From af12f8ec3cf13a10e4039547a81cf5f163937063 Mon Sep 17 00:00:00 2001 From: antirez Date: Tue, 31 Jan 2017 16:32:23 +0100 Subject: [PATCH] Redis 3.2.7. --- 00-RELEASENOTES | 95 +++++++++++++++++++++++++++++++++++++++++++++++++ src/version.h | 2 +- 2 files changed, 96 insertions(+), 1 deletion(-) diff --git a/00-RELEASENOTES b/00-RELEASENOTES index badc38ac..eeb6dd01 100644 --- a/00-RELEASENOTES +++ b/00-RELEASENOTES 
@@ -10,6 +10,101 @@ HIGH: There is a critical bug that may affect a subset of users. Upgrade! CRITICAL: There is a critical bug affecting MOST USERS. Upgrade ASAP. -------------------------------------------------------------------------------- +================================================================================ +Redis 3.2.7 Released Tue Jan 31 16:21:41 CET 2017 +================================================================================ + +Upgrade urgency HIGH: This release fixes important security and correctness + issues. It is especially important to upgrade for Redis + Cluster users and for users running Redis in their laptop + since a cross-scripting attack is fixed in this release. + +Main bugs fixes and improvements in this release: + +1. MIGRATE could incorrectly move keys between Redis Cluster nodes by turning + keys with an expire set into persisting keys. This bug was introduced with + the multiple-keys migration recently. It is now fixed. Only applies to + Redis Cluster users that use the resharding features of Redis Cluster. + +2. As Redis 4.0 beta and the unstable branch already did (for some months at + this point), Redis 3.2.7 also aliases the Host: and POST commands to QUIT + avoiding to process the remaining pipeline if there are pending commands. + This is a security protection against a "Cross Scripting" attack, that + usually involves trying to feed Redis with HTTP in order to execute commands. + Example: a developer is running a local copy of Redis for development + purposes. She also runs a web browser in the same computer. The web browser + could send an HTTP request to http://127.0.0.1:6379 in order to access the + Redis instance, since a specially crafted HTTP requesta may also be partially + valid Redis protocol. However if POST and Host: break the connection, this + problem should be avoided. 
IMPORTANT: It is important to realize that it + is not impossible that another way will be found to talk with a localhost + Redis using a Cross Protocol attack not involving sending POST or Host: so + this is only a layer of protection but not a definitive fix for this class + of issues. + +3. A ziplist bug that could cause data corruption, could crash the server and + MAY ALSO HAVE SECURITY IMPLICATIONS was fixed. The bug looks complex to + exploit, but attacks always get worse, never better (cit). The bug is very + very hard to catch in practice, it required manual analysis of the ziplist + code in order to be found. However it is also possible that rarely it + happened in the wild. Upgrading is required if you use LINSERT and other + in-the-middle list manipulation commands. + +4. We upgraded to Jemalloc 4.4.0 since the version we used to ship with Redis + was an early 4.0 release of Jemalloc. This version may have several + improvements including the ability to better reclaim/use the memory of + system. + +The following is the list of commits: + +antirez in commit 3876d98: + Ziplist: insertion bug under particular conditions fixed. + 1 file changed, 9 insertions(+), 1 deletion(-) + +antirez in commit 153f2f0: + Jemalloc updated to 4.4.0. + 150 files changed, 17271 insertions(+), 6356 deletions(-) + +miter in commit ca532c9: + Change switch statment to if statment + 1 file changed, 2 insertions(+), 4 deletions(-) + +oranagra in commit a735035: + fix rare assertion in DEBUG DIGEST + 1 file changed, 1 insertion(+), 1 deletion(-) + +Itamar Haber in commit b917e3f: + Verify pairs are provided after subcommands + 1 file changed, 1 insertion(+), 1 deletion(-) + +antirez in commit 1177cf6: + Avoid geo.c warning in initialization. + 1 file changed, 1 insertion(+), 1 deletion(-) + +antirez in commit 874804d: + Security: Cross Protocol Scripting protection. 
+ 3 files changed, 27 insertions(+), 2 deletions(-) + +antirez in commit 273cd7f: + Ziplist: remove static from functions, they prevent good crash reports. + 1 file changed, 14 insertions(+), 14 deletions(-) + +Jan-Erik Rediger in commit 389b9f5: + Initialize help only in repl mode + 1 file changed, 5 insertions(+), 5 deletions(-) + +Yossi Gottlieb in commit 1370a88: + Fix redis-cli rare crash. + 1 file changed, 4 insertions(+) + +antirez in commit 68aab8e: + MIGRATE: Remove upfront ttl initialization. + 1 file changed, 3 insertions(+), 4 deletions(-) + +Jan-Erik Rediger in commit 788e892: + Reset the ttl for additional keys + 1 file changed, 1 insertion(+) + ================================================================================ Redis 3.2.6 Released Tue Dec 06 09:33:29 CET 2016 ================================================================================ diff --git a/src/version.h b/src/version.h index eb14a3db..a7806493 100644 --- a/src/version.h +++ b/src/version.h @@ -1 +1 @@ -#define REDIS_VERSION "3.2.6" +#define REDIS_VERSION "3.2.7"
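Review bot: item 2 of the 3.2.7 notes in the 00-RELEASENOTES hunk refers to the same protection under three names ("Cross Scripting" attack, "Cross Protocol attack", and, in the commit 874804d entry, "Cross Protocol Scripting"); pick one term, preferably the one in the commit subject, so operators searching for this fix can find it. The same item has a few wording slips worth fixing before release: "a specially crafted HTTP requesta may also be partially valid Redis protocol" should read "request", "avoiding to process the remaining pipeline" should read "avoiding processing the remaining pipeline", and "running Redis in their laptop" should read "on their laptop". Items 1 and 3 describe fixes without pointing at the commits that implement them, although the list below names them ("MIGRATE: Remove upfront ttl initialization." and "Reset the ttl for additional keys" for the MIGRATE expire bug, "Ziplist: insertion bug under particular conditions fixed." for the ziplist bug); adding the short hashes to each item lets users verify what they are picking up. In item 3, "it is also possible that rarely it happened in the wild" reads more clearly as "it may also have occurred, rarely, in the wild", and the upgrade guidance there is narrower than the HIGH urgency at the top of the entry, which tells everyone to upgrade; consider stating plainly that all users should upgrade and that LINSERT users are the most exposed.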