Upgrade urgency SECURITY: See security fixes below.

Security fixes

• (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution.

Bug fixes

• Fix crashes of cluster commands clusters with mixed versions of 7.0 and 7.2 (#12805, #12832)
• Fix slot ownership not being properly handled when deleting a slot from a node (#12564)
• Fix atomicity issues with the RedisModuleEvent_Key module API event (#12733)

Upgrade urgency SECURITY: See security fixes below.

Security fixes

• (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution.

Upgrade urgency: HIGH, Fixes critical bugs affecting most users.

Bug fixes

• Fix file descriptor leak preventing deleted files from freeing disk space on replicas (#12693)
• Fix a possible crash after cluster node removal (#12702)

Upgrade urgency SECURITY: See security fixes below.

Security fixes

• (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup.

Platform / toolchain support related changes

• Fix compilation error on MacOS 13 (#12611)

Bug fixes

• WAITAOF could timeout in the absence of write traffic in case a new AOF is created and an AOF rewrite can't immediately start (#12620)

Redis cluster

• Fix crash when running rebalance command in a mixed cluster of 7.0 and 7.2 nodes (#12604)
• Fix the return type of the slot number in cluster shards to integer, which makes it consistent with past behavior (#12561)
• Fix CLUSTER commands are called from modules or scripts to return TLS info appropriately (#12569)

Changes in CLI tools

• redis-cli, fix crash on reconnect when in SUBSCRIBE mode (#12571)

Module API changes

• Fix overflow calculation for next timer event (#12474)

Upgrade urgency SECURITY: See security fixes below.

Security fixes

• (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup.

Upgrade urgency SECURITY: See security fixes below.

Security fixes

• (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup.

Upgrade urgency SECURITY: See security fixes below.

Security Fixes

• (CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration.

Bug Fixes

• Fix crashes when joining a node to an existing 7.0 Redis Cluster (#12538)
• Correct request_policy and response_policy command tips on for some admin / configuration commands (#12545, #12530)

Upgrade urgency SECURITY: See security fixes below.

Security Fixes

• (CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and as a result may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration.

Bug Fixes

• Cluster: fix a race condition where a slot migration may revert on a subsequent failover or node joining (#12344)
• Ensure that the function load timeout is disabled during loading from RDB/AOF and on replicas. (#12451)
• Fix the assertion when script timeout occurs after it signaled a blocked client (#12459)

Upgrade urgency LOW: This is the first stable Release for Redis 7.2.

Bug Fixes

• redis-cli in cluster mode handles unknown-endpoint (#12273)
• Update request / response policy hints for a few commands (#12417)
• Ensure that the function load timeout is disabled during loading from RDB/AOF and on replicas. (#12451)
• Fix false success and a memory leak for ACL selector with bad parenthesis combination (#12452)
• Fix the assertion when script timeout occurs after it signaled a blocked client (#12459)

Fixes for issues in previous releases of Redis 7.2

• Update MONITOR client's memory correctly for INFO and client-eviction (#12420)
• The response of cluster nodes was unnecessarily adding an extra comma when no hostname was present. (#12411)

Upgrade urgency LOW: This is the third Release Candidate for Redis 7.2. Upgrade urgency SECURITY: If you're using a previous release candidate of 7.2.

Security Fixes:

• (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users.
• (CVE-2023-36824) Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Specifically: using COMMAND GETKEYS* and validation of key names in ACL rules.

New Features

New administrative and introspection commands and command arguments

• Make SENTINEL CONFIG [SET|GET] variadic. (#10362)

Potentially Breaking / Behavior Changes

• Cluster SHARD IDs are no longer visible in the cluster nodes output, introduced in 7.2-RC1. (#10536, #12166)
• When calling PUBLISH with a RESP3 client that's also subscribed to the same channel, the order is changed and the reply is sent before the published message (#12326)

New configuration options

• Add a new loglevel "nothing" to disable logging (#12133)
• Add cluster-announce-human-nodename - a unique identifier for a node that is be used in logs for debugging (#9564)

Other General Improvements

• Allow CLUSTER SLOTS / SHARDS commands during loading (#12269)
• Support TLS service when "tls-cluster" is not enabled and persist both plain and TLS port in nodes.conf (#12233)
• Update SPOP and RESTORE commands to replicate unlink commands to replicas when the server is configured to use async server deletes (#12320)
• Try lazyfree the temporary zset in ZUNION / ZINTER / ZDIFF (#12229)

Performance and resource utilization improvements

• Optimize PSUBSCRIBE and PUNSUBSCRIBE from O(N*M) to O(N) (#12298)
• Optimize SCAN, SSCAN, HSCAN, ZSCAN commands (#12209)
• Set Jemalloc --disable-cache-oblivious to reduce memory overhead (#12315)
• Optimize ZINTERCARD to avoid create a temporary zset (#12229)
• Optimize HRANDFIELD and ZRANDMEMBER listpack encoded (#12205)
• Numerous other optimizations (#12155, #12082, #11626, #11944, #12316, #12250, #12177, #12185)

Changes in CLI tools

• redis-cli: Handle RESP3 double responses that contain a NaN (#12254)
• redis-cli: Support URIs with IPv6 (#11834)

Module API changes

• Align semantics of the new (v7.2 RC2) RM_ReplyWithErrorFormat with RM_ReplyWithError. This is a breaking change that affects the generated error code. (#12321)
• Forbid RM_AddPostNotificationJob on loading and on read-only replicas (#12304)
• Add ability for module command filter to know which client is being handled (#12219)

Bug Fixes

• Fix broken protocol when PUBLISH is used inside MULTI when the RESP3 publishing client is also subscribed for the channel (#12326)
• Fix WAIT to be effective after a blocked module command being unblocked (#12220)
• Re-enable downscale rehashing while there is a fork child (#12276)
• Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count> (#12276)
• Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction (#12276)
• Cluster: fix a race condition where a slot migration may revert on a subsequent failover or node joining (#12344)

Fixes for issues in previous releases of Redis 7.2

• Fix XREADGROUP BLOCK with ">" from hanging (#12301)
• Fix assertion when a blocked command is rejected when re-processed. (#12247)
• Fix use after free on a blocking RM_Call. (#12342)