fork child (#​12276)
  • Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count> (#​12276)
  • Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction (#​12276)
  • Fix WAIT to be effective after a blocked module command being unblocked (#​12220)
  • Avoid unnecessary full sync after master restart in a rare case (#​12088)

v7.0.11

Compare Source

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access

Bug Fixes

  • Add a missing fsync of AOF file in rare cases (#​11973)
  • Disconnect pub-sub subscribers when revoking allchannels permission (#​11992)

Platform / toolchain support related improvements

  • Fix a compiler fortification induced crash when used with link time optimizations (#​11982)

v7.0.10

Compare Source

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service

Bug Fixes

  • Large blocks of replica client output buffer may lead to PSYNC loops and unnecessary memory usage (#​11666)
  • Fix CLIENT REPLY OFF|SKIP to not silence push notifications (#​11875)
  • Trim excessive memory usage in stream nodes when exceeding stream-node-max-bytes (#​11885)
  • Fix module RM_Call commands failing with OOM when maxmemory is changed to zero (#​11319)

v7.0.9

Compare Source

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process.
  • (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time.

Bug Fixes

  • Fix a crash when reaching the maximum invalidations limit of client-side tracking (#​11814)
  • Fix a crash when SPUBLISH is used after passing the cluster-link-sendbuf-limit (#​11752)
  • Fix possible memory corruption in FLUSHALL when a client watches more than one key (#​11854)
  • Fix cluster inbound link keepalive time (#​11785)
  • Flush propagation list in active-expire of writable replicas to fix an assertion (#​11615)
  • Avoid propagating DEL of lazy expire from SCAN and RANDOMKEY as MULTI-EXEC (#​11788)

Performance and resource utilization improvements

  • Avoid realloc to reduce size of strings when it is unneeded (#​11766)
  • Improve CLUSTER SLOTS reply efficiency for non-continuous slots (#​11745)

v7.0.8

Compare Source

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic
  • (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service

Bug Fixes

  • Avoid possible hang when client issues long KEYS, SRANDMEMBER, HRANDFIELD, and ZRANDMEMBER commands and gets disconnected by client output buffer limit (#​11676)
  • Make sure that fork child doesn't do incremental rehashing (#​11692)
  • Fix a bug where blocking commands with a sub-second timeout would block forever (#​11688)
  • Fix sentinel issue if replica changes IP (#​11590)

v7.0.7

Compare Source

Upgrade urgency: MODERATE, Contains fix for a regression in Geo commands.

Bug Fixes

  • Fix regression from Redis 7.0.6 in distance replies of Geo commands (#​11631)

v7.0.6

Compare Source

Upgrade urgency: MODERATE, Contains fixes for a few non-critical or unlikely bugs, and some dramatic optimizations to Geo, EVAL, and Sorted sets commands.

Potentially Breaking Bug Fixes for new Redis 7.0 features

  • RM_ResetDataset module API should not clear the functions (#​11268)
  • RM_Call module API used with the "C" flag to run scripts, would now cause the commands in the script to check ACL with the designated user (#​10966)

Performance and resource utilization improvements

  • Geo commands speedups (#​11535, #​11522, #​11552, #​11579)
  • Fix EVAL command performance regression from Redis 7.0 (#​11521, #​11541)
  • Reduce EXPIRE commands performance regression from Redis 7.0 (#​11602)
  • Optimize commands returning double values, mainly affecting zset commands (#​11093)
  • Optimize Lua parsing of some command responses (#​11556)
  • Optimize client memory usage tracking operation while client eviction is disabled (#​11348)

Platform / toolchain support related improvements

Module API changes

  • RM_SetContextUser, RM_SetModuleUserACLString, RM_GetModuleUserACLString (#​10966)
  • Fix crash in CLIENT_CHANGE event, when the selected database is not 0 (#​11500)

Changes in CLI tools

  • redis-benchmark avoid aborting on NOPERM from CONFIG GET (#​11096)

Bug Fixes

  • Avoid hang of diskless replication fork child when parent crashes (#​11463)
  • Fix crash with module API of list iterator and RM_ListDelete (#​11383)
  • Fix TLS error handling to avoid connection drops on timeouts (#​11563)
  • Fix runtime changes to cluster-announce-*-port to take effect on the local node too (#​10745)
  • Fix sentinel function that compares hostnames if failed resolve (#​11419)
  • Fix MIGRATE with AUTH set to "keys" is getting wrong key names leading to MOVED or ACL errors (#​11253)

Fixes for issues in previous releases of Redis 7.0

  • Fix command line startup --sentinel problem (#​11591)
  • Fis missing FCALL commands in monitor (#​11510)
  • Fix CLUSTER SHARDS showing empty hostname (#​11297)
  • Replica that asks for rdb-only could have missed the EOF and hang (#​11296)

v7.0.5

Compare Source

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2022-35951) Executing a XAUTOCLAIM command on a stream key in a specific state, with a specially crafted COUNT argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer [reported by Xion (SeungHyun Lee) of KAIST GoN].

Module API changes

  • Fix RM_Call execution of scripts when used with M/W/S flags to properly handle script flags (#​11159)
  • Fix RM_SetAbsExpire and RM_GetAbsExpire API registration (#​11025, #​8564)

Bug Fixes

  • Fix a hang when eviction is combined with lazy-free and maxmemory-eviction-tenacity is set to 100 (#​11237)
  • Fix a crash when a replica may attempt to set itself as its master as a result of a manual failover (#​11263)
  • Fix a bug where a cluster-enabled replica node may permanently set its master's hostname to '?' (#​10696)
  • Fix a crash when a Lua script returns a meta-table (#​11032)

Fixes for issues in previous releases of Redis 7.0

  • Fix redis-cli to do DNS lookup before sending CLUSTER MEET (#​11151)
  • Fix crash when a key is lazy expired during cluster key migration (#​11176)
  • Fix AOF rewrite to fsync the old AOF file when a new one is created (#​11004)
  • Fix some crashes involving a list containing entries larger than 1GB (#​11242)
  • Correctly handle scripts with a non-read-only shebang on a cluster replica (#​11223)
  • Fix memory leak when unloading a module (#​11147)
  • Fix bug with scripts ignoring client tracking NOLOOP (#​11052)
  • Fix client-side tracking breaking protocol when FLUSHDB / FLUSHALL / SWAPDB is used inside MULTI-EXEC (#​11038)
  • Fix ACL: BITFIELD with GET and also SET / INCRBY can be executed with read-only key permission (#​11086)
  • Fix missing sections for INFO ALL when also requesting a module info section (#​11291)

v7.0.4

Compare Source

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream key in a specific state may result with heap overflow, and potentially remote code execution. The problem affects Redis versions 7.0.0 or newer.

v7.0.3

Compare Source

Upgrade urgency: MODERATE, specifically if you're using a previous release of Redis 7.0, contains fixes for bugs in previous 7.0 releases.

Performance and resource utilization improvements

  • Optimize zset conversion on large ZRANGESTORE (#​10789)
  • Optimize the performance of sending PING on large clusters (#​10624)
  • Allow for faster restart of Redis in cluster mode (#​10912)

INFO fields and introspection changes

  • Add missing sharded pubsub keychannel count to CLIENT LIST (#​10895)
  • Add missing pubsubshard_channels field in INFO STATS (#​10929)

Module API changes

  • Add RM_StringToULongLong and RM_CreateStringFromULongLong (#​10889)
  • Add RM_SetClientNameById and RM_GetClientNameById (#​10839)

Changes in CLI tools

  • Add missing cluster-port support to redis-cli --cluster (#​10344)

Other General Improvements

  • Account sharded pubsub channels memory consumption (#​10925)
  • Allow ECHO in loading and stale modes (#​10853)
  • Cluster: Throw -TRYAGAIN instead of -ASK on migrating nodes for multi-key commands when the node only has some of the keys (#​9526)

Bug Fixes

  • TLS: Notify clients on connection shutdown (#​10931)
  • Fsync directory while persisting AOF manifest, RDB file, and config file (#​10737)
  • Script that made modification will not break with unexpected NOREPLICAS error (#​10855)
  • Cluster: Fix a bug where nodes may not acknowledge a CLUSTER FAILOVER TAKEOVER after a replica reboots (#​10798)
  • Cluster: Fix crash during handshake and cluster shards call (#​10942)

Fixes for issues in previous releases of Redis 7.0

  • TLS: Fix issues with large replies (#​10909)
  • Correctly report the startup warning for vm.overcommit_memory (#​10841)
  • redis-server command line allow passing config name and value in the same argument (#​10866)
  • Support --save command line argument with no value for backwards compatibility (#​10866)
  • Fix CLUSTER RESET command regression requiring an argument (#​10898)

v7.0.2

Compare Source

Upgrade urgency: MODERATE, specifically if you're using a previous release of Redis 7.0, contains fixes for bugs in previous 7.0 releases.

Bug Fixes

  • Fixed SET and BITFIELD commands being wrongly marked movablekeys (#​10837) Regression in 7.0 possibly resulting in excessive roundtrip from cluster clients.
  • Fix crash when /proc/sys/vm/overcommit_memory is inaccessible (#​10848) Regression in 7.0.1 resulting in crash on startup on some configurations.

v7.0.1

Compare Source

Upgrade urgency: MODERATE, specifically if you're using a previous release of Redis 7.0, contains some behavior changes for new 7.0 features and important fixes for bugs in previous 7.0 releases.

Improvements

  • Add warning for suspected slow system clocksource setting Add --check-system command line option. (#​10636)
  • Allow read-only scripts (*_RO commands, and ones with no-writes flag) during CLIENT PAUSE WRITE (#​10744)
  • Add readonly flag in COMMAND command for EVAL_RO, EVALSHA_RO and FCALL_RO (#​10728)
  • redis-server command line arguments now accept one string with spaces for multi-arg configs (#​10660)

Potentially Breaking Changes

  • Omitting a config option value in command line argument no longer works (#​10660)
  • Hide the may_replicate flag from the COMMAND command response (#​10744)

Potentially Breaking Changes for new Redis 7.0 features

  • Protocol: Sharded pubsub publish emits smessage instead of message (#​10792)
  • CLUSTER SHARDS returns slots as RESP integers, not strings (#​10683)
  • Block PFCOUNT and PUBLISH in read-only scripts (*_RO commands, and no-writes) (#​10744)
  • Scripts that declare the no-writes flag are implicitly allow-oom too (#​10699)

Changes in CLI tools

  • redis-cli --bigkeys, --memkeys, --hotkeys, --scan. Finish nicely after Ctrl+C (#​10736)

Platform / toolchain support related improvements

  • Support tcp-keepalive config interval on MacOs (#​10667)
  • Support RSS metrics on Haiku OS (#​10687)

INFO fields and introspection changes

Module API changes

  • Add two more new checks to RM_Call script mode (#​10786)
  • Add new RM_Call flag to let Redis automatically refuse deny-oom commands (#​10786)
  • Add module API RM_MallocUsableSize (#​10795)
  • Add missing REDISMODULE_NOTIFY_NEW (#​10688)
  • Fix cursor type in RedisModuleScanCursor to handle more than 2^31 elements (#​10698)
  • Fix RM_Yield bugs and RM_Call("EVAL") OOM check bug (#​10786)
  • Fix bugs in enum configs with overlapping bit flags (#​10661)

Bug Fixes

  • FLUSHALL correctly resets rdb_changes_since_last_save INFO field (#​10691)
  • FLUSHDB is now propagated to replicas / AOF, even if the db is empty (#​10691)
  • Replica fail and retry the PSYNC if the master is unresponsive (#​10726)
  • Fix ZRANGESTORE crash when zset_max_listpack_entries is 0 (#​10767)

Fixes for issues in previous release candidates of Redis 7.0

  • CONFIG REWRITE could cause a config change to be dropped for aliased configs (#​10811)
  • CONFIG REWRITE would omit rename-command and include lines (#​10761) NOTE: Affected users who used Redis 7.0.0 to rewrite their configuration file should review and fix the file.
  • Fix broken protocol after MISCONF (persistence) error (#​10786)
  • Fix --save command line regression (#​10690)
  • Fix possible regression around TLS config changes. re-load files even if the file name didn't change. (#​10713)
  • Re-add SENTINEL SLAVES command, missing in redis 7.0 (#​10723)
  • BZMPOP gets unblocked by non-key args and returns them (#​10764)
  • Fix possible memory leak in XADD and XTRIM (#​10753)

v7.0.0

Compare Source

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. This issue affects all versions of Redis. [reported by Aviv Yahav].
  • (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. [reported by Aviv Yahav].

New Features

Command replies that have been extended

  • COMMAND DOCS shows deprecated_since field in command args (#​10545)
  • COMMAND DOCS shows module name where applicable (#​10544)

Potentially Breaking Changes

  • Replicas panic when they fail writing persistence (#​10504)
  • Prevent cross slot operations in functions and scripts with shebang (#​10615)
  • Rephrased some error responses about invalid commands or args (#​10612)
  • Lua scripts do not have access to the print() function (#​10651)

Performance and resource utilization improvements

  • Speed optimization in streams (#​10574)
  • Speed optimization in command execution pipeline (#​10502)
  • Speed optimization in listpack encoded sorted (#​10486)
  • Speed optimization in latency tracking at INFO (relevant for 7.0 RCs) (#​10606)
  • Speed optimization when there are many replicas (relevant for 7.0 RCs) (#​10588)

New configuration options

  • Allow ignoring disk persistence errors on replicas (#​10504)
  • Allow abort with panic when replica fails to execute a command sent by the master (#​10504)
  • Allow configuring shutdown flags of SIGTERM and SIGINT (#​10594)
  • Allow attaching an operating system-specific identifier to Redis sockets (#​10349)

Module API changes

  • Add argument specifying ACL reason for module log entry (#​10559) Breaking API compatibility with 7.0 RCs
  • Add the deprecated_since field in command args of COMMAND DOCS (#​10545) Breaking API/ABI compatibility with 7.0 RCs
  • Add module API flag for using enum configs as bit flags (#​10643)
  • Add RM_PublishMessageShard (#​10543)
  • Add RM_MallocSizeString, RM_MallocSizeDict (#​10542)
  • Add RM_TryAlloc (#​10541)

Bug Fixes

  • Replica report disk persistence errors in PING (#​10603)
  • Fixes around rejecting commands on replicas and AOF when they must be respected (#​10603)
  • Durability fixes for appendfsync=always policy (#​9678)

Fixes for issues in previous release candidates of Redis 7.0

  • Fix possible crash on CONFIG REWRITE (#​10598)
  • Fix regression not aborting transaction on errors (#​10612)
  • Fix auto-aof-rewrite-percentage based AOFRW trigger after restart (#​10550)
  • Fix bugs when AOF enabled after startup, in case of failure before the first rewrite completes (#​10616)
  • Fix RM_Yield module API bug processing future commands of the current client (#​10573)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about these updates again.


  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Merge request reports