Redis 7.0.12 released with security fixes and bug fixes.
Upgrade urgency SECURITY: See security fixes below.
Security fixes
- (CVE-2022-24834) Executing a specially crafted Lua script in Redis could trigger a heap overflow in the cjson and cmsgpack libraries, leading to heap corruption and possibly remote code execution. The problem exists in all versions of Redis. Only authenticated and authorized users are affected.
- (CVE-2023-36824) Extracting key names from a command and its argument list could, under certain circumstances, trigger a heap overflow, resulting in reads of random heap memory, heap corruption, and possibly remote code execution. Specifically: via COMMAND GETKEYS* and via validation of key names in ACL rules.
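Both entries above share a precondition: an authenticated user who is permitted to run scripts or to reach the key-extraction path. The following added example (not from the Redis release notes or the Redis project) audits captured redis-cli output offline: it parses the version from `INFO server` and replays the command rules of each `ACL LIST` line to list enabled users who can still run @scripting commands. The sample INFO text and ACL lines are constructed, the password hashes are placeholders, and the ACL evaluation is a simplification (only @all, @scripting and explicit command rules are modelled, and a subcommand rule such as `+script|load` is counted conservatively as the whole command).

```python
"""Offline audit for the two CVEs fixed in Redis 7.0.12.

Added example, not part of the Redis release notes. Both vulnerabilities need an
authenticated user who may run Lua scripts (cjson/cmsgpack) or reach the key
extraction path (COMMAND GETKEYS), so the audit answers two questions from
captured redis-cli output: is the server at or past 7.0.12, and which enabled
ACL users can still run scripting commands?
"""
import re

FIXED_VERSION = (7, 0, 12)  # the release this note announces

# Commands in the @scripting category (Redis 7.0); each reaches the Lua or
# function engine where cjson and cmsgpack are loaded.
SCRIPTING_CMDS = frozenset(
    {"eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro", "function", "script"}
)

# Constructed sample output in the shape redis-cli prints it (not from a real host);
# the '#' password hashes are placeholders, not real SHA-256 digests.
INFO_SAMPLE = "# Server\r\nredis_version:7.0.11\r\nredis_mode:standalone\r\n"
ACL_SAMPLE = [
    "user default on nopass ~* &* +@all",
    "user app on #" + "0" * 64 + " ~app:* resetchannels -@all +@read +@write",
    "user batch on #" + "1" * 64 + " ~* resetchannels -@all +@read +eval",
    "user legacy off nopass ~* &* +@all",
]


def parse_version(info_text: str) -> tuple[int, int, int]:
    """Pull redis_version out of INFO server output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.MULTILINE)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: tuple[int, int, int]) -> bool:
    """True when the server carries the 7.0.12 fixes (or is a later release).
    This note only covers the 7.0 branch, so False on a 6.x server means
    "check that branch's own release notes", not a confirmed vulnerability."""
    return version >= FIXED_VERSION


def scripting_commands_allowed(acl_line: str) -> set[str]:
    """Replay the command rules of one ACL LIST line, left to right, and return
    the @scripting commands the user ends up with. Order matters: '+@all -eval'
    removes only EVAL and leaves EVALSHA, FCALL etc. in place.
    Simplification: only @all/@scripting and explicit command rules are modelled;
    the other categories (@read, @write, @slow, ...) hold no scripting commands."""
    allowed: set[str] = set()
    for tok in acl_line.split():
        rule, body = tok[:1], tok[1:].lower()
        cmd = body.split("|")[0]  # '+script|load' is counted as 'script' (conservative)
        if tok in ("allcommands", "+@all") or (rule == "+" and body == "@scripting"):
            allowed |= SCRIPTING_CMDS
        elif tok in ("nocommands", "-@all") or (rule == "-" and body == "@scripting"):
            allowed.clear()
        elif rule == "+" and cmd in SCRIPTING_CMDS:
            allowed.add(cmd)
        elif rule == "-" and cmd in SCRIPTING_CMDS:
            allowed.discard(cmd)
    return allowed


def users_that_can_script(acl_lines: list[str]) -> list[str]:
    """Names of enabled users who can run at least one @scripting command."""
    flagged = []
    for line in acl_lines:
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "user" or tokens[2] != "on":
            continue  # malformed line or disabled ('off') user that cannot authenticate
        if scripting_commands_allowed(line):
            flagged.append(tokens[1])
    return flagged


def audit(info_text: str, acl_lines: list[str]) -> dict:
    """Combine the version check and the ACL review into one report."""
    version = parse_version(info_text)
    return {
        "version": version,
        "patched": is_patched(version),
        "scripting_users": users_that_can_script(acl_lines),
    }


if __name__ == "__main__":
    print(audit(INFO_SAMPLE, ACL_SAMPLE))
```

On the constructed sample the report shows version 7.0.11 (not patched) and flags `default` and `batch`, the two enabled users who keep scripting access; `app` was stripped of it with `-@all`, and `legacy` is disabled. Against a real deployment, feed the function the text of `redis-cli INFO server` and `redis-cli ACL LIST`; users that appear in the list on an unpatched server are the ones whose credentials gate the heap-overflow paths described above.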
Bug fixes
- Re-enable downscale rehashing while a fork child exists (#12276)
- Fixed possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with
- Improve fairness issues in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP and eviction (#12276)
- Fix WAIT so that it takes effect after a blocked module command is unblocked (#12220)
- Avoid unnecessary full sync after master restart in rare cases (#12088)