Redis 8.0 and later are tri-licensed; the licence options are:
* Redis Source Available License v2
* Server Side Public License v1.0
* GNU Affero GPL v3.0
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
These CVEs were ignored because they were tracked by NVD using
incorrect version information. Since this information now seems
to be reflected correctly, it is no longer necessary to ignore them explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update:
- Upstream has removed incorrect gplv3 text from the license (because agplv3
is the correct one), which changed the checksum
- The recipe had an incorrect license indication. Redis 8 is not BSD licensed,
but depending on the user's choice, it's agplv3 or sspl (or the custom redis
license, which is not added to the list)
Changelogs:
8.0.6:
- Security fix: A user can manipulate data read by a connection by
injecting \r\n sequences into a Redis error reply
8.0.5:
Bugfixes:
- HGETEX - potential crash when FIELDS is used and numfields is missing
- Potential crash on HyperLogLog with 2GB+ entries
- Cuckoo filter - Division by zero in Cuckoo filter insertion
- Cuckoo filter - Counter overflow
- Bloom filter - Arbitrary memory read/write with invalid filter
- Bloom filter - Out-of-bounds access with empty chain
- Bloom filter - Restore invalid filter [We thank AWS security for
responsibly disclosing the security bug]
- Top-k - Out-of-bounds access
8.0.4:
Security fixes
- (CVE-2025-49844) A Lua script may lead to remote code execution
- (CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
- (CVE-2025-46818) A Lua script can be executed in the context of another user
- (CVE-2025-46819) LUA out-of-bound read
New Features
- VSIM: new EPSILON argument to specify maximum distance
Bug fixes
- Potential use-after-free after pubsub and Lua defrag
- Potential crash on Lua script defrag
- HINCRBYFLOAT removes field expiration on replica
- Prevent CLIENT UNBLOCK from unblocking CLIENT PAUSE
- Endless client blocking for blocking commands
- Vector sets - RDB format is not compatible with big endian machines
- EVAL crash when error table is empty
- Gracefully handle short read errors for hashes with TTL during full sync
8.0.3:
Security fixes
- (CVE-2025-32023) Fix out-of-bounds write in HyperLogLog commands
- (CVE-2025-48367) Retry accepting other connections even if the accepted connection reports an error
New Features
- VSIM: Add new WITHATTRIBS to return the JSON attribute associated with an element
Bug fixes
- A short read may lead to an exit() on a replica
- db->expires is not defragmented
8.0.2:
Security fixes
- (CVE-2025-27151) redis-check-aof may lead to stack overflow and potential RCE
Bug fixes
- Cron-based timers run twice as fast when active defrag is enabled
Other general improvements
- LOLWUT for Redis 8
8.0.1:
Performance and resource utilization improvements
- Vector sets - faster VSIM FILTER parsing
Bug fixes
- Query Engine - revert default policy search-on-timeout to RETURN
- Query Engine - @__key on FT.AGGREGATE used as reserved field name preventing access to Redis keyspace
- Query Engine - crash when calling FT.CURSOR DEL while retrieving from the CURSOR
Notes
- Fixed wrong text in the license files
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This version has been EOL since the end of February. There is a recipe
available for v8, which is still supported.
Drop this version.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This version has been EOL for a year now. There are recipes for two other,
still maintained versions in the layer.
Drop this version.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Without this, redis embeds absolute build paths in the binaries, failing the
qa check. These LDFLAGS were recently removed from oe-core[1] - this
change adds them back to this recipe.
The qa error was not showing with the redis 6 recipe, so it is added only to
redis 7.
[1]: https://git.openembedded.org/openembedded-core/commit/?id=1797741aad02b8bf429fac4b81e30cdda64b5448
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Refine the CVE_STATUS description for CVE-2022-0543 to provide
a more precise explanation of this Debian-specific vulnerability.
The vulnerability originates from Debian's packaging methodology,
which loads system-wide Lua libraries (lua-cjson, lua-cmsgpack),
enabling Lua sandbox escape. Upstream Redis builds, including
those built by Yocto/OpenEmbedded, utilize embedded Lua from the
deps/ directory and are therefore not affected by this issue.
It is also fixed in Debian with this commit:
c7fd665150
References:
- https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
- https://nvd.nist.gov/vuln/detail/CVE-2022-0543
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixes for CVE 46817[1], 46818[2], 47819[3] are included in the used version
[1] fc282edb61
[2] dccb672d83
[3] 2802b52b55
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2022-3734 only affects Windows.
CVE-2022-0543 affects only packages that were packaged for Debian and
Debian-derivative distros.
Neither of these issues is present in upstream Redis.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The fix has been backported by upstream, and it is included in the used
version: d0eeee6e31
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The fix has been backported to both redis versions by upstream, and
both versions contain it already.
For 6.2.20, [1] contains the backported fix.
For 7.2.11, [2] contains the backported fix.
[1]: 5e93f9cb9d
[2]: 42fb340ce4
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
(CVE-2025-49844) A Lua script may lead to remote code execution
(CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
(CVE-2025-46818) A Lua script can be executed in the context of another user
(CVE-2025-46819) LUA out-of-bound read
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
6.2.19:
(CVE-2025-32023) Fix out-of-bounds write in HyperLogLog commands
(CVE-2025-48367) Retry accepting other connections even if the accepted connection reports an error
6.2.20:
(CVE-2025-49844) A Lua script may lead to remote code execution
(CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
(CVE-2025-46818) A Lua script can be executed in the context of another user
(CVE-2025-46819) LUA out-of-bound read
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This fixes a build race which is seen with high parallel builds (-j 80).
Fixes:
aarch64-yoe-linux-clang: error: no such file or directory: '../deps/hdr_histogram/libhdrhistogram.a'
aarch64-yoe-linux-clang: error: no such file or directory: '../deps/hdr_histogram/libhdrhistogram.a'
aarch64-yoe-linux-clang: error: no such file or directory: '../deps/fpconv/libfpconv.a'
make[1]: *** [Makefile:431: redis-benchmark] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:407: redis-server] Error 1
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
https://github.com/redis/redis/releases/tag/6.2.17
https://github.com/redis/redis/releases/tag/6.2.18
Security fixes
==============
* (CVE-2024-46981) Lua script commands may lead to remote code execution
* (CVE-2025-21605) An unauthenticated client can cause an unlimited growth of output buffers
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
https://github.com/redis/redis/releases/tag/7.2.8
Update urgency: SECURITY: There are security fixes in the release.
Security fixes
==================
* (CVE-2025-21605) An unauthenticated client can cause an unlimited growth of output buffers
Bug fixes
=================
* #12817, #12905 Fix race condition issues between the main thread and module threads
* #13863 RANDOMKEY - infinite loop during client pause
* #13877 ShardID inconsistency when both primary and replica support it
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This upstream does not in fact use autotools, so remove the inherit.
Also, clean up an oe_runmake to not require a subshell.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Now hiredis can be used not only with Redis, but also with Valkey, an
open source key/value datastore that is fully compatible with Redis. As
Redis changed its license, many users have switched to Valkey. Add
RPROVIDES virtual-redis in both redis and valkey, and set it as the
runtime dependency of hiredis.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
https://github.com/redis/redis/releases/tag/7.2.7
Upgrade urgency SECURITY: See security fixes below.
Security fixes
====================
* (CVE-2024-46981) Lua script commands may lead to remote code execution
* (CVE-2024-51741) Denial-of-service due to malformed ACL selectors
Bug fixes
====================
* #13380 Possible crash due to OOM panic on invalid command
* #13338 Streams: XINFO lag field is wrong when tombstone is after the last_id of the consume group
* #13473 Streams: XTRIM does not update the maximal tombstone, leading to an incorrect lag
* #13311 Cluster: crash due to unblocking client during slot migration
* #13443 Cluster: crash when loading cluster config
* #13422 Cluster: CLUSTER SHARDS returns empty array
* #13465 Cluster: incompatibility with older node versions
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is a Debian-specific CVE.
NVD tracks this CVE as version-less.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
Security fixes
==============
* (CVE-2024-31449) Lua library commands may lead to stack overflow and
potential RCE.
* (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern
matching.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-src-Do-not-reset-FINAL_LIBS.patch
0006-Define-correct-gregs-for-RISCV32.patch
lua-update-Makefile-to-use-environment-build-setting.patch
refreshed for 7.2.4
Changelog:
============
- (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
buffers which can result in incorrect accounting of buffer sizes and lead to
heap overflow and potential remote code execution.
- Fix crashes of cluster commands clusters with mixed versions of 7.0 and 7.2
- Fix slot ownership not being properly handled when deleting a slot from a node
- Fix atomicity issues with the RedisModuleEvent_Key module API event
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade urgency SECURITY: See security fixes below.
Security fixes:
(CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a
race condition that can be used by another process to bypass desired Unix
socket permissions on startup.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Configures the systemd service file for redis to create the required
state directory before redis starts.
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=============
- Fix file descriptor leak preventing deleted files from freeing disk space on
replicas
- Fix a possible crash after cluster node removal
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The Makefile uses pkg-config if USE_SYSTEMD is "yes".
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
* (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a
race condition that can be used by another process to bypass desired Unix
socket permissions on startup.
* Fix compilation error on MacOS 13 (#12611)
* WAITAOF could timeout in the absence of write traffic in case a new AOF is
created and an AOF rewrite can't immediately start (#12620)
* Fix crash when running rebalance command in a mixed cluster of 7.0 and 7.2
nodes (#12604)
* Fix the return type of the slot number in cluster shards to integer, which
makes it consistent with past behavior (#12561)
* Fix CLUSTER commands are called from modules or scripts to return TLS info
appropriately (#12569)
* redis-cli, fix crash on reconnect when in SUBSCRIBE mode (#12571)
* Fix overflow calculation for next timer event (#12474)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- (CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and,
as a result, may grant users executing this command access to keys that are not
explicitly authorized by the ACL configuration.
- Fix crashes when joining a node to an existing 7.0 Redis Cluster (#12538)
- Correct request_policy and response_policy command tips on for some admin /
configuration commands (#12545, #12530)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- Re-enable downscale rehashing while there is a fork child (#12276)
- Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count> (#12276)
- Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction (#12276)
- Fix WAIT to be effective after a blocked module command being unblocked (#12220)
- Avoid unnecessary full sync after master restart in a rare case (#12088)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
Re-enable downscale rehashing while there is a fork child
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There is a new patch-status QA check in oe-core:
https://git.openembedded.org/openembedded-core/commit/?id=76a685bfcf927593eac67157762a53259089ea8a
This is a temporary workaround just to hide _many_ warnings from the
optional patch-status check (if you add it to WARN_QA).
This just added
Upstream-Status: Pending
everywhere without actually investigating what's the proper status.
This is just to hide current QA warnings and to catch new .patch files being
added without Upstream-Status, but the number of Pending patches is now terrible:
5 (26%) meta-xfce
6 (50%) meta-perl
15 (42%) meta-webserver
21 (36%) meta-gnome
25 (57%) meta-filesystems
26 (43%) meta-initramfs
45 (45%) meta-python
47 (55%) meta-multimedia
312 (63%) meta-networking
756 (61%) meta-oe
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Recipes are not expected to set FILESPATH directly, they are
expected to use FILESEXTRAPATH.
I can see the setting of FILESPATH in this recipe only wants to
find redis-7 specific patches and files. This could be easily achieved by
using a redis-7.0.11/ directory to hold all those files.
Using FILESPATH in this way removes the possibility of overriding
some files (e.g., the redis service file) from other layers via
FILESEXTRAPATH:prepend, which is kind of a common practice and is
actually working for basically all other recipes.
This is because we have:
meta/classes-global/base.bbclass:FILESPATH = "${@base_set_filespath(["${FILE_DIRNAME}/${BP}", "${FILE_DIRNAME}/${BPN}", "${FILE_DIRNAME}/files"], d)}"
And FILESEXTRAPATH is handled in base_set_filespath.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service
Bug Fixes
=========
* Large blocks of replica client output buffer may lead to psync loops and unnecessary memory usage (#11666)
* Fix CLIENT REPLY OFF|SKIP to not silence push notifications (#11875)
* Trim excessive memory usage in stream nodes when exceeding `stream-node-max-bytes` (#11885)
* Fix module RM_Call commands failing with OOM when maxmemory is changed to zero (#11319)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Under sysvinit, when trying to restart redis-server using
"service redis-server restart", two calls are made to start-stop-daemon: first
with the --stop argument and then with the --start argument, consecutively.
Because the process doesn't immediately terminate when start-stop-daemon
--stop is called, the next call to start-stop-daemon --start finds the
process still running and does not attempt to start another one.
This leads to only a stop of the redis-server process when a restart is
requested. This behavior affects all redis versions using sysvinit only.
This can be fixed by using the --retry <timeout/schedule> argument with
start-stop-daemon --stop in order for the call to block until the process
terminates so that start-stop-daemon --start will attempt to start a new
process.
Unfortunately the --retry argument works only in the implementation of
start-stop-daemon provided by dpkg package and is ignored in the
implementation provided by busybox package.
A repeated check if the process is still running and another try with
another signal after a timeout will effectively simulate a stop with
--retry=TERM/5/KILL/5 schedule.
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
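The TERM/5/KILL/5 emulation described in the message above, as an added example that is not the recipe's own init script: a POSIX sh stop routine that polls for the process and escalates from TERM to KILL, replacing the start-stop-daemon --retry schedule that busybox ignores. The function names, the timeout arguments and the pidfile path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not the recipe's init script): emulate
#   start-stop-daemon --stop --retry=TERM/5/KILL/5
# in plain POSIX sh, for systems where busybox's start-stop-daemon
# silently ignores --retry and "restart" would otherwise only stop.

# Poll until PID is gone or TIMEOUT seconds elapse. Returns 0 if gone.
# Note: kill -0 also fails with EPERM for another user's process; an
# init script runs as root, so that case does not arise there.
wait_for_exit() {
    pid=$1
    deadline=$(( $(date +%s) + $2 ))
    while kill -0 "$pid" 2>/dev/null; do
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        # sub-second poll where sleep supports it, else one second
        sleep 0.2 2>/dev/null || sleep 1
    done
    return 0
}

# stop_with_retry PID [TERM_TIMEOUT] [KILL_TIMEOUT]
# Sends TERM, waits, escalates to KILL, waits again. Returns 0 once the
# process is gone, so a following "start" will really start a new one.
stop_with_retry() {
    pid=$1
    term_timeout=${2:-5}
    kill_timeout=${3:-5}
    # Nothing to do if the pid is already gone (e.g. a stale pidfile).
    kill -TERM "$pid" 2>/dev/null || return 0
    wait_for_exit "$pid" "$term_timeout" && return 0
    # The process ignored TERM or is still shutting down: escalate.
    kill -KILL "$pid" 2>/dev/null || return 0
    wait_for_exit "$pid" "$kill_timeout"
}

# Typical init-script use (assumed pidfile path): block until the old
# server is really gone, only then let the start step run.
# stop_with_retry "$(cat /var/run/redis.pid)" && start-stop-daemon --start ...
```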