Redis Stack 7.2.0-v14

@ViktarStarastsenka ViktarStarastsenka released this 08 Jan 10:08
· 1 commit to 7.2 since this release
fb7a26b

This is a maintenance release for Redis Stack Server 7.2.0.

Update urgency: SECURITY: there are security fixes in the release.

Docker

Headlines:

This version introduces security updates for the Redis server, Redis Query Engine, time series, and probabilistic data structures, addressing vulnerabilities related to potential out-of-bounds writes.

Additionally, it includes improvements to the Redis Query Engine and bug fixes for the Redis Query Engine, JSON, and probabilistic data structures, ensuring enhanced stability and reliability.

This maintenance release also includes the latest version of Redis Insight.

Details:

Security and privacy

  • Redis:

    • (CVE-2024-46981) Lua script commands may lead to remote code execution
    • (CVE-2024-51741) Denial-of-service due to malformed ACL selectors
  • Redis Query Engine:

    • #5457 (CVE-2024-51737) Query: potential out-of-bounds write (MOD-8486)
  • Time series:

    • #1673 (CVE-2024-51480) TS.QUERYINDEX, TS.MGET, TS.MRANGE, TS.MREVRANGE - potential integer overflow leading to an out-of-bounds write (MOD-7548)
  • Probabilistic data structures:

    • #844 (CVE-2024-53993) CMS: potential out-of-bounds write (MOD-6970)

Improvements

  • Redis Query Engine:
    • #5260 Optimising index memory consumption by creating the index only upon write operations (MOD-8125)

Bug Fixes

  • Redis:

    • #13380 Possible crash due to OOM panic on invalid command
    • #13338 Streams: XINFO lag field is wrong when tombstone is after the last_id of the consumer group
    • #13473 Streams: XTRIM does not update the maximal tombstone, leading to an incorrect lag
    • #13311 Cluster: crash due to unblocking client during slot migration
    • #13443 Cluster: crash when loading cluster config
    • #13422 Cluster: CLUSTER SHARDS returns empty array
    • #13465 Cluster: incompatibility with older node versions
  • Redis Query Engine:

    • #5299 Prefix/Infix/Suffix queries longer than 1024 chars could cause a crash (MOD-7882)
    • #5303 Keys expiring during background indexing could cause a cross-slot error when using replicaof (MOD-7949)
    • #5280 FT.CURSOR READ retrieving deleted TAG fields causes a crash (MOD-8011)
    • #5427 FT.AGGREGATE on numeric fields leads to a failed_calls count increase on clustered DBs (MOD-8058)
    • #5242 Incorrect memory count in bytes_collected reported by the index sanitiser when values are missing (MOD-8097, MOD-8114)
    • #5167 Cursors from queries that timed out weren't depleted, exhausting the number of available cursors (MOD-8009)
    • #4941 Adjusting the module configuration to avoid routing overload on the first shard in a clustered database (MOD-7505)
    • #4950 FT.PROFILE on AGGREGATE numeric queries could cause a crash due to reusing internal CURSOR in large range of numeric values (MOD-7454)
  • JSON:

    • #1313 (Redis Enterprise A-A only) Potential crash on JSON.DEBUG MEMORY (MOD-8412)
    • #1225 Crash on SET commands with recursive overlapping paths (MOD-7279)
    • HDT#261 (Redis Enterprise A-A only) Crash when a JSON contains an EOF character (MOD-7464)
  • Probabilistic data structures:

    • #844 CMS.MERGE crashes or hangs on negative number of keys (MOD-6964)
    • #720 BF crashes on high error rate (MOD-6268)
    • #773 CMS.MERGE: reply with an error on overflow and underflow (MOD-6962)
  • Redis version:

Module versions

Recommended Client Libraries

Compatible with Redis Insight. The docker image redis/redis-stack for this version is bundled with Redis Insight 2.64.1.

Note: version numbers follow the following pattern:
x.y.z-b

  • x.y Redis Major version
  • z increases in even numbers as a module's x.y version increases.
  • b denotes a patch to Redis or a module (for any z of Redis or the modules); b consists of a v followed by a numeric value.

Downloads