author Oran Agra <oran@redislabs.com> 2021-05-03 12:08:20 +0300
committer Oran Agra <oran@redislabs.com> 2021-05-03 22:57:00 +0300
commit e90e5640e7840860bc6726a08135ea86687bbd58
tree e09259e0d2a00e1fc8ece541a85856b442ca839d
parent 2df6695f2bacb6a2665d0171164d4aa6e67f6e88
download redis-6.2.3.tar.gz
Redis 6.2.3
-rw-r--r-- 00-RELEASENOTES 34
-rw-r--r-- src/version.h 4
2 files changed, 36 insertions, 2 deletions
diff --git a/00-RELEASENOTES b/00-RELEASENOTES
index 8a1405e41..4f6cb9978 100644
--- a/00-RELEASENOTES
+++ b/00-RELEASENOTES
@@ -12,6 +12,40 @@ SECURITY: There are security fixes in the release.
--------------------------------------------------------------------------------
================================================================================
+Redis 6.2.3 Released Mon May 3 19:00:00 IST 2021
+================================================================================
+
+Upgrade urgency: SECURITY, Contains fixes to security issues that affect
+authenticated client connections. LOW otherwise.
+
+Integer overflow in STRALGO LCS command (CVE-2021-29477):
+An integer overflow bug in Redis version 6.0 or newer could be exploited using
+the STRALGO LCS command to corrupt the heap and potentially result in remote
+code execution. The integer overflow bug exists in all versions of Redis
+starting with 6.0.
+
+Integer overflow in COPY command for large intsets (CVE-2021-29478):
+An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
+potentially result with remote code execution. The vulnerability involves
+changing the default set-max-intset-entries configuration value, creating a
+large set key that consists of integer values and using the COPY command to
+duplicate it. The integer overflow bug exists in all versions of Redis starting
+with 2.6, where it could result with a corrupted RDB or DUMP payload, but not
+exploited through COPY (which did not exist before 6.2).
+
+Bug fixes that are only applicable to previous releases of Redis 6.2:
+* Fix memory leak in moduleDefragGlobals (#8853)
+* Fix memory leak when doing lazy freeing client tracking table (#8822)
+* Block abusive replicas from sending command that could assert and crash redis (#8868)
+
+Other bug fixes:
+* Use a monotonic clock to check for Lua script timeout (#8812)
+* redis-cli: Do not use unix socket when we got redirected in cluster mode (#8870)
+
+Modules:
+* Fix RM_GetClusterNodeInfo() to correctly populate master id (#8846)
+
+================================================================================
Redis 6.2.2 Released Mon April 19 19:00:00 IST 2021
================================================================================
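Review bot: In the CVE-2021-29478 entry the affected range is split between the first and last sentences and the two disagree at a glance: it opens with "An integer overflow bug in Redis 6.2 could be exploited" and only at the end says the bug "exists in all versions of Redis starting with 2.6". A reader who stops after the first sentence will conclude that pre-6.2 deployments are unaffected, although the entry itself says they can produce a corrupted RDB or DUMP payload. Suggest leading with the full range (overflow present since 2.6, heap corruption reachable through COPY from 6.2). Since the urgency line limits exposure to authenticated client connections and the entry names a changed set-max-intset-entries value as a precondition, one added line on interim measures for operators who cannot upgrade immediately would also help; the CVE-2021-29477 entry states "starting with 6.0" twice but likewise gives no mitigation. Minor wording: "result with" should read "result in" (twice in the COPY entry).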
diff --git a/src/version.h b/src/version.h
index 3c5dc02c5..b87f2b9c3 100644
--- a/src/version.h
+++ b/src/version.h
@@ -1,2 +1,2 @@
-#define REDIS_VERSION "6.2.2"
-#define REDIS_VERSION_NUM 0x00060202
+#define REDIS_VERSION "6.2.3"
+#define REDIS_VERSION_NUM 0x00060203
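Review bot: REDIS_VERSION and REDIS_VERSION_NUM are two hand-edited literals that must agree, and this two-line file carries no comment explaining how the hex value is laid out. Suggest a one-line comment above REDIS_VERSION_NUM documenting the encoding (the step from 0x00060202 to 0x00060203 for 6.2.2 to 6.2.3 suggests one byte each for major, minor and patch), so that code comparing against the number and future release bumps do not have to infer it.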