Commit 070d047

Redis 3.2.4.
1 parent 0539634 commit 070d047

2 files changed

+79
-1
lines changed

00-RELEASENOTES

Lines changed: 78 additions & 0 deletions
@@ -10,6 +10,84 @@ HIGH: There is a critical bug that may affect a subset of users. Upgrade!
1010
CRITICAL: There is a critical bug affecting MOST USERS. Upgrade ASAP.
1111
--------------------------------------------------------------------------------
1212

13+
================================================================================
14+
Redis 3.2.4 Released Mon Sep 26 08:58:21 CEST 2016
15+
================================================================================
16+
17+
Upgrade urgency CRITICAL: Redis 3.2 and unstable contained a security
18+
vulnerability fixed by this release.
19+
20+
Hello Redis Wizards of the Memory Stores Empire,
21+
22+
this is a Redis critical release in order to fix a security issue
23+
which is documented clearly here:
24+
25+
https://github.com/antirez/redis/commit/6d9f8e2462fc2c426d48c941edeb78e5df7d2977
26+
27+
Thanks to Cory Duplantis of Cisco Talos for reporting the issue.
28+
29+
The gist is that using CONFIG SET calls (or by manipulating redis.conf)
30+
an attacker is able to compromise certain fields of the "server" global
31+
structure, including the aof filename pointer, that could be made pointing
32+
to something else. In turn the AOF name is used in different contexts such
33+
as logging, rename(2) and open(2) syscalls, leading to potential problems.
34+
35+
All Redis 3.2.x versions are affected.
36+
37+
This release also includes other things:
38+
39+
* TCP binding bug fixed when only certain addresses were available for
40+
a given port.
41+
42+
* A much better crash report that includes part of the Redis binary:
43+
this will allow to fix bugs even when we just have a crash log and
44+
no other help from the original poster oft the issue.
45+
46+
* A fix for Redis Cluster redis-trib displaying of info after creating
47+
a new cluster.
48+
49+
Please check the following list of commits for credits about who did what.
50+
Thanks to all the contributors and a special thank to Oran Agra for the
51+
help in this release.
52+
53+
List of commits:
54+
55+
antirez in commit 0539634:
56+
Security: CONFIG SET client-output-buffer-limit overflow fixed.
57+
1 file changed, 5 insertions(+), 3 deletions(-)
58+
59+
antirez in commit c01abcd:
60+
fix the fix for the TCP binding.
61+
1 file changed, 15 insertions(+), 10 deletions(-)
62+
63+
oranagra in commit a6d0698:
64+
fix tcp binding when IPv6 is unsupported
65+
2 files changed, 14 insertions(+), 10 deletions(-)
66+
67+
antirez in commit 22b6c28:
68+
debug.c: no need to define _GNU_SOURCE, is defined in fmacros.h.
69+
1 file changed, 1 deletion(-)
70+
71+
antirez in commit 9e9d398:
72+
crash log - improve code dump with more info and called symbols.
73+
1 file changed, 59 insertions(+), 20 deletions(-)
74+
75+
oranagra in commit 3745c5d:
76+
crash log - add hex dump of function code
77+
1 file changed, 22 insertions(+)
78+
79+
antirez in commit c1cc07b:
80+
Sentinel example config: warn about protected mode.
81+
1 file changed, 16 insertions(+), 1 deletion(-)
82+
83+
rojingeorge in commit 011dc9f:
84+
Display the nodes summary once the cluster is established using redis-trib.rb
85+
1 file changed, 5 insertions(+)
86+
87+
Guo Xiao in commit f4e3a94:
88+
Use the standard predefined identifier __func__ (since C99)
89+
1 file changed, 1 insertion(+), 1 deletion(-)
90+
1391
================================================================================
1492
Redis 3.2.3 Released Tue Aug 02 10:55:24 CEST 2016
1593
================================================================================
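Review bot: The gist paragraph (new lines 29-33) never names the option involved; client-output-buffer-limit appears only in the commit list entry for 0539634 at new line 56. Naming it in the gist would tell operators which CONFIG SET parameter to audit or restrict while they schedule the upgrade. The notes also link to commit 6d9f8e2462fc2c426d48c941edeb78e5df7d2977 as the documentation of the issue, while the list credits 0539634 with the security fix, so a short statement of how the two relate would help readers. The header says "Redis 3.2 and unstable" are affected but new line 35 says only "All Redis 3.2.x versions are affected"; the two statements should agree. Typos: "oft the issue" on new line 44 should be "of the issue", and "a special thank to" on new line 50 should be "a special thanks to".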

src/version.h

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
#define REDIS_VERSION "3.2.3"
1+
#define REDIS_VERSION "3.2.4"
