Redis Enterprise Software Release Notes 7.4.2-104 (March 2024)

New Cluster Manager UI enhancements to change a password from the sign-in screen, view locked-out user accounts, and unlock user accounts through a password reset.


This is a maintenance release for Redis Enterprise Software version 7.4.2.

Highlights

This version offers:

  • New Cluster Manager UI enhancements for password management and for identifying locked-out user accounts

New in this release

Enhancements

  • New Cluster Manager UI enhancements:

    • You can change your password from the sign-in screen.

    • Added a "User is locked out" label to the Access Control > Users screen to help administrators identify and manage locked-out users.

Redis module feature sets

Redis Enterprise comes bundled with several modules. As of version 7.4.2, Redis Enterprise includes two feature sets, compatible with different Redis database versions.

Bundled Redis modules compatible with Redis database version 7.2:

Bundled Redis modules compatible with Redis database versions 6.0 and 6.2:

Resolved issues

  • RS112165: metrics_exporter now reports bdb_crdt_syncer_status metrics during database out-of-memory events.

  • RS115577: Changed the connect_timeout and read_timeout values for S3 from 30 seconds to 60 seconds.

  • RS98042: The primary node now logs all replace_node errors.

  • RS118147: Dynamic buffer size allocation is configured for the OSS cluster port mapping.

  • RS114971: The endpoint is updated when oss_cluster_api_preferred_ip_type changes.

  • RS121248: Fixed a known issue that prevented the creation of Active-Active databases that combine Redis version 6.0 or 6.2 with modules.

Version changes

  • Removed the restriction that prevented adding nodes to a cluster whose cluster license has expired; this restriction occasionally caused problems in Kubernetes deployments.

    To avoid problems caused by an expired cluster license, we recommend replacing the license before its expiration date. See Update cluster license for Cluster Manager UI instructions, or use the PUT /v1/license REST API request.

Breaking changes

  • #1131 #1143: RedisJSON v2.6.9 changes the JSONPath default path value from . to $ under RESP3.

Deprecations

API deprecations

Supported platforms

The following table provides a snapshot of the platforms supported as of this Redis Enterprise Software release. For more details about operating system compatibility, see the supported platforms reference.

Supported – The platform is supported for this version of Redis Enterprise Software and Redis Stack modules.

⚠️ Deprecation warning – The platform is still supported for this version of Redis Enterprise Software, but support will be removed in a future release.

Redis Enterprise major version | 7.4                                     | 7.2         | 6.4           | 6.2
Release date                   | February 2024                           | August 2023 | February 2023 | August 2021
End-of-life date               | Determined after the next major release | July 2025   | February 2025 | August 2024

Platform
RHEL 9 and compatible distributions [1]
RHEL 8 and compatible distributions [1]
RHEL 7 and compatible distributions [1]   ⚠️
Ubuntu 20.04 [2]
Ubuntu 18.04 [2]   ⚠️ ⚠️
Ubuntu 16.04 [2]   ⚠️
Amazon Linux 2
Amazon Linux 1
Kubernetes [3]
Docker [4]
  1. The RHEL-compatible distributions CentOS, CentOS Stream, Alma, and Rocky are supported if they have full RHEL compatibility. Oracle Linux running the Red Hat Compatible Kernel (RHCK) is supported, but the Unbreakable Enterprise Kernel (UEK) is not supported.

  2. The server version of Ubuntu is recommended for production installations. The desktop version is only recommended for development deployments.

  3. See the Redis Enterprise for Kubernetes documentation for details about support per version and Kubernetes distribution.

  4. Docker images of Redis Enterprise Software are certified for development and testing only.

Download

The following table shows the MD5 checksums of the available packages:

MD5 checksums (7.4.2-104 March release)
Ubuntu 18                          | a65c8505f5e0e1bdff63fb778b010856
Ubuntu 20                          | 7c3e0aef16147c26fd5f1089e6f68dc2
Red Hat Enterprise Linux (RHEL) 8  | 31df503bafdf43330be74267075401e3
Red Hat Enterprise Linux (RHEL) 9  | 52199b917ebaab05352227c4c9c008ac
Amazon Linux 2                     | 3823405fe934ce590aa6a9c71001168e
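The checksums above are only useful if they are actually compared against the downloaded package before it is installed. The following shell script is an added example, not part of the release notes or of the Redis Enterprise installer: it computes the MD5 of a local file (GNU md5sum, with BSD md5 as a fallback), compares it case-insensitively with the published value, and keeps the table's checksums in a small lookup keyed by platform. The platform keys and the package file name in the usage comment are assumptions; the checksum values are the ones published above.

```shell
#!/bin/sh
# Added example (not from the release notes): verify a downloaded Redis
# Enterprise Software package against the MD5 checksum published above.
# Usage: verify_package_md5 <file> <expected-md5>

# Compute the MD5 digest of a file portably (GNU md5sum or BSD md5).
md5_of_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Return 0 when the file's digest equals the expected one (case-insensitive),
# 1 when the file is missing or the digest differs.
verify_package_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(md5_of_file "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK        $file $actual"
        return 0
    fi
    echo "MISMATCH  $file expected=$expected actual=$actual" >&2
    return 1
}

# Published checksums from the table above. The platform keys (ubuntu18, rhel9, ...)
# are an assumption of this example, not names used by Redis.
expected_md5_for() {
    case "$1" in
        ubuntu18) echo a65c8505f5e0e1bdff63fb778b010856 ;;
        ubuntu20) echo 7c3e0aef16147c26fd5f1089e6f68dc2 ;;
        rhel8)    echo 31df503bafdf43330be74267075401e3 ;;
        rhel9)    echo 52199b917ebaab05352227c4c9c008ac ;;
        amzn2)    echo 3823405fe934ce590aa6a9c71001168e ;;
        *)        echo "unknown platform: $1" >&2; return 1 ;;
    esac
}

# Example invocation (the package file name is an assumption):
# verify_package_md5 redislabs-7.4.2-104-rhel9-x86_64.tar "$(expected_md5_for rhel9)"
```

A mismatch most often means a truncated or corrupted download, and the script exits non-zero so it can gate an automated install step. MD5 detects accidental corruption but is not collision-resistant, so this check complements, rather than replaces, fetching the package over TLS from the vendor's download site.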

Known issues

  • RS61676: A full-chain certificate update fails if any certificate in the chain does not have a Common Name (CN).

  • RS119958: The debuginfo script fails with the error /bin/tar: Argument list too long due to too many RocksDB log files.

  • RS122570: The REST API POST /crdbs responds with a confusing error message if the cluster does not have CRDB-compatible modules that match the requested feature set.

Known limitations

firewalld configuration fails on RHEL 9 because of file permissions

When you install Redis Enterprise Software version 7.4.2 on RHEL 9, the firewalld configuration fails to add the redislabs service if /etc/firewalld/services/redislabs-clients.xml or /etc/firewalld/services/redislabs.xml is owned by redislabs instead of root.

Workaround:

  1. Change the owner and group of the files to root:

    $ chown root:root /etc/firewalld/services/redislabs-clients.xml
    $ chown root:root /etc/firewalld/services/redislabs.xml
    
  2. Add the redislabs service to firewalld:

    $ systemctl daemon-reload
    $ systemctl restart firewalld
    $ /bin/firewall-cmd --add-service=redislabs
    

This limitation will be fixed in a future maintenance release.
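The workaround above is safe to re-run, but a script that applies it blindly on every host hides whether the condition was ever present. The following shell script is an added example, not from the release notes or the Redis Enterprise installer: it checks the owner of each firewalld service file named above, reports only the files that are not owned by root, and applies the documented chown, reload and add-service steps only where needed, querying firewalld first so the service is not added twice. The helper names are this example's own; the file paths, the redislabs service name and the firewall-cmd and systemctl commands are the ones the release notes use.

```shell
#!/bin/sh
# Added example (not from the release notes): detect and repair the RHEL 9
# firewalld ownership condition described above. The helper names are
# assumptions of this example; paths and service name come from the notes.

# firewalld service definitions named in the release notes.
FIREWALLD_SERVICE_FILES="/etc/firewalld/services/redislabs-clients.xml /etc/firewalld/services/redislabs.xml"

# Print the owning user of a file (GNU stat on RHEL; BSD stat as a fallback).
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Return 0 (true) when the file exists and is not owned by root; 1 otherwise.
needs_root_ownership_fix() {
    [ -e "$1" ] || return 1
    [ "$(file_owner "$1")" != root ]
}

# List the service files that still need the chown; prints nothing when all are fine.
files_needing_fix() {
    for f in $FIREWALLD_SERVICE_FILES; do
        if needs_root_ownership_fix "$f"; then
            echo "$f"
        fi
    done
}

# Apply the documented workaround. Must run as root. Only files that are not
# owned by root are changed, and the redislabs service is added only if
# firewalld does not already report it as active.
apply_firewalld_workaround() {
    for f in $(files_needing_fix); do
        echo "fixing owner of $f (was $(file_owner "$f"))"
        chown root:root "$f"
    done
    systemctl daemon-reload
    systemctl restart firewalld
    if ! /bin/firewall-cmd --query-service=redislabs >/dev/null 2>&1; then
        /bin/firewall-cmd --add-service=redislabs
    fi
}

# Example invocation on an affected host (as root):
# files_needing_fix            # shows which files are still owned by redislabs
# apply_firewalld_workaround   # applies the fix and adds the service
```

Running files_needing_fix before and after an upgrade gives a quick audit of whether the limitation applies to a given node, which is also a useful check to keep around until the maintenance release that fixes it is installed.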

Security

Open source Redis security fixes compatibility

As part of Redis's commitment to security, Redis Enterprise Software implements the latest security fixes available with open source Redis. Redis Enterprise has already included the fixes for the relevant CVEs.

Some CVEs announced for open source Redis do not affect Redis Enterprise due to different or additional functionality available in Redis Enterprise that is not available in open source Redis.

Redis Enterprise 7.4.2-104 supports open source Redis 7.2, 6.2, and 6.0. Below is the list of open source Redis CVEs fixed by version.

Redis 7.2.x:

  • (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers, which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution.

  • (CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. (Redis 7.2.1)

Redis 7.0.x:

  • (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers, which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution.

  • (CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. (Redis 7.0.13)

  • (CVE-2023-36824) Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption, and potentially remote code execution. Specifically: using COMMAND GETKEYS* and validation of key names in ACL rules. (Redis 7.0.12)

  • (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access. (Redis 7.0.11)

  • (CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service. (Redis 7.0.10)

  • (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 7.0.9)

  • (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service. (Redis 7.0.8)

  • (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. (Redis 7.0.9)

  • (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic. (Redis 7.0.8)

  • (CVE-2022-35951) Executing an XAUTOCLAIM command on a stream key in a specific state, with a specially crafted COUNT argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.5)

  • (CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream key in a specific state may result in heap overflow and potentially remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.4)

  • (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 7.0.12)

  • (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result in a crash of the redis-server process. This issue affects all versions of Redis. (Redis 7.0.0)

  • (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 7.0.0)

Redis 6.2.x:

  • (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access. (Redis 6.2.12)

  • (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 6.2.11)

  • (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service. (Redis 6.2.9)

  • (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. (Redis 6.2.11)

  • (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic. (Redis 6.2.9)

  • (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 6.2.13)

  • (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result in a crash of the redis-server process. This issue affects all versions of Redis. (Redis 6.2.7)

  • (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 6.2.7)

  • (CVE-2021-41099) Integer to heap buffer overflow handling certain string commands and network payloads, when proto-max-bulk-len is manually configured to a non-default, very large value. (Redis 6.2.6)

  • (CVE-2021-32762) Integer to heap buffer overflow issue in redis-cli and redis-sentinel parsing large multi-bulk replies on some older and less common platforms. (Redis 6.2.6)

  • (CVE-2021-32761) An integer overflow bug in Redis version 2.2 or newer can be exploited using the BITFIELD command to corrupt the heap and potentially result with remote code execution. (Redis 6.2.5)

  • (CVE-2021-32687) Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value. (Redis 6.2.6)

  • (CVE-2021-32675) Denial Of Service when processing RESP request payloads with a large number of elements on many connections. (Redis 6.2.6)

  • (CVE-2021-32672) Random heap reading issue with Lua Debugger. (Redis 6.2.6)

  • (CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded data types, when configuring a large, non-default value for hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value. (Redis 6.2.6)

  • (CVE-2021-32627) Integer to heap buffer overflow issue with streams, when configuring a non-default, large value for proto-max-bulk-len and client-query-buffer-limit. (Redis 6.2.6)

  • (CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer overflow. (Redis 6.2.6)

  • (CVE-2021-32625) An integer overflow bug in Redis version 6.0 or newer can be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution. This is a result of an incomplete fix by CVE-2021-29477. (Redis 6.2.4)

  • (CVE-2021-29478) An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values and using the COPY command to duplicate it. The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result with a corrupted RDB or DUMP payload, but not exploited through COPY (which did not exist before 6.2). (Redis 6.2.3)

  • (CVE-2021-29477) An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. The integer overflow bug exists in all versions of Redis starting with 6.0. (Redis 6.2.3)

Redis 6.0.x:

  • (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 6.0.20)

  • (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access. (Redis 6.0.19)

  • (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 6.0.18)

  • (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. (Redis 6.0.18)

  • (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic. (Redis 6.0.17)
