---
- branch: MAIN
  date: Mon Jul 10 16:17:42 UTC 2023
  files:
  - new: '1.81'
    old: '1.80'
    path: pkgsrc/databases/redis/Makefile
    pathrev: pkgsrc/databases/redis/Makefile@1.81
    type: modified
  - new: '1.74'
    old: '1.73'
    path: pkgsrc/databases/redis/distinfo
    pathrev: pkgsrc/databases/redis/distinfo@1.74
    type: modified
  id: 20230710T161742Z.3e1fbeb07155004aa6236e017b5bb7575efac3a1
  log: |
    redis: updated to 7.0.12

    Redis 7.0.12

    Upgrade urgency SECURITY: See security fixes below.

    Security Fixes:
    * (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger
      a heap overflow in the cjson and cmsgpack libraries, and result in heap
      corruption and potentially remote code execution. The problem exists in all
      versions of Redis with Lua scripting support, starting from 2.6, and affects
      only authenticated and authorized users.
    * (CVE-2023-36824) Extracting key names from a command and a list of arguments
      may, in some cases, trigger a heap overflow and result in reading random heap
      memory, heap corruption and potentially remote code execution. Specifically:
      using COMMAND GETKEYS* and validation of key names in ACL rules.

    Bug Fixes
    * Re-enable downscale rehashing while there is a fork child
    * Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with `<count>`
    * Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction
    * Fix WAIT to be effective after a blocked module command being unblocked
    * Avoid unnecessary full sync after master restart in a rare case
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/databases/redis'
  unixtime: '1689005862'
  user: adam