mirror of
https://github.com/fluencelabs/redis
synced 2025-05-14 11:31:21 +00:00
Redis 3.2.7.
parent 3876d985a8
commit af12f8ec3c
@ -10,6 +10,101 @@ HIGH: There is a critical bug that may affect a subset of users. Upgrade!
|
||||
CRITICAL: There is a critical bug affecting MOST USERS. Upgrade ASAP.
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
================================================================================
|
||||
Redis 3.2.7 Released Tue Jan 31 16:21:41 CET 2017
|
||||
================================================================================
|
||||
|
||||
Upgrade urgency HIGH: This release fixes important security and correctness
|
||||
issues. It is especially important to upgrade for Redis
|
||||
Cluster users and for users running Redis in their laptop
|
||||
since a cross-scripting attack is fixed in this release.
|
||||
|
||||
Main bugs fixes and improvements in this release:
|
||||
|
||||
1. MIGRATE could incorrectly move keys between Redis Cluster nodes by turning
|
||||
keys with an expire set into persisting keys. This bug was introduced with
|
||||
the multiple-keys migration recently. It is now fixed. Only applies to
|
||||
Redis Cluster users that use the resharding features of Redis Cluster.
|
||||
|
||||
2. As Redis 4.0 beta and the unstable branch already did (for some months at
|
||||
this point), Redis 3.2.7 also aliases the Host: and POST commands to QUIT
|
||||
avoiding to process the remaining pipeline if there are pending commands.
|
||||
This is a security protection against a "Cross Scripting" attack, that
|
||||
usually involves trying to feed Redis with HTTP in order to execute commands.
|
||||
Example: a developer is running a local copy of Redis for development
|
||||
purposes. She also runs a web browser in the same computer. The web browser
|
||||
could send an HTTP request to http://127.0.0.1:6379 in order to access the
|
||||
Redis instance, since a specially crafted HTTP requesta may also be partially
|
||||
valid Redis protocol. However if POST and Host: break the connection, this
|
||||
problem should be avoided. IMPORTANT: It is important to realize that it
|
||||
is not impossible that another way will be found to talk with a localhost
|
||||
Redis using a Cross Protocol attack not involving sending POST or Host: so
|
||||
this is only a layer of protection but not a definitive fix for this class
|
||||
of issues.
|
||||
|
||||
3. A ziplist bug that could cause data corruption, could crash the server and
|
||||
MAY ALSO HAVE SECURITY IMPLICATIONS was fixed. The bug looks complex to
|
||||
exploit, but attacks always get worse, never better (cit). The bug is very
|
||||
very hard to catch in practice, it required manual analysis of the ziplist
|
||||
code in order to be found. However it is also possible that rarely it
|
||||
happened in the wild. Upgrading is required if you use LINSERT and other
|
||||
in-the-middle list manipulation commands.
|
||||
|
||||
4. We upgraded to Jemalloc 4.4.0 since the version we used to ship with Redis
|
||||
was an early 4.0 release of Jemalloc. This version may have several
|
||||
improvements including the ability to better reclaim/use the memory of
|
||||
system.
|
||||
|
||||
The following is the list of commits:
|
||||
|
||||
antirez in commit 3876d98:
|
||||
Ziplist: insertion bug under particular conditions fixed.
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
antirez in commit 153f2f0:
|
||||
Jemalloc updated to 4.4.0.
|
||||
150 files changed, 17271 insertions(+), 6356 deletions(-)
|
||||
|
||||
miter in commit ca532c9:
|
||||
Change switch statment to if statment
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
oranagra in commit a735035:
|
||||
fix rare assertion in DEBUG DIGEST
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
Itamar Haber in commit b917e3f:
|
||||
Verify pairs are provided after subcommands
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
antirez in commit 1177cf6:
|
||||
Avoid geo.c warning in initialization.
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
antirez in commit 874804d:
|
||||
Security: Cross Protocol Scripting protection.
|
||||
3 files changed, 27 insertions(+), 2 deletions(-)
|
||||
|
||||
antirez in commit 273cd7f:
|
||||
Ziplist: remove static from functions, they prevent good crash reports.
|
||||
1 file changed, 14 insertions(+), 14 deletions(-)
|
||||
|
||||
Jan-Erik Rediger in commit 389b9f5:
|
||||
Initialize help only in repl mode
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
Yossi Gottlieb in commit 1370a88:
|
||||
Fix redis-cli rare crash.
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
antirez in commit 68aab8e:
|
||||
MIGRATE: Remove upfront ttl initialization.
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
Jan-Erik Rediger in commit 788e892:
|
||||
Reset the ttl for additional keys
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
================================================================================
|
||||
Redis 3.2.6 Released Tue Dec 06 09:33:29 CET 2016
|
||||
================================================================================
|
||||
|
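Review bot: The "Upgrade urgency HIGH" paragraph says "a cross-scripting attack is fixed in this release", but item 2 states that aliasing Host: and POST to QUIT is "only a layer of protection but not a definitive fix"; reword the urgency line to say the attack is mitigated so the two statements agree. The same paragraph names only Redis Cluster users and laptop users, while item 3 says upgrading is required for anyone using LINSERT and other in-the-middle list manipulation commands, so that group should be listed there as well. Smaller points: the attack is named four different ways ("cross-scripting", "Cross Scripting", "Cross Protocol attack", and "Cross Protocol Scripting" in the 874804d subject), so pick one term and use it throughout; "requesta" in item 2 is a typo for "request".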
@ -1 +1 @@
|
||||
#define REDIS_VERSION "3.2.6"
|
||||
#define REDIS_VERSION "3.2.7"
|
||||
|