Releases: redis/redis

7.2.4

09 Jan 11:53

Upgrade urgency SECURITY: See security fixes below.

Security fixes

  • (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
    buffers which can result in incorrect accounting of buffer sizes and lead to
    heap overflow and potential remote code execution.

Bug fixes

  • Fix crashes of cluster commands in clusters with mixed versions of 7.0 and 7.2 (#12805, #12832)
  • Fix slot ownership not being properly handled when deleting a slot from a node (#12564)
  • Fix atomicity issues with the RedisModuleEvent_Key module API event (#12733)

7.0.15

09 Jan 11:52

Upgrade urgency SECURITY: See security fixes below.

Security fixes

  • (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
    buffers which can result in incorrect accounting of buffer sizes and lead to
    heap overflow and potential remote code execution.

7.2.3

01 Nov 12:39

Upgrade urgency: HIGH, Fixes critical bugs affecting most users.

Bug fixes

  • Fix file descriptor leak preventing deleted files from freeing disk space on
    replicas (#12693)
  • Fix a possible crash after cluster node removal (#12702)

7.2.2

18 Oct 07:49

Upgrade urgency SECURITY: See security fixes below.

Security fixes

  • (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a
    race condition that can be used by another process to bypass desired Unix
    socket permissions on startup.
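
The ordering issue in CVE-2023-45145, shown as an added example (not Redis source code): the socket file's mode is restricted before listen(2) is called, so the socket never accepts connections while it still has its umask-derived default mode. The function names and the /tmp path are hypothetical and constructed for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
static int fill_addr(struct sockaddr_un *sa, const char *path) {
    if (strlen(path) >= sizeof(sa->sun_path)) { errno = ENAMETOOLONG; return -1; }
    memset(sa, 0, sizeof(*sa)); sa->sun_family = AF_UNIX;
    strcpy(sa->sun_path, path);
    return 0;
}
/* Step 1: bind only. Returns a bound, not-yet-listening fd, or -1. */
int unix_bind(const char *path) {
    struct sockaddr_un sa;
    if (fill_addr(&sa, path) < 0) return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    unlink(path); /* drop a stale socket file from a previous run */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) { close(fd); return -1; }
    return fd;
}
/* Steps 2 and 3: restrict the file mode first, only then start listening. */
int unix_listen_restricted(int fd, const char *path, mode_t perm, int backlog) {
    if (chmod(path, perm) < 0) return -1; /* on failure, never start listening */
    return listen(fd, backlog);
}
/* Client-side probe: 0 if connect() succeeds, otherwise the errno value. */
int try_connect(const char *path) {
    struct sockaddr_un sa;
    if (fill_addr(&sa, path) < 0) return errno;
    int c = socket(AF_UNIX, SOCK_STREAM, 0);
    if (c < 0) return errno;
    int rc = connect(c, (struct sockaddr *)&sa, sizeof(sa)) == 0 ? 0 : errno;
    close(c);
    return rc;
}
int socket_mode(const char *path) { /* permission bits, or -1 on error */
    struct stat st;
    return stat(path, &st) < 0 ? -1 : (int)(st.st_mode & 0777);
}
int main(void) {
    const char *p = "/tmp/example-perm.sock"; /* constructed demo path */
    int fd = unix_bind(p);
    if (fd < 0 || unix_listen_restricted(fd, p, 0700, 16) < 0) return 1;
    printf("mode=%o connect=%d\n", (unsigned)socket_mode(p), try_connect(p));
    close(fd);
    return unlink(p) == 0 ? 0 : 1;
}
```

Between bind(2) and listen(2) a connection attempt is refused, which is why performing chmod(2) inside that interval leaves no window with weaker permissions.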

Platform / toolchain support related changes

  • Fix compilation error on macOS 13 (#12611)

Bug fixes

  • WAITAOF could timeout in the absence of write traffic in case a new AOF is
    created and an AOF rewrite can't immediately start (#12620)

Redis cluster

  • Fix crash when running rebalance command in a mixed cluster of 7.0 and 7.2
    nodes (#12604)
  • Fix the return type of the slot number in cluster shards to integer, which
    makes it consistent with past behavior (#12561)
  • Fix CLUSTER commands called from modules or scripts to return TLS info
    appropriately (#12569)

Changes in CLI tools

  • redis-cli, fix crash on reconnect when in SUBSCRIBE mode (#12571)

Module API changes

  • Fix overflow calculation for next timer event (#12474)

7.0.14

18 Oct 07:48

Upgrade urgency SECURITY: See security fixes below.

Security fixes

  • (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a
    race condition that can be used by another process to bypass desired Unix
    socket permissions on startup.

6.2.14

18 Oct 07:47

Upgrade urgency SECURITY: See security fixes below.

Security fixes

  • (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a
    race condition that can be used by another process to bypass desired Unix
    socket permissions on startup.

7.2.1

06 Sep 17:58

Upgrade urgency SECURITY: See security fixes below.

Security Fixes

  • (CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and,
    as a result, may grant users executing this command access to keys that are not
    explicitly authorized by the ACL configuration.

Bug Fixes

  • Fix crashes when joining a node to an existing 7.0 Redis Cluster (#12538)
  • Correct request_policy and response_policy command tips for some admin /
    configuration commands (#12545, #12530)

7.0.13

06 Sep 17:57

Upgrade urgency SECURITY: See security fixes below.

Security Fixes

  • (CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and,
    as a result, may grant users executing this command access to keys that are not
    explicitly authorized by the ACL configuration.

Bug Fixes

  • Cluster: fix a race condition where a slot migration may revert on a
    subsequent failover or node joining (#12344)
  • Ensure that the function load timeout is disabled during loading from RDB/AOF
    and on replicas. (#12451)
  • Fix the assertion when script timeout occurs after it signaled a blocked client (#12459)

7.2.0

15 Aug 09:40

Upgrade urgency LOW: This is the first stable Release for Redis 7.2.

Bug Fixes

  • redis-cli in cluster mode handles unknown-endpoint (#12273)
  • Update request / response policy hints for a few commands (#12417)
  • Ensure that the function load timeout is disabled during loading from RDB/AOF and on replicas. (#12451)
  • Fix false success and a memory leak for ACL selector with bad parenthesis combination (#12452)
  • Fix the assertion when script timeout occurs after it signaled a blocked client (#12459)

Fixes for issues in previous releases of Redis 7.2

  • Update MONITOR client's memory correctly for INFO and client-eviction (#12420)
  • The response of cluster nodes was unnecessarily adding an extra comma when no
    hostname was present. (#12411)

7.0.12

10 Jul 11:43

Upgrade urgency SECURITY: See security fixes below.

Security Fixes:

  • (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger
    a heap overflow in the cjson and cmsgpack libraries, and result in heap
    corruption and potentially remote code execution. The problem exists in all
    versions of Redis with Lua scripting support, starting from 2.6, and affects
    only authenticated and authorized users.
  • (CVE-2023-36824) Extracting key names from a command and a list of arguments
    may, in some cases, trigger a heap overflow and result in reading random heap
    memory, heap corruption and potentially remote code execution. Specifically:
    using COMMAND GETKEYS* and validation of key names in ACL rules.

Bug Fixes

  • Re-enable downscale rehashing while there is a fork child (#12276)
  • Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count> (#12276)
  • Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction (#12276)
  • Fix WAIT to be effective after a blocked module command is unblocked (#12220)
  • Avoid unnecessary full sync after master restart in a rare case (#12088)