Redis Versions

Redis is an in-memory database that persists on disk. The data model is key-value, but many different kinds of values are supported: Strings, Lists, Sets, Sorted Sets, Hashes, Streams, HyperLogLogs, Bitmaps.

6.2.11

1 year ago

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process.
  • (CVE-2022-36021) String matching commands (like SCAN or KEYS) can be used with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time.

Bug Fixes

  • Fix a crash when reaching the maximum invalidations limit of client-side tracking (#11814)
  • Fix cluster inbound link keepalive time (#11785)
  • Make sure that fork child doesn't do incremental rehashing (#11692)

Performance and resource utilization improvements

  • Avoid realloc to reduce size of strings when it is unneeded (#11766)

6.0.18

1 year ago

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process.
  • (CVE-2022-36021) String matching commands (like SCAN or KEYS) can be used with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time.

Bug Fixes

  • Make sure that fork child doesn't do incremental rehashing (#11692)
  • Fix cluster inbound link keepalive time (#11785)

6.2.10

1 year ago

Upgrade urgency: MODERATE, a quick followup fix for a recently released 6.2.9.

Bug Fixes

  • Revert the change to KEYS in the recent client output buffer limit fix (#11676)

6.0.17

1 year ago

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic

Bug Fixes

  • Avoid hang when client issues long SRANDMEMBER command and gets disconnected by client output buffer limit (#11676)
  • Lua: fix crash on a script call with many arguments, a regression in v6.0.16 (#9809)
  • Lua: Add checks for min-slave-* configs when evaluating Lua scripts (#10160)
  • Fix BITFIELD overflow detection on some compilers due to undefined behavior (#9601)

6.2.9

1 year ago

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic
  • (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service

Bug Fixes

  • Avoid possible hang when client issues long KEYS, SRANDMEMBER, HRANDFIELD, and ZRANDMEMBER commands and gets disconnected by client output buffer limit (#11676)
  • Fix sentinel issue if replica changes IP (#11590)

7.0.8

1 year ago

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic
  • (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service

Bug Fixes

  • Avoid possible hang when client issues long KEYS, SRANDMEMBER, HRANDFIELD, and ZRANDMEMBER commands and gets disconnected by client output buffer limit (#11676)
  • Make sure that fork child doesn't do incremental rehashing (#11692)
  • Fix a bug where blocking commands with a sub-second timeout would block forever (#11688)
  • Fix sentinel issue if replica changes IP (#11590)

7.0.7

1 year ago

Upgrade urgency: MODERATE, Contains fix for a regression in Geo commands.

Bug Fixes

  • Fix regression from Redis 7.0.6 in distance replies of Geo commands (#11631)

7.0.6

1 year ago

Upgrade urgency: MODERATE, Contains fixes for a few non-critical or unlikely bugs, and some dramatic optimizations to Geo, EVAL, and Sorted sets commands.

Potentially Breaking Bug Fixes for new Redis 7.0 features

  • RM_ResetDataset module API should not clear the functions (#11268)
  • RM_Call module API used with the "C" flag to run scripts, would now cause the commands in the script to check ACL with the designated user (#10966)

Performance and resource utilization improvements

  • Geo commands speedups (#11535, #11522, #11552, #11579)
  • Fix EVAL command performance regression from Redis 7.0 (#11521, #11541)
  • Reduce EXPIRE commands performance regression from Redis 7.0 (#11602)
  • Optimize commands returning double values, mainly affecting zset commands (#11093)
  • Optimize Lua parsing of some command responses (#11556)
  • Optimize client memory usage tracking operation while client eviction is disabled (#11348)

Platform / toolchain support related improvements

  • Fix compilation on Solaris (#11327)

Module API changes

  • RM_SetContextUser, RM_SetModuleUserACLString, RM_GetModuleUserACLString (#10966)
  • Fix crash in CLIENT_CHANGE event, when the selected database is not 0 (#11500)

Changes in CLI tools

  • redis-benchmark avoid aborting on NOPERM from CONFIG GET (#11096)

Bug Fixes

  • Avoid hang of diskless replication fork child when parent crashes (#11463)
  • Fix crash with module API of list iterator and RM_ListDelete (#11383)
  • Fix TLS error handling to avoid connection drops on timeouts (#11563)
  • Fix runtime changes to cluster-announce-*-port to take effect on the local node too (#10745)
  • Fix sentinel function that compares hostnames if failed resolve (#11419)
  • Fix MIGRATE with AUTH set to "keys" is getting wrong key names leading to MOVED or ACL errors (#11253)

Fixes for issues in previous releases of Redis 7.0

  • Fix command line startup --sentinel problem (#11591)
  • Fix missing FCALL commands in monitor (#11510)
  • Fix CLUSTER SHARDS showing empty hostname (#11297)
  • Replica that asks for rdb-only could have missed the EOF and hang (#11296)

6.2.8

1 year ago

Upgrade urgency: MODERATE, Contains fixes for a few non-critical or unlikely bugs

Performance and resource utilization improvements

  • Optimize zset conversion on large ZRANGESTORE (#10789)

Module API changes

  • Fix crash in CLIENT_CHANGE event, when the selected database is not 0 (#11500)
  • Fix RM_SetAbsExpire and RM_GetAbsExpire API registration (#11025, #8564)

Security improvements

  • Sentinel: avoid logging auth-pass value (#9652)

Bug Fixes

  • Fix a crash when a Lua script returns a meta-table (#11032)
  • Fix ZRANGESTORE crash when zset_max_listpack_entries is 0 (#10767)
  • Unpause clients after manual failover ends instead of waiting for timed (#9676)
  • TLS: Notify clients on connection shutdown (#10931)
  • Avoid hang of diskless replication fork child when parent crashes (#11463)
  • Fix sentinel function that compares hostnames if failed resolve (#11419)
  • Fix a hang when eviction is combined with lazy-free and maxmemory-eviction-tenacity is set to 100 (#11237)
  • Fix bug with scripts ignoring client tracking NOLOOP (#11052)
  • Fix client-side tracking breaking protocol when FLUSHDB / FLUSHALL / SWAPDB is used inside MULTI-EXEC (#11038)
  • Fix BITFIELD overflow detection on some compilers due to undefined behavior (#9601)

7.0.5

1 year ago

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

  • (CVE-2022-35951) Executing a XAUTOCLAIM command on a stream key in a specific state, with a specially crafted COUNT argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer [reported by Xion (SeungHyun Lee) of KAIST GoN].

Module API changes

  • Fix RM_Call execution of scripts when used with M/W/S flags to properly handle script flags (#11159)
  • Fix RM_SetAbsExpire and RM_GetAbsExpire API registration (#11025, #8564)

Bug Fixes

  • Fix a hang when eviction is combined with lazy-free and maxmemory-eviction-tenacity is set to 100 (#11237)
  • Fix a crash when a replica may attempt to set itself as its master as a result of a manual failover (#11263)
  • Fix a bug where a cluster-enabled replica node may permanently set its master's hostname to '?' (#10696)
  • Fix a crash when a Lua script returns a meta-table (#11032)

Fixes for issues in previous releases of Redis 7.0

  • Fix redis-cli to do DNS lookup before sending CLUSTER MEET (#11151)
  • Fix crash when a key is lazy expired during cluster key migration (#11176)
  • Fix AOF rewrite to fsync the old AOF file when a new one is created (#11004)
  • Fix some crashes involving a list containing entries larger than 1GB (#11242)
  • Correctly handle scripts with a non-read-only shebang on a cluster replica (#11223)
  • Fix memory leak when unloading a module (#11147)
  • Fix bug with scripts ignoring client tracking NOLOOP (#11052)
  • Fix client-side tracking breaking protocol when FLUSHDB / FLUSHALL / SWAPDB is used inside MULTI-EXEC (#11038)
  • Fix ACL: BITFIELD with GET and also SET / INCRBY can be executed with read-only key permission (#11086)
  • Fix missing sections for INFO ALL when also requesting a module info section (#11291)