Redash Versions Save

Docker Tag: redash/redash:10.1.0.b50633

Summary

This release includes fixes for three security vulnerabilities (click the links for complete details to see whether your installation is affected):

• Insecure default configuration affects installations where REDASH_COOKIE_SECRET is not set explicitly (CVE-2021-41192)
• SSRF vulnerability affects installations that enabled URL-loading data sources (CVE-2021-43780)
• Incorrect usage of state parameter in OAuth client code affects installations where Google Login is enabled (CVE-2021-43777)

It also incorporates several fixes from master that merged after the V10.0 release.

See CHANGELOG for the full release notes.

Huge thanks to Ian Carroll and another reporter who preferred to remain anonymous for responsibly disclosing these vulnerabilities.

Upgrading

From V10.0:

Follow our standard upgrade process (reproduced below).

1. Make sure to backup your data. You only need to backup Redash’s PostgreSQL database (the database Redash stores metadata in, not the ones you might be querying) as the data in Redis is transient.
2. Change directory to /opt/redash.
3. Update /opt/redash/docker-compose.yml Redash image reference to redash/redash:10.1.0.b50633
4. Stop Redash services: docker-compose stop server scheduler scheduled_worker adhoc_worker (you might need to list additional services if you updated your configuration)
5. (No migrations are needed when upgrading from 10.0)
6. Read the Impact segment at this link. If your installation is affected, follow the instructions under the Patches heading to secure the secret fields in your database.
7. Start services with docker-compose up -d

From V9:

Follow the same steps as V10 but for step 5:

5. Apply migration: docker-compose run --rm server manage db upgrade

From V8 or earlier

1. Follow the complete steps outlined in the V10.0 release but use this Docker Tag in step 3: redash/redash:10.1.0.b50633
2. Read the Impact segment at this link. If your installation is affected, follow the instructions under the Patches heading to secure the secret fields in your database.

Docker Tag: redash/redash:10.0.0.b50363

See CHANGELOG for the full release notes.

How to Upgrade

Complete upgrade instructions for those coming from V8 -> V10 appear below.

---

Note: V10 is the first non-beta Redash release since V8. So we expect most users upgrading to V10 are coming from V8. The upgrade from V8->V10 is like any other, but since RQ replaced Celery in this version there are a couple extra modifications that need to be done in your docker-compose.yml.

If you already run the V9-beta release you already made these changes. You can use the standard upgrade instructions instead.

---

These steps are performed on the server that runs Docker.

1. Make sure to backup your data. You only need to backup Redash’s PostgreSQL database (the database Redash stores metadata in, not the ones you might be querying) as the data in Redis is transient. Note: If you just deployed a Redash V8 AMI and have not used it, you can skip this step.
2. cd /opt/redash
3. Update opt/redash/docker-compose.yml to reference the docker image you want to upgrade to: redash/redash:10.0.0.b50363

4. Under services.scheduler.environment omit QUEUES and WORKERS_COUNT and omit environment altogether if it is empty.

5. Under services, add a new service for general RQ jobs:

worker:
  <<: *redash-service
  command: worker
  environment:
    QUEUES: "periodic emails default"
    WORKERS_COUNT: 1

6. Stop Redash services: docker-compose stop server scheduler scheduled_worker adhoc_worker (you might need to list additional services if you defined them in your docker-compose.yml previously)
7. Force a recreation of your containers with docker-compose up --force-recreate --build
8. Run the necessary migrations with docker-compose run --rm server manage db upgrade
9. Restart the containers docker-compose up -d

Dashboard URL Changes

Dashboard URLs now include the dashboard id and slug.

For example, given a dashboard with the slug account-overview and an id of 251:

Before https://redash.app/dashboards/account-overview

After https://redash.app/dashboards/251-account-overview

The dashboard can also be reached using the new /dashboard (notice this is singular) endpoint. It accepts either an ID or a slug:

• https://redash.app/dashboard/251
• https://redash.app/dashboard/account-overview

Either of these will redirect to the After link above. Dashboard ID's are guaranteed to be unique. But dashboards can share the same slug. If a user visits /dashboard/<some slug> and more than one dashboard exists with that slug, they will be redirected to the earliest created dashboard with that slug.

---

• Before doing an upgrade, please make sure you have a backup.
• If you have any issues, please refer to the troubleshooting section in the upgrade guide.
• If the upgrade guide doesn't help, you can ask for help on the forum.

Docker Tag: redash/redash:10.0.0-beta.b49597

See CHANGELOG for the full release notes.

Special instructions for upgrading from V8 or earlier

Typically, if you are running your own instance of Redash and wish to upgrade, you would simply modify the Docker tag in your docker-compose.yml file. Since RQ has replaced Celery in this version, there are a couple extra modifications that need to be done in your docker-compose.yml:

1. Under services/scheduler/environment, omit QUEUES and WORKERS_COUNT (and omit environment altogether if it is empty).
2. Under services, add a new service for general RQ jobs:

worker:
  <<: *redash-service
  command: worker
  environment:
    QUEUES: "periodic emails default"
    WORKERS_COUNT: 1

Following that, force a recreation of your containers with docker-compose up --force-recreate --build and you should be good to go.

---

• Before doing an upgrade, please make sure you have a backup.
• If you have any issues, please refer to the troubleshooting section in the upgrade guide.
• If the upgrade guide doesn't help, you can ask for help on the forum.

Docker Tag: redash/redash:9.0.0-beta.b42121.

See CHANGELOG for the full release notes.

Upgrading

Typically, if you are running your own instance of Redash and wish to upgrade, you would simply modify the Docker tag in your docker-compose.yml file. Since RQ has replaced Celery in this version, there are a couple extra modifications that need to be done in your docker-compose.yml:

1. Under services/scheduler/environment, omit QUEUES and WORKERS_COUNT (and omit environment altogether if it is empty).
2. Under services, add a new service for general RQ jobs:

worker:
  <<: *redash-service
  command: worker
  environment:
    QUEUES: "periodic emails default"
    WORKERS_COUNT: 1

Following that, force a recreation of your containers with docker-compose up --force-recreate --build and you should be good to go.

---

• Before doing an upgrade, please make sure you have a backup.
• If you have any issues, please refer to the troubleshooting section in the upgrade guide.
• If the upgrade guide doesn't help, you can ask for help on the forum.

Docker Tag: redash/redash:8.0.0.b32245.

See CHANGELOG for the full release notes.

---

• Before doing an upgrade, please make sure you have a backup.
• If you have any issues, please refer to the troubleshooting section in the upgrade guide.
• If the upgrade guide doesn't help, you can ask for help on the forum.

Docker Tag: redash/redash:8.0.0-beta.2.b29352.

See CHANGELOG for the full release notes.

---

• Before doing an upgrade, please make sure you have a backup.
• If you have any issues, please refer to the troubleshooting section in the upgrade guide.
• If the upgrade guide doesn't help, you can ask for help on the forum.

Please read the following before upgrading:

1. If you're using the tarball deployment and not Docker, you might need to manually update some of the dependencies. Compare your current Python dependencies with the ones in the requirements*.txt files.

2. This release adds encryption of your data sources configuration. By default it will use the REDASH_COOKIE_SECRET as encryption key. But we recommend setting a new key for it using the REDASH_SECRET_KEY environment variable. Note that you need to set this before running migrations. Otherwise everything will be encrypted with REDSAH_COOKIE_SECRET.

See CHANGELOG for the full release notes.

---

• Before doing an upgrade, please make sure you have a backup.
• If you have any issues, please refer to the troubleshooting section in the upgrade guide.
• If the upgrade guide doesn't help, you can ask for help on the forum.

Before upgrading to v6.0.0 make sure to clear out the Celery queue (unless upgrade from v6.0.0-beta).

This is the final release of v6.0.0. See v6.0.0-beta for details of what's new in v6.0.0. This release includes only fixes from regressions introduces in the beta version.

This release had contributions from 5 people: @rauchy, @denisov-vlad, @arikfr, @ariarijp, and @gabrieldutra. Thank you, everyone 🙏

---

• Before doing an upgrade, please make sure you have a backup.
• If you have any issues, please refer to the troubleshooting section in the upgrade guide.
• If the upgrade guide doesn't help, you can ask for help on the forum.

Redash v6 beta is now available! 🙌 This release was 2 months in the making and it is full with good stuff!

• We have 5 new data sources: Databricks, IBM DB2, Kylin, Druid and Rockset. ⌗
• There are fixes and improvements to 11 existing data sources (MySQL, Redshift, Postgres, MongoDB, Google BigQuery, Vertica, TreasureData, Presto, ClickHouse, Google Sheets and Google Analytics).
• The Query Results data source can now load cached results, just use the cached_query_ prefix instead of query_.
• On the visualizations front we added a Heatmap visualization and did updated the table and counter visualizations.
• Alerts got some fixes and a new destination: PagerDuty.
• If the live autocomplete in the code editor annoys you, you can disable it now (although we're working to make it better, see #3092).
• Fast queries will now load faster. :running_man:
• We improved the layout of visualizations and content on smaller screen sizes. 📱
• For those of you who like sharing, you can now enable the ability to share ownership of queries and dashboards and let others to edit them. Check the Settings page to enable this feature.

There were also important changes to the code and infrastructure:

• More components moved to React.
• We switched to Webpack 4 with the help of @dmonego.
• We upgraded to Celery 4 with the help of @emtwo, @jezdez, @mashrikt and @atharvai.
• We started moving towards Python 3 for our backend. The first step was to make sure our code pass basic sanity tests with Flake 8, which was implemented by @cclauss.
• We improved our testing on the frontend by adding setup for Jest tests and E2E testing using Cypress (@gabrieldutra).
• Each pull request now gets a deploy preview using Netlify to easily test frontend changes.

This is just a summary, you're welcome to review the full CHANGELOG.

This release had contributions from 38 people: @arikfr, @kravets-levko, @jezdez, @kyoshidajp, @kocsmy, @alison985, @gabrieldutra, @washort, @GitSumito, @emtwo, @rauchy, @alexanderlz, @denisov-vlad, @ariarijp, @yoavbls, @zhujunsan, @sjakthol, @koooge, @SakuradaJun, @dmonego, @Udomomo, @cclauss, @combineads, @zaimy, @Trigl, @ralphilius, @jodevsa, @deecay, @igorcanadi, @pashaxp, @hoangphuoc25, @toph, @burnash, @wankdanker, @Yossi-a, @Rovel, @kadrach, and @nicof38. Thank you, everyone 🙏

---

• Before doing an upgrade, please make sure you have a backup.
• Because of the Celery upgrade, before upgrading to this version please make sure to clear out your Celery queues.
• If you have any issues, please refer to the troubleshooting section in the upgrade guide .
• If the upgrade guide doesn’t help, you can ask for help on the forum .

---

Happy querying :nerd_face:

v5.0.2:

• Fix: prevent Open Redirect vulnerability.

---

• Before doing an upgrade, please make sure you have a backup.
• If you have any issues, please refer to the troubleshooting section in the upgrade guide.
• If the upgrade guide doesn't help, you can ask for help on the forum.