Redis 企业软件发行说明 7.2.4-92（2023 年 11 月）

新的集群管理器 UI 增强功能 - LDAP 配置改进。新增功能capability_name字段添加到模块 REST API 对象中。在集群升级时自动删除已弃用的预定义角色和 ACL，除非它们与任何用户或数据库关联。

Redis 企业软件

这是 Redis Enterprise Software 版本 7.2.4 的维护版本，最初作为版本 7.2.4-86 发布。版本 7.2.4-92 修复了影响版本 7.2.4-86 的几个其他问题。

突出

此版本提供：

新的 Cluster Manager UI 增强功能
新增功能capability_name模块 REST API 对象中的字段
在集群升级时自动删除已弃用的预定义角色和 ACL，除非它们与任何用户或数据库关联

此版本中的新增功能

增强

新的 Cluster Manager UI 增强功能：
- 改进了 LDAP 配置，并将其从 Cluster > Security > LDAP 移至 LDAP >访问控制 > 配置
新增功能capability_name字段已添加到模块 REST API 对象
升级集群时，将自动删除以下预定义角色和 ACL，除非它们与任何用户或数据库关联，如 Redis Enterprise Software 版本 7.2.4-52 弃用通知中所述：
- 自定义角色（不是管理角色）：Cluster Member、Cluster Viewer、DB Member、DB Viewer、None。
- Redis ACL：不危险且只读。

Redis 模块

Redis Enterprise Software 版本 7.2.4-92 和 7.2.4-86 包括以下 Redis 堆栈模块：

已解决的问题

Redis Enterprise Software 版本 7.2.4-92 中已解决以下问题：

RS114368 - 集群升级不应再显示redislabs用户或组已存在。
RS114185 - 解决了由于Failed to get default_suffix错误，该错误显示在dmcproxy.log.

Redis Enterprise Software 版本 7.2.4-86 中已解决以下问题：

RS109744 - 节点删除有时会卡在startingstate 时wait_for_persistence已启用。
RS110481 - 当主（主）节点具有新版本时，在升级过程中导入数据库失败。
RS111363 - 修复了旧版 UI 中的一个问题，即即使这些设置可见，您也无法在 settings > preferences （首选项）选项卡上更新和保存更改。
RS39744 - 该/opt/redislabs目录不是使用redislabs用户和组。
RS111648 - 在cnm_exec.log，将 “root” 替换为模块 utils 日志名称。
RS112517 - 修复了prepare_flash脚本，该脚本会降低 Ubuntu 20 上的 Auto Tiering 性能。
RS104189 - 添加了超时/shardsAPI 来防止分片卡住时响应时间过长。
RS108771 – 修复了包含源分片的节点关闭时的迁移问题。
RS105989 - 修复了集群升级期间的节点删除失败问题。
RS112568 - 修复了节点包含未分布到所有集群节点的模块的迁移和节点删除情况。
RS110204 - 修复了在分片关闭时，在升级期间请求时无法更改主（主）节点的问题。

版本变更

支持的平台

下表提供了截至此 Redis Enterprise Software 版本支持的平台的快照。有关作系统兼容性的更多详细信息，请参阅支持的平台参考。

✅ 支持 – 此版本的 Redis Enterprise Software 支持该平台。

⚠️已弃用 – 此版本的 Redis Enterprise Software 仍支持该平台，但在未来版本中将取消支持。

❌ 生命周期结束 – 平台支持在此版本的 Redis Enterprise Software 中结束。

Redis 企业版	7.2.4	6.4.2	6.2.18	6.2.12	6.2.10	6.2.8	6.2.4
发布日期	2023 年 8 月	2023 年 2 月	2022 年 9 月	2022 年 8 月	2022 年 2 月	2021 年 10 月	2021 年 8 月
生命周期结束日期	–	2025 年 2 月	2024 年 8 月	2024 年 8 月	2024 年 8 月	2024 年 8 月	2024 年 8 月
Ubuntu 浏览器¹
20.04	✅	✅⁶	–	–	–	–	–
18.04	⚠️	✅	✅	✅	✅	✅	✅
16.04	❌	⚠️	✅	✅	✅	✅	✅
RHEL & CentOS²
8.8	✅	✅⁸	–	–	–	–	–
8.7	✅	✅	–	–	–	–	–
8.5-8.6	✅	✅	✅	✅	✅	–	–
8.0-8.4	✅	✅	✅	✅	✅	✅	–
7.0-7.9	⚠️	✅	✅	✅	✅	✅	✅
甲骨文 Linux³
8	✅	✅	✅	✅	✅	–	–
7	⚠️	✅	✅	✅	✅	✅	✅
洛奇 Linux³
8	✅	✅	✅	–	–	–	–
Amazon Linux
2	✅	✅⁷	–	–	–	–	–
1	⚠️	✅	✅	✅	✅	✅	✅
码头工人⁴	✅	✅	✅	✅	✅	✅	✅
Kubernetes （简体中文）⁵	✅	✅	✅	✅	✅	✅	✅

建议将 Ubuntu 的服务器版本用于生产安装。桌面版本仅建议用于开发部署。
RHEL 和 CentOS 部署需要 OpenSSL 1.0.2 和防火墙配置。
基于相应的 RHEL 版本。
Redis Enterprise Software 的 Docker 映像仅经过认证，可用于开发和测试。
请参阅 Redis Enterprise for Kubernetes 文档。
Ubuntu 20.04 支持已在 Redis Enterprise Software 6.4.2-43 中添加。
Redis Enterprise Software 6.4.2-61 中添加了 Amazon Linux 2 支持的候选版本。Redis Enterprise Software 6.4.2-69 中添加了对 Amazon Linux 2 的官方支持。
Redis Enterprise Software 6.4.2-103 及更高版本支持 RHEL 8.8。

下载

下表显示了可用软件包的 MD5 校验和：

包	MD5 校验和（7.2.4-92 11 月版）
Ubuntu 18 的	17166732725284728162180d92e3fa72
Ubuntu 20 的	d4bd75933d95bbd18d487b9834180517
RedHat Enterprise Linux （RHEL） 7 Oracle Enterprise Linux （OL） 7	78447b4643fafb5dcec37c2981ca7b59
RedHat Enterprise Linux （RHEL） 8 Oracle Enterprise Linux （OL） 8 Rocky Enterprise Linux	6dc4f3ba3d789d8e02f7a963128b79a4
Amazon Linux 2	f829ecba9874ed30229736617ad8f0f8

已知问题

RS114185 - 在升级到 Redis Enterprise Software 版本 7.2.4-86 期间，代理可能无法启动，因为Failed to get default_suffix错误，该错误显示在dmcproxy.log.

解决方法是启动dmcproxy手动地：
```
supervisorctl restart dmcproxy
```
This issue was fixed in Redis Enterprise Software version 7.2.4-92.


Security
Open source Redis security fixes compatibility
As part of Redis's commitment to security, Redis Enterprise Software implements the latest security fixes available with open source Redis. Redis Enterprise has already included the fixes for the relevant CVEs.
Some CVEs announced for open source Redis do not affect Redis Enterprise due to different or additional functionality available in Redis Enterprise that is not available in open source Redis.
Redis Enterprise 7.2.4-92 and 7.2.4-86 support open source Redis 7.2, 6.2, and 6.0. Below is the list of open source Redis CVEs fixed by version.
Redis 7.2.x:


(CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers, which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution.


(CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. (Redis 7.2.1)


Redis 7.0.x:


(CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers, which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution.


(CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. (Redis 7.0.13)


(CVE-2023-36824) Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption, and potentially remote code execution. Specifically: using COMMAND GETKEYS* and validation of key names in ACL rules. (Redis 7.0.12)


(CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access. (Redis 7.0.11)


(CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service. (Redis 7.0.10)


(CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 7.0.9)


(CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service. (Redis 7.0.8)


(CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. (Redis 7.0.9)


(CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic. (Redis 7.0.8)


(CVE-2022-35951) Executing an XAUTOCLAIM command on a stream key in a specific state, with a specially crafted COUNT argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.5)


(CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream key in a specific state may result in heap overflow and potentially remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.4)


(CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 7.0.12)


(CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result in a crash of the redis-server process. This issue affects all versions of Redis. (Redis 7.0.0)


(CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 7.0.0)


Redis 6.2.x:


(CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access. (Redis 6.2.12)


(CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 6.2.11)


(CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service. (Redis 6.2.9)


(CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. (Redis 6.2.11)


(CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic. (Redis 6.2.9)


(CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 6.2.13)


(CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result in a crash of the redis-server process. This issue affects all versions of Redis. (Redis 6.2.7)


(CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 6.2.7)


(CVE-2021-41099) Integer to heap buffer overflow handling certain string commands and network payloads, when proto-max-bulk-len is manually configured to a non-default, very large value. (Redis 6.2.6)


(CVE-2021-32762) Integer to heap buffer overflow issue in redis-cli and redis-sentinel parsing large multi-bulk replies on some older and less common platforms. (Redis 6.2.6)


(CVE-2021-32761) An integer overflow bug in Redis version 2.2 or newer can be exploited using the BITFIELD command to corrupt the heap and potentially result with remote code execution. (Redis 6.2.5)


(CVE-2021-32687) Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value. (Redis 6.2.6)


(CVE-2021-32675) Denial Of Service when processing RESP request payloads with a large number of elements on many connections. (Redis 6.2.6)


(CVE-2021-32672) Random heap reading issue with Lua Debugger. (Redis 6.2.6)


(CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded data types, when configuring a large, non-default value for hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value. (Redis 6.2.6)


(CVE-2021-32627) Integer to heap buffer overflow issue with streams, when configuring a non-default, large value for proto-max-bulk-len and client-query-buffer-limit. (Redis 6.2.6)


(CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer overflow. (Redis 6.2.6)


(CVE-2021-32625) An integer overflow bug in Redis version 6.0 or newer can be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution. This is a result of an incomplete fix by CVE-2021-29477. (Redis 6.2.4)


(CVE-2021-29478) An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values and using the COPY command to duplicate it. The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result with a corrupted RDB or DUMP payload, but not exploited through COPY (which did not exist before 6.2). (Redis 6.2.3)


(CVE-2021-29477) An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. The integer overflow bug exists in all versions of Redis starting with 6.0. (Redis 6.2.3)


Redis 6.0.x:


(CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 6.0.20)


(CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access. (Redis 6.0.19)


(CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 6.0.18)


(CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. (Redis 6.0.18)


(CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic. (Redis 6.0.17)



        

  
  
    
      RATE THIS PAGE
      
        
        
        ★
        
        
        ★
        
        
        ★
        
        
        ★
        
        
        ★
        
      
      
    
      Back to top ↑