6.2.8

Upgrade urgency: MODERATE, Contains fixes for a few non-critical or unlikely bugs

Performance and resource utilization improvements

• Optimize zset conversion on large ZRANGESTORE (#10789)

Module API changes

• Fix crash in CLIENT_CHANGE event, when the selected database is not 0 (#11500)
• Fix RM_SetAbsExpire and RM_GetAbsExpire API registration (#11025, #8564)

Security improvements

• Sentinel: avoid logging auth-pass value (#9652)

Bug Fixes

• Fix a crash when a Lua script returns a meta-table (#11032)
• Fix ZRANGESTORE crash when zset_max_listpack_entries is 0 (#10767)
• Unpause clients after manual failover ends instead of waiting for timed (#9676)
• TLS: Notify clients on connection shutdown (#10931)
• Avoid hang of diskless replication fork child when parent crashes (#11463)
• Fix sentinel function that compares hostnames if failed resolve (#11419)
• Fix a hang when eviction is combined with lazy-free and maxmemory-eviction-tenacity
  is set to 100 (#11237)
• Fix bug with scripts ignoring client tracking NOLOOP (#11052)
• Fix client-side tracking breaking protocol when FLUSHDB / FLUSHALL / SWAPDB is
  used inside MULTI-EXEC (#11038)
• Fix BITFIELD overflow detection on some compilers due to undefined behavior (#9601)

7.0.5

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

• (CVE-2022-35951) Executing a XAUTOCLAIM command on a stream key in a specific
  state, with a specially crafted COUNT argument, may cause an integer overflow,
  a subsequent heap overflow, and potentially lead to remote code execution.
  The problem affects Redis versions 7.0.0 or newer
  [reported by Xion (SeungHyun Lee) of KAIST GoN].

Module API changes

• Fix RM_Call execution of scripts when used with M/W/S flags to properly
  handle script flags (#11159)
• Fix RM_SetAbsExpire and RM_GetAbsExpire API registration (#11025, #8564)

Bug Fixes

• Fix a hang when eviction is combined with lazy-free and maxmemory-eviction-tenacity is set to 100 (#11237)
• Fix a crash when a replica may attempt to set itself as its master as a result of a manual failover (#11263)
• Fix a bug where a cluster-enabled replica node may permanently set its master's hostname to '?' (#10696)
• Fix a crash when a Lua script returns a meta-table (#11032)

Fixes for issues in previous releases of Redis 7.0

• Fix redis-cli to do DNS lookup before sending CLUSTER MEET (#11151)
• Fix crash when a key is lazy expired during cluster key migration (#11176)
• Fix AOF rewrite to fsync the old AOF file when a new one is created (#11004)
• Fix some crashes involving a list containing entries larger than 1GB (#11242)
• Correctly handle scripts with a non-read-only shebang on a cluster replica (#11223)
• Fix memory leak when unloading a module (#11147)
• Fix bug with scripts ignoring client tracking NOLOOP (#11052)
• Fix client-side tracking breaking protocol when FLUSHDB / FLUSHALL / SWAPDB is used inside MULTI-EXEC (#11038)
• Fix ACL: BITFIELD with GET and also SET / INCRBY can be executed with read-only key permission (#11086)
• Fix missing sections for INFO ALL when also requesting a module info section (#11291)

7.0.4

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

• (CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream
  key in a specific state may result with heap overflow, and potentially
  remote code execution. The problem affects Redis versions 7.0.0 or newer.

7.0.3

Upgrade urgency: MODERATE, specifically if you're using a previous release of
Redis 7.0, contains fixes for bugs in previous 7.0 releases.

Performance and resource utilization improvements

• Optimize zset conversion on large ZRANGESTORE (#10789)
• Optimize the performance of sending PING on large clusters (#10624)
• Allow for faster restart of Redis in cluster mode (#10912)

INFO fields and introspection changes

• Add missing sharded pubsub keychannel count to CLIENT LIST (#10895)
• Add missing pubsubshard_channels field in INFO STATS (#10929)

Module API changes

• Add RM_StringToULongLong and RM_CreateStringFromULongLong (#10889)
• Add RM_SetClientNameById and RM_GetClientNameById (#10839)

Changes in CLI tools

• Add missing cluster-port support to redis-cli --cluster (#10344)

Other General Improvements

• Account sharded pubsub channels memory consumption (#10925)
• Allow ECHO in loading and stale modes (#10853)
• Cluster: Throw -TRYAGAIN instead of -ASK on migrating nodes for multi-key
  commands when the node only has some of the keys (#9526)

Bug Fixes

• TLS: Notify clients on connection shutdown (#10931)
• Fsync directory while persisting AOF manifest, RDB file, and config file (#10737)
• Script that made modification will not break with unexpected NOREPLICAS error (#10855)
• Cluster: Fix a bug where nodes may not acknowledge a CLUSTER FAILOVER TAKEOVER
  after a replica reboots (#10798)
• Cluster: Fix crash during handshake and cluster shards call (#10942)

Fixes for issues in previous releases of Redis 7.0

• TLS: Fix issues with large replies (#10909)
• Correctly report the startup warning for vm.overcommit_memory (#10841)
• redis-server command line allow passing config name and value in the same argument (#10866)
• Support --save command line argument with no value for backwards compatibility (#10866)
• Fix CLUSTER RESET command regression requiring an argument (#10898)

7.0.2

Upgrade urgency: MODERATE, specifically if you're using a previous release of
Redis 7.0, contains fixes for bugs in previous 7.0 releases.

Bug Fixes

• Fixed SET and BITFIELD commands being wrongly marked movablekeys (#10837)
  Regression in 7.0 possibly resulting in excessive roundtrip from cluster clients.
• Fix crash when /proc/sys/vm/overcommit_memory is inaccessible (#10848)
  Regression in 7.0.1 resulting in crash on startup on some configurations.

7.0.1

Upgrade urgency: MODERATE, specifically if you're using a previous release of
Redis 7.0, contains some behavior changes for new 7.0 features and important
fixes for bugs in previous 7.0 releases.

Improvements

• Add warning for suspected slow system clocksource setting
  Add --check-system command line option. (#10636)
• Allow read-only scripts (*_RO commands, and ones with no-writes flag)
  during CLIENT PAUSE WRITE (#10744)
• Add readonly flag in COMMAND command for EVAL_RO, EVALSHA_RO and FCALL_RO (#10728)
• redis-server command line arguments now accept one string with spaces
  for multi-arg configs (#10660)

Potentially Breaking Changes

• Omitting a config option value in command line argument no longer works (#10660)
• Hide the may_replicate flag from the COMMAND command response (#10744)

Potentially Breaking Changes for new Redis 7.0 features

• Protocol: Sharded pubsub publish emits smessage instead of message (#10792)
• CLUSTER SHARDS returns slots as RESP integers, not strings (#10683)
• Block PFCOUNT and PUBLISH in read-only scripts (*_RO commands, and no-writes) (#10744)
• Scripts that declare the no-writes flag are implicitly allow-oom too (#10699)

Changes in CLI tools

• redis-cli --bigkeys, --memkeys, --hotkeys, --scan. Finish nicely after Ctrl+C (#10736)

Platform / toolchain support related improvements

• Support tcp-keepalive config interval on MacOs (#10667)
• Support RSS metrics on Haiku OS (#10687)

INFO fields and introspection changes

• Add isolated network metrics for replication. (#10062, #10810)

Module API changes

• Add two more new checks to RM_Call script mode (#10786)
• Add new RM_Call flag to let Redis automatically refuse deny-oom commands (#10786)
• Add module API RM_MallocUsableSize (#10795)
• Add missing REDISMODULE_NOTIFY_NEW (#10688)
• Fix cursor type in RedisModuleScanCursor to handle more than 2^31 elements (#10698)
• Fix RM_Yield bugs and RM_Call("EVAL") OOM check bug (#10786)
• Fix bugs in enum configs with overlapping bit flags (#10661)

Bug Fixes

• FLUSHALL correctly resets rdb_changes_since_last_save INFO field (#10691)
• FLUSHDB is now propagated to replicas / AOF, even if the db is empty (#10691)
• Replica fail and retry the PSYNC if the master is unresponsive (#10726)
• Fix ZRANGESTORE crash when zset_max_listpack_entries is 0 (#10767)

Fixes for issues in previous release candidates of Redis 7.0

• CONFIG REWRITE could cause a config change to be dropped for aliased configs (#10811)
• CONFIG REWRITE would omit rename-command and include lines (#10761)
  NOTE: Affected users who used Redis 7.0.0 to rewrite their configuration file
  should review and fix the file.
• Fix broken protocol after MISCONF (persistence) error (#10786)
• Fix --save command line regression (#10690)
• Fix possible regression around TLS config changes. re-load files even if the
  file name didn't change. (#10713)
• Re-add SENTINEL SLAVES command, missing in redis 7.0 (#10723)
• BZMPOP gets unblocked by non-key args and returns them (#10764)
• Fix possible memory leak in XADD and XTRIM (#10753)

7.0.0

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

• (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script
  can cause NULL pointer dereference which will result with a crash of the
  redis-server process. This issue affects all versions of Redis.
  [reported by Aviv Yahav].
• (CVE-2022-24735) By exploiting weaknesses in the Lua script execution
  environment, an attacker with access to Redis can inject Lua code that will
  execute with the (potentially higher) privileges of another Redis user.
  [reported by Aviv Yahav].

New Features

• Keyspace event for new keys (#10512)

Command replies that have been extended

• COMMAND DOCS shows deprecated_since field in command args (#10545)
• COMMAND DOCS shows module name where applicable (#10544)

Potentially Breaking Changes

• Replicas panic when they fail writing persistence (#10504)
• Prevent cross slot operations in functions and scripts with shebang (#10615)
• Rephrased some error responses about invalid commands or args (#10612)
• Lua scripts do not have access to the print() function (#10651)

Performance and resource utilization improvements

• Speed optimization in streams (#10574)
• Speed optimization in command execution pipeline (#10502)
• Speed optimization in listpack encoded sorted (#10486)
• Speed optimization in latency tracking at INFO (relevant for 7.0 RCs) (#10606)
• Speed optimization when there are many replicas (relevant for 7.0 RCs) (#10588)

New configuration options

• Allow ignoring disk persistence errors on replicas (#10504)
• Allow abort with panic when replica fails to execute a command sent by the master (#10504)
• Allow configuring shutdown flags of SIGTERM and SIGINT (#10594)
• Allow attaching an operating system-specific identifier to Redis sockets (#10349)

Module API changes

• Add argument specifying ACL reason for module log entry (#10559)
  Breaking API compatibility with 7.0 RCs
• Add the deprecated_since field in command args of COMMAND DOCS (#10545)
  Breaking API/ABI compatibility with 7.0 RCs
• Add module API flag for using enum configs as bit flags (#10643)
• Add RM_PublishMessageShard (#10543)
• Add RM_MallocSizeString, RM_MallocSizeDict (#10542)
• Add RM_TryAlloc (#10541)

Bug Fixes

• Replica report disk persistence errors in PING (#10603)
• Fixes around rejecting commands on replicas and AOF when they must be respected (#10603)
• Durability fixes for appendfsync=always policy (#9678)

Fixes for issues in previous release candidates of Redis 7.0

• Fix possible crash on CONFIG REWRITE (#10598)
• Fix regression not aborting transaction on errors (#10612)
• Fix auto-aof-rewrite-percentage based AOFRW trigger after restart (#10550)
• Fix bugs when AOF enabled after startup, in case of failure before the first rewrite completes (#10616)
• Fix RM_Yield module API bug processing future commands of the current client (#10573)

6.2.7

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

• (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script
  can cause NULL pointer dereference which will result with a crash of the
  redis-server process. This issue affects all versions of Redis.
  [reported by Aviv Yahav].
• (CVE-2022-24735) By exploiting weaknesses in the Lua script execution
  environment, an attacker with access to Redis can inject Lua code that will
  execute with the (potentially higher) privileges of another Redis user.
  [reported by Aviv Yahav].

Potentially Breaking Fixes

• LPOP/RPOP with count against non-existing list return null array (#10095)
• LPOP/RPOP used to produce wrong replies when count is 0 (#9692)

Performance and resource utilization improvements

• Speed optimization in command execution pipeline (#10502)
• Fix regression in Z[REV]RANGE commands (by-rank) introduced in Redis 6.2 (#10337)

Platform / toolchain support related improvements

• Fix RSS metrics on NetBSD and OpenBSD (#10116, #10149)
• Fix OpenSSL 3.0.x related issues (#10291)

Bug Fixes

• Lua: Add checks for min-slave-* configs when evaluating Lua scripts (#10160)
• Lua: fix crash on a script call with many arguments, a regression in v6.2.6 (#9809)
• Tracking: Make invalidation messages always after command's reply (#9422)
• Fix excessive stream trimming due to an overflow (#10068)
• Add missed error counting for INFO errorstats (#9646)
• Fix geo search bounding box check causing missing results (#10018)
• Improve EXPIRE TTL overflow detection (#9839)
• Modules: Fix thread safety violation when a module thread adds an error reply, broken in 6.2 (#10278)
• Modules: Fix missing and duplicate error stats (#10278)
• Module APIs: release clients blocked on module commands in cluster resharding
  and down state (#9483)
• Sentinel: Fix memory leak with TLS (#9753)
• Sentinel: Fix issues with hostname support (#10146)
• Sentinel: Fix election failures on certain container environments (#10197)

7.0-rc3

New Features

New administrative and introspection commands and command arguments

• CLUSTER SHARDS command deprecates CLUSTER SLOTS (#10293)

Potentially Breaking Changes

• CONFIG GET response returned in a non-deterministic order.
  It's possible that a client was relying on configs order (#10323)
• SORT / SORT_RO commands reject keys access patterns in GET and BY if ACL
  doesn't grant the command full keyspace access (#10340)
• FUNCTION LOAD command introduced in 7.0-RC1 was stripped of the ENGINE, and
  NAME arguments which are now part of the script itself. The DESCRIPTION
  argument was completely removed (#10500)
• Set disable-thp config to be immutable (#10409)

Performance and resource utilization improvements

• Optimize performance and memory usage on replicas (#10413)
• A faster and more robust code of zslRandomLevel using RAND_MAX (#5539)

Changes in CLI tools

• redis-cli: Use exit code 1 on error (#10468)
• redis-cli: Do DNS lookup before sending CLUSTER MEET (#10436)
• redis-benchmark: Fix --cluster with IPv6. (#10393)
• redis-cli: Better --json Unicode support and --quoted-json (#10286)

INFO fields and introspection changes

• MEMORY STATS: Show cluster.links memory usage (#10302)

Module API changes

• APIs for exposing module configs to config file and CONFIG command (#10285)
• Add an event notifying about configuration changes (#10311)
• Add API for redacting command arguments from SLOWLOG and MONITOR (#10425)
• RM_Call: new flags for script mode compatibility, no writes, and error replies (#10372)

Bug Fixes

• Sentinel: Fix no reconnect after auth-pass is changed (#10400)
• Cluster: Fix race condition: Turn into replica on SETSLOT (#10489, #10381)
• XREADGROUP: Unblock client when the stream key is deleted (#10306)

Fixes for issue in previous release candidates of Redis 7.0

• ACL DRYRUN does not validate the verified command args. (#10405)
• ACL DRYRUN returns the tested common permission error (#10359)
• Incorrect parsing of hostname information from nodes.conf (#10435)
• BITSET and BITFIELD SET should propagate even if just length changed (#10459)
• SHUTDOWN, Fix a possible crash when the shutdown was aborted (#10440)
• Script should not allow may-replicate commands when client pause write (#10364)
• Optimization tracking memory usage from i/o threads. (#10401)
• Initialize help when using redis-cli help or redis-cli ? (#10382)
• Dismiss COW of client output buffer now that it's dynamic (#10371)
• Fix memory corruption when EVAL fails before being processed (#10519)

7.0-rc2

New Features

• Add stream consumer group lag tracking and reporting (#9127)
• Add API for functions and eval Lua scripts to check ACL explicitly (#10220)

New user commands or command arguments

• COMMAND GETKEYSANDFLAGS sub-command (#10237)
• INFO command can take multiple section arguments (#6891)
• XGROUP CREATE and SETID: new ENTRIESREAD optional argument (#9127)
• XSETID new ENTRIESADDED and MAXDELETEDID optional arguments (#9127)

Command replies that have been extended

• XINFO reports consumer group lag and a few other fields (#9127)
• XAUTOCLAIM returns a new element with a list of deletes IDs (#10227)

Potentially Breaking Changes

• X[AUTO]CLAIM skips deleted entries instead of replying with Nil, and deletes
  them from the pending entry list (#10227)
• Fix messed up error codes returned from EVAL scripts (#10218, #10329)
• COMMAND INFO, Renames key-spec "CHANNEL" flag to be "NOT_KEY" (#10299)

Performance and resource utilization improvements

• Reduce system calls and small packets for client replies (#9934)
• Reduce memory usage of stale clients (#9822)
• Fix regression in Z[REV]RANGE commands (by-rank) introduced in Redis 6.2 (#10337)

Changes in CLI tools

• Adapt redis-check-aof tool for Multi Part AOF (#10061)
• Enable redis-benchmark to use RESP3 protocol mode (#10335)

Platform / toolchain support related improvements

• Fix OpenSSL 3.0.x related issues (#10291)

INFO fields and introspection changes

• COMMAND INFO key-specs has new variable_flags flag (#10237, #10148)
• INFO stats: add aof_rewrites and rdb_snapshots counters (#10178)
• INFO stats: add reply_buffer_shrinks and reply_buffer_expends (#9822)
• INFO modules: add no-implicit-signal-modified module option (#10284)

Module API changes

• Add RM_SetCommandInfo API to set command metadata for the new COMMAND
  introspection features and ACL key permissions (#10108)
• Add RM_KeyAtPosWithFlags and RM_GetCommandKeysWithFlags APIs (#10237)
• Add getchannels-api command flag and RM_IsChannelsPositionRequest,
  RM_ChannelAtPosWithFlags APIs (#10299)
• Change RM_ACLCheckChannelPermissions and RM_ACLCheckKeyPermissions APIs
  (released in RC1) to take different flags (#10299)
• Fix RM_SetModuleOptions flag collision. Bug in 7.0 RC1 header file, modules
  that used OPTIONS_HANDLE_REPL_ASYNC_LOAD will mess up key invalidations (#10284)

Bug Fixes

• Modules: Fix thread safety violation when a module thread adds an error reply,
  broken in 6.2 (#10278)
• Lua: Fix Eval scripts active defrag, broken 7.0 in RC1 (#10271)
• Fix geo search bounding box check causing missing results (#10018)
• Lua: Add checks for min-slave-* configs when evaluating Lua scripts and
  Functions (#10160)
• Modules: Prevent crashes and memory leaks when MODULE UNLOAD is used on module
  with a pending timer (#10187)
• Fix error stats and failed command stats for blocked clients (#10309)
• Lua/Modules: Fix missing and duplicate error stats for scripts and modules (#10329, #10278)
• Check target node is a primary during cluster setslot (#10277)
• Fix key deletion not to invalidate WATCH when used on a logically expired key (#10256)
• Sentinel: return an error if configuration save fails (#10151)
• Sentinel: fix a free-after-use issue re-registering Sentinels (#10333)