The Redis Team reports:
+++ ++
+- CVE-2021-41099
+- + Integer to heap buffer overflow handling certain string commands + and network payloads, when proto-max-bulk-len is manually configured. +
+- CVE-2021-32762
+- + Integer to heap buffer overflow issue in redis-cli and redis-sentinel + parsing large multi-bulk replies on some older and less common platforms. +
+- CVE-2021-32687
+- + Integer to heap buffer overflow with intsets, when set-max-intset-entries + is manually configured to a non-default, very large value. +
+- CVE-2021-32675
+- + Denial Of Service when processing RESP request payloads with a large + number of elements on many connections. +
+- CVE-2021-32672
+- + Random heap reading issue with Lua Debugger. +
+- CVE-2021-32628
+- + Integer to heap buffer overflow handling ziplist-encoded data types, + when configuring a large, non-default value for hash-max-ziplist-entries, + hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value. +
+- CVE-2021-32627
+- + Integer to heap buffer overflow issue with streams, when configuring + a non-default, large value for proto-max-bulk-len and + client-query-buffer-limit. +
+- CVE-2021-32626
+- + Specially crafted Lua scripts may result with Heap buffer overflow. +
+