Redis Server Security and Bugfix Release 7.0.0


The open-source in-memory database Redis is a high-performance object cache that can, among other things, speed up websites. Version 7.0.0 has now been released; it contains two security fixes, one new feature and a number of bug fixes, as well as improvements intended to increase the speed of the cache.

Redis 7.0.0 Release Notes

Security Fixes:

  • (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script
    can cause a NULL pointer dereference, which results in a crash of the
    redis-server process. This issue affects all versions of Redis.
    [reported by Aviv Yahav].
  • (CVE-2022-24735) By exploiting weaknesses in the Lua script execution
    environment, an attacker with access to Redis can inject Lua code that will
    execute with the (potentially higher) privileges of another Redis user.
    [reported by Aviv Yahav].
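
The two Lua fixes above make a quick check of one's own deployment worthwhile: which server version is running, and which ACL users can reach the Lua scripting surface (EVAL, EVALSHA, SCRIPT, FUNCTION, FCALL) at all, since that surface is only of concern to users who can execute scripts. The following Python script is an added example and is not part of the release notes or of the Redis project. It works on captured text from `redis-cli INFO server` and `redis-cli ACL LIST` (the samples below are constructed, the password hashes are placeholders), models only the `@all` and `@scripting` ACL categories, and treats any version below 7.0.0 as needing review because the notes mention no backports.

```python
"""Offline audit of a Redis deployment against the Lua fixes described in the 7.0.0 notes.

Added example, not from the release notes or the Redis project. It parses text
captured from `INFO server` and `ACL LIST`, so it needs no live server.
"""
import re

# Release the notes describe. Assumption: versions below it are flagged for review;
# fixes backported to other branches are not covered by the page this accompanies.
FIXED_VERSION = (7, 0, 0)

# Lua entry points; in Redis ACLs they belong to the "@scripting" category.
SCRIPTING_COMMANDS = frozenset(
    {"eval", "evalsha", "eval_ro", "evalsha_ro", "script", "function", "fcall", "fcall_ro"}
)

# Constructed sample of `INFO server` output: a server older than 7.0.0.
SAMPLE_INFO = """# Server
redis_version:6.2.6
redis_mode:standalone
"""

# Constructed sample of `ACL LIST` output. "#<sha256-placeholder>" stands in for a
# real password hash. Rules are applied left to right, as Redis itself does.
SAMPLE_ACL_LIST = """user default on nopass ~* &* +@all
user app on #<sha256-placeholder> ~app:* &* -@all +@read +@write
user ops on #<sha256-placeholder> ~* &* -@all +@scripting +ping
user legacy off #<sha256-placeholder> ~* &* +@all
user report on #<sha256-placeholder> ~* &* -@all +@read +evalsha_ro
"""


def parse_version(info_text):
    """Return redis_version from `INFO server` text as a (major, minor, patch) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.MULTILINE)
    if m is None:
        raise ValueError("redis_version not present in INFO output")
    return tuple(int(part) for part in m.groups())


def needs_upgrade(info_text):
    """True when the server is older than the 7.0.0 release the notes describe."""
    return parse_version(info_text) < FIXED_VERSION


def scripting_commands_for(rule_tokens):
    """Replay ACL rules left to right; return the scripting commands left allowed.

    Only @all and @scripting are modelled. Other categories (@read, @write, ...)
    are assumed not to contain scripting commands.
    """
    allowed = set()
    for tok in rule_tokens:
        low = tok.lower()
        if low in ("allcommands", "+@all", "+@scripting"):
            allowed = set(SCRIPTING_COMMANDS)
        elif low in ("nocommands", "-@all", "-@scripting"):
            allowed.clear()
        elif low[:1] in "+-" and not low.startswith(("+@", "-@")):
            # Individual command, possibly with a "|subcommand" suffix. A partial
            # allow such as +script|exists still counts as reaching the surface.
            cmd = low[1:].split("|", 1)[0]
            if cmd in SCRIPTING_COMMANDS:
                (allowed.add if low[0] == "+" else allowed.discard)(cmd)
        # ~keys, &channels, #hash, >pass, on/off and other categories are ignored here.
    return allowed


def parse_acl_list(acl_text):
    """Parse `ACL LIST` output into (user, enabled, rule tokens) triples."""
    users = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        rules = parts[2:]
        users.append((parts[1], "on" in rules, rules))
    return users


def audit(info_text, acl_text):
    """Combine the version check with the per-user scripting exposure."""
    exposed = {}
    for name, enabled, rules in parse_acl_list(acl_text):
        cmds = scripting_commands_for(rules)
        if enabled and cmds:  # disabled users cannot authenticate, so they are skipped
            exposed[name] = sorted(cmds)
    return {
        "version": parse_version(info_text),
        "needs_upgrade": needs_upgrade(info_text),
        "scripting_users": exposed,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_INFO, SAMPLE_ACL_LIST)
    print("redis_version:", ".".join(map(str, result["version"])))
    print("older than 7.0.0:", result["needs_upgrade"])
    for user, cmds in result["scripting_users"].items():
        print(f"user '{user}' can reach Lua scripting via: {', '.join(cmds)}")
```

Run against the constructed samples, the script reports the 6.2.6 version as needing review and lists `default`, `ops` and `report` as users who can execute scripts, while `app` (read/write only) and the disabled `legacy` account are not listed. On a real host, pipe the output of the two redis-cli commands into `audit()` instead of the samples.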

New Features

  • Keyspace event for new keys (#10512)

Command replies that have been extended

  • COMMAND DOCS shows deprecated_since field in command args (#10545)
  • COMMAND DOCS shows module name where applicable (#10544)

Potentially Breaking Changes

  • Replicas panic when they fail writing persistence (#10504)
  • Prevent cross slot operations in functions and scripts with shebang (#10615)
  • Rephrased some error responses about invalid commands or args (#10612)
  • Lua scripts do not have access to the print() function (#10651)

Performance and resource utilization improvements

  • Speed optimization in streams (#10574)
  • Speed optimization in command execution pipeline (#10502)
  • Speed optimization in listpack encoded sorted sets (#10486)
  • Speed optimization in latency tracking at INFO (relevant for 7.0 RCs) (#10606)
  • Speed optimization when there are many replicas (relevant for 7.0 RCs) (#10588)

New configuration options

  • Allow ignoring disk persistence errors on replicas (#10504)
  • Allow abort with panic when replica fails to execute a command sent by the master (#10504)
  • Allow configuring shutdown flags of SIGTERM and SIGINT (#10594)
  • Allow attaching an operating system-specific identifier to Redis sockets (#10349)

Module API changes

  • Add argument specifying ACL reason for module log entry (#10559)
    Breaking API compatibility with 7.0 RCs
  • Add the deprecated_since field in command args of COMMAND DOCS (#10545)
    Breaking API/ABI compatibility with 7.0 RCs
  • Add module API flag for using enum configs as bit flags (#10643)
  • Add RM_PublishMessageShard (#10543)
  • Add RM_MallocSizeString, RM_MallocSizeDict (#10542)
  • Add RM_TryAlloc (#10541)

Bug Fixes

  • Replicas report disk persistence errors in PING (#10603)
  • Fixes around rejecting commands on replicas and AOF when they must be respected (#10603)
  • Durability fixes for appendfsync=always policy (#9678)

Fixes for issues in previous release candidates of Redis 7.0

  • Fix possible crash on CONFIG REWRITE (#10598)
  • Fix regression not aborting transaction on errors (#10612)
  • Fix auto-aof-rewrite-percentage based AOFRW trigger after restart (#10550)
  • Fix bugs when AOF enabled after startup, in case of failure before the first rewrite completes (#10616)
  • Fix RM_Yield module API bug processing future commands of the current client (#10573)

Source: Release 7.0.0 · redis/redis · GitHub
