Add release commits and release notes for 8.0.2 (#1508)

Release commit for 8.0.2 with security fixes and other assorted fixes.

---------

Signed-off-by: Binbin <[email protected]>
Signed-off-by: Roshan Khatri <[email protected]>
Signed-off-by: Nadav Levanoni <[email protected]>
Signed-off-by: Madelyn Olson <[email protected]>
Signed-off-by: Stefan Mueller <[email protected]>
Signed-off-by: vudiep411 <[email protected]>
Signed-off-by: Seungmin Lee <[email protected]>
Signed-off-by: Seungmin Lee <[email protected]>
Signed-off-by: hwware <[email protected]>
Signed-off-by: Uri Yagelnik <[email protected]>
Signed-off-by: Simon Baatz <[email protected]>
Signed-off-by: naglera <[email protected]>
Signed-off-by: Amit Nagler <[email protected]>
Signed-off-by: Ran Shidlansik <[email protected]>
Co-authored-by: Binbin <[email protected]>
Co-authored-by: Viktor Söderqvist <[email protected]>
Co-authored-by: Roshan Khatri <[email protected]>
Co-authored-by: Harkrishn Patro <[email protected]>
Co-authored-by: Nadav Levanoni <[email protected]>
Co-authored-by: Nadav Levanoni <[email protected]>
Co-authored-by: muelstefamzn <[email protected]>
Co-authored-by: Vu Diep <[email protected]>
Co-authored-by: Seungmin Lee <[email protected]>
Co-authored-by: Seungmin Lee <[email protected]>
Co-authored-by: Wen Hui <[email protected]>
Co-authored-by: uriyage <[email protected]>
Co-authored-by: gmbnomis <[email protected]>
Co-authored-by: Amit Nagler <[email protected]>
Co-authored-by: ranshid <[email protected]>
Co-authored-by: YaacovHazan <[email protected]>

.github/actions/generate-package-build-matrix/action.yml

@@ -24,11 +24,11 @@ runs:
 
     - name: Get targets
       run: |
-        x86_arch=$(jq -c '[.linux_targets[] | select(.arch=="x86_64")]' utils/releasetools/build-config.json)
+        x86_arch=$(jq -c '[.linux_targets[] | select(.arch=="x86_64")]' .github/actions/generate-package-build-matrix/build-config.json)
         x86_matrix=$(echo "{ \"distro\" : $x86_arch }" | jq -c .)
         echo "X86_MATRIX=$x86_matrix" >> $GITHUB_ENV
 
-        arm_arch=$(jq -c '[.linux_targets[] | select(.arch=="arm64")]' utils/releasetools/build-config.json)
+        arm_arch=$(jq -c '[.linux_targets[] | select(.arch=="arm64")]' .github/actions/generate-package-build-matrix/build-config.json)
         arm_matrix=$(echo "{ \"distro\" : $arm_arch }" | jq -c .)
         echo "ARM_MATRIX=$arm_matrix" >> $GITHUB_ENV
       shell: bash

.github/workflows/build-release-packages.yml

@@ -3,25 +3,32 @@ name: Build Release Packages
 on:
   release:
     types: [published]
-
+  push:
+    paths:
+      - '.github/workflows/build-release-packages.yml'
+      - '.github/workflows/call-build-linux-arm-packages.yml'
+      - '.github/workflows/call-build-linux-x86-packages.yml'
+      - '.github/actions/generate-package-build-matrix/build-config.json'
   workflow_dispatch:
     inputs:
       version:
         description: Version of Valkey to build
         required: true
 
 permissions:
+  id-token: write
   contents: read
 
 jobs:
   # This job provides the version metadata from the tag for the other jobs to use.
   release-build-get-meta:
     name: Get metadata to build
+    if: github.event_name == 'workflow_dispatch' || github.repository == 'valkey-io/valkey'
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.get_version.outputs.VERSION }}
+      is_test: ${{ steps.check-if-testing.outputs.IS_TEST }}
     steps:
-
       - run: |
           echo "Version: ${{ inputs.version || github.ref_name }}"
         shell: bash
@@ -32,8 +39,13 @@ jobs:
       - name: Get the version
         id: get_version
         run: |
-          VERSION="${INPUT_VERSION}"
+          if [[ "${{ github.event_name }}" == "push" ]]; then
+            VERSION=${{ github.ref_name }}
+          else
+            VERSION="${INPUT_VERSION}"
+          fi
           if [ -z "${VERSION}" ]; then
+            echo "Error: No version specified"
             exit 1
           fi
           echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
@@ -43,8 +55,21 @@ jobs:
           # only ever be a tag
           INPUT_VERSION: ${{ inputs.version || github.ref_name }}
 
+      - name: Check if we are testing
+        id: check-if-testing
+        run: |
+          if [[ "${{ github.event_name }}" == "push" ]]; then
+            echo "This is a test workflow -> We will upload to the Test S3 Bucket"
+            echo "IS_TEST=true" >> $GITHUB_OUTPUT
+          else
+            echo "This is a Release workflow -> We will upload to the Release S3 Bucket"
+            echo "IS_TEST=false" >> $GITHUB_OUTPUT
+          fi
+        shell: bash
+
   generate-build-matrix:
     name: Generating build matrix
+    if: github.event_name == 'workflow_dispatch' || github.repository == 'valkey-io/valkey'
     runs-on: ubuntu-latest
     outputs:
       x86_64-build-matrix: ${{ steps.set-matrix.outputs.x86_64-build-matrix }}
@@ -56,7 +81,7 @@ jobs:
       - uses: ./.github/actions/generate-package-build-matrix
         id: set-matrix
         with:
-          ref: ${{ inputs.version || github.ref_name }}
+          ref: ${{ needs.release-build-get-meta.outputs.version }}
 
   release-build-linux-x86-packages:
     needs:
@@ -67,11 +92,10 @@ jobs:
       version: ${{ needs.release-build-get-meta.outputs.version }}
       ref: ${{ inputs.version || github.ref_name }}
       build_matrix: ${{ needs.generate-build-matrix.outputs.x86_64-build-matrix }}
+      region: us-west-2
     secrets:
-      token: ${{ secrets.GITHUB_TOKEN }}
-      bucket: ${{ secrets.AWS_S3_BUCKET }}
-      access_key_id: ${{ secrets.AWS_S3_ACCESS_KEY_ID }}
-      secret_access_key: ${{ secrets.AWS_S3_ACCESS_KEY }}
+      bucket_name: ${{ needs.release-build-get-meta.outputs.is_test == 'true' && secrets.AWS_S3_TEST_BUCKET || secrets.AWS_S3_BUCKET }}
+      role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
 
   release-build-linux-arm-packages:
     needs:
@@ -82,8 +106,7 @@ jobs:
       version: ${{ needs.release-build-get-meta.outputs.version }}
       ref: ${{ inputs.version || github.ref_name }}
       build_matrix: ${{ needs.generate-build-matrix.outputs.arm64-build-matrix }}
+      region: us-west-2
     secrets:
-      token: ${{ secrets.GITHUB_TOKEN }}
-      bucket: ${{ secrets.AWS_S3_BUCKET }}
-      access_key_id: ${{ secrets.AWS_S3_ACCESS_KEY_ID }}
-      secret_access_key: ${{ secrets.AWS_S3_ACCESS_KEY }}
+      bucket_name: ${{ needs.release-build-get-meta.outputs.is_test == 'true' && secrets.AWS_S3_TEST_BUCKET || secrets.AWS_S3_BUCKET }}
+      role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}

.github/workflows/call-build-linux-arm-packages.yml

@@ -15,21 +15,20 @@ on:
         description: The build targets to produce as a JSON matrix.
         type: string
         required: true
+      region:
+        description: The AWS region to push packages into.
+        type: string
+        required: true
     secrets:
-      token:
-        description: The Github token or similar to authenticate with.
+      bucket_name:
+        description: The S3 bucket to push packages into.
+        required: true
+      role_to_assume:
+        description: The role to assume for the S3 bucket.
         required: true
-      bucket:
-        description: The name of the S3 bucket to push packages into.
-        required: false
-      access_key_id:
-        description: The S3 access key id for the bucket.
-        required: false
-      secret_access_key:
-        description: The S3 secret access key for the bucket.
-        required: false
 
 permissions:
+  id-token: write
   contents: read
 
 jobs:
@@ -46,6 +45,12 @@ jobs:
         with:
           ref: ${{ inputs.version }}
 
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ inputs.region }}
+          role-to-assume: ${{ secrets.role_to_assume }}
+
       - name: Make Valkey
         uses: uraimo/run-on-arch-action@v2
         with:
@@ -65,15 +70,5 @@ jobs:
           mkdir -p packages-files
           cp -rfv $TAR_FILE_NAME.tar* packages-files/
 
-      - name: Install AWS cli.
-        run: |
-          sudo apt-get install -y awscli
-
-      - name: Configure AWS credentials
-        run: |
-          aws configure set region us-west-2
-          aws configure set aws_access_key_id ${{ secrets.access_key_id }}
-          aws configure set aws_secret_access_key ${{ secrets.secret_access_key }}
-
       - name: Sync to S3
-        run: aws s3 sync packages-files s3://${{secrets.bucket}}/releases/
+        run: aws s3 sync packages-files s3://${{ secrets.bucket_name }}/releases/

.github/workflows/call-build-linux-x86-packages.yml

@@ -15,21 +15,20 @@ on:
         description: The build targets to produce as a JSON matrix.
         type: string
         required: true
+      region:
+        description: The AWS region to upload the packages to.
+        type: string
+        required: true
     secrets:
-      token:
-        description: The Github token or similar to authenticate with.
+      bucket_name:
+        description: The name of the S3 bucket to upload the packages to.
+        required: true
+      role_to_assume:
+        description: The role to assume for the S3 bucket.
         required: true
-      bucket:
-        description: The name of the S3 bucket to push packages into.
-        required: false
-      access_key_id:
-        description: The S3 access key id for the bucket.
-        required: false
-      secret_access_key:
-        description: The S3 secret access key for the bucket.
-        required: false
 
 permissions:
+  id-token: write
   contents: read
 
 jobs:
@@ -46,6 +45,12 @@ jobs:
         with:
           ref: ${{ inputs.version }}
 
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ inputs.region }}
+          role-to-assume: ${{ secrets.role_to_assume }}
+
       - name: Install dependencies
         run: sudo apt-get update && sudo apt-get install -y build-essential libssl-dev libsystemd-dev
 
@@ -63,15 +68,5 @@ jobs:
           mkdir -p packages-files
           cp -rfv $TAR_FILE_NAME.tar* packages-files/
 
-      - name: Install AWS cli.
-        run: |
-          sudo apt-get install -y awscli
-
-      - name: Configure AWS credentials
-        run: |
-          aws configure set region us-west-2
-          aws configure set aws_access_key_id ${{ secrets.access_key_id }}
-          aws configure set aws_secret_access_key ${{ secrets.secret_access_key }}
-
       - name: Sync to S3
-        run: aws s3 sync packages-files s3://${{secrets.bucket}}/releases/
+        run: aws s3 sync packages-files s3://${{ secrets.bucket_name }}/releases/

.github/workflows/daily.yml

@@ -89,7 +89,7 @@ jobs:
         (github.event_name == 'schedule' && github.repository == 'valkey-io/valkey') ||
         (github.event_name == 'pull_request' && (contains(github.event.pull_request.labels.*.name, 'run-extra-tests') || github.event.pull_request.base.ref != 'unstable'))) &&
       !contains(github.event.inputs.skipjobs, 'fortify')
-    container: ubuntu:lunar
+    container: ubuntu:plucky
     timeout-minutes: 14400
     steps:
       - name: prep

00-RELEASENOTES

@@ -9,6 +9,46 @@ CRITICAL: There is a critical bug affecting MOST USERS. Upgrade ASAP.
 SECURITY: There are security fixes in the release.
 --------------------------------------------------------------------------------
 
+================================================================================
+Valkey 8.0.2  -  Released Mon 6 Jan 2025
+================================================================================
+
+Upgrade urgency SECURITY: This release includes security fixes we recommend you
+apply as soon as possible.
+
+Bug fixes
+=========
+* Fix an uncommon crash when using TLS with dual channel replication. (#1173)
+* Make sure `repl_down_since` is correctly reset when dual channel replication
+  fails. (#1149)
+* Fix a performance regression where a replica does not properly initiaize
+  the database size when loading a snapshot during replication. (#1199)
+* Make sure the last accessed time is correctly updated when using the `TOUCH`
+  command with the `CLIENT NO-TOUCH` option.
+* Fix a bug where `total_net_repl_output_bytes` would report the wrong. (#1486)
+* Fix a bug where `used_memory_scripts` may report the wrong value. (#1255)
+* Fix a bug where server might crash when using active defrag when scripts
+  are evicted from the script cache. (#1310)
+* Fix a bug where extra memory would be used when storing strings in the
+  inline protocol. (#1213)
+* Fix a bug where the `SORT` command may throw a cross slot error. (#1182)
+* Fix a bug where the `RANDOMKEY` command may omit returning keys in cluster
+  mode. (#1155)
+* Send the correct error message when `FUNCTION KIlL` is used to kill an
+  ongoing script. (#1171)
+* Fix a potential memory corruption when databases are emptied, such as
+  through `FLUSHDB`, when during active defrag is running.
+
+Behavior changes
+================
+* Revert an unintended breaking change when sending an unsubuscribe command
+  when a client is not subscribed to any channels. (#1265)
+
+Security fixes
+==============
+* (CVE-2024-46981) Lua script commands may lead to remote code execution. (#1513)
+* (CVE-2024-51741) Denial-of-service due to malformed ACL selectors. (#1514)
+
 ================================================================================
 Valkey 8.0.1  -  Released Tue 1 Oct 2024
 ================================================================================

src/acl.c

@@ -1074,19 +1074,24 @@ int ACLSetSelector(aclSelector *selector, const char *op, size_t oplen) {
         int flags = 0;
         size_t offset = 1;
         if (op[0] == '%') {
+            int perm_ok = 1;
             for (; offset < oplen; offset++) {
                 if (toupper(op[offset]) == 'R' && !(flags & ACL_READ_PERMISSION)) {
                     flags |= ACL_READ_PERMISSION;
                 } else if (toupper(op[offset]) == 'W' && !(flags & ACL_WRITE_PERMISSION)) {
                     flags |= ACL_WRITE_PERMISSION;
-                } else if (op[offset] == '~' && flags) {
+                } else if (op[offset] == '~') {
                     offset++;
                     break;
                 } else {
-                    errno = EINVAL;
-                    return C_ERR;
+                    perm_ok = 0;
+                    break;
                 }
             }
+            if (!flags || !perm_ok) {
+                errno = EINVAL;
+                return C_ERR;
+            }
         } else {
             flags = ACL_ALL_PERMISSION;
         }
@@ -2760,7 +2765,6 @@ void aclCatWithFlags(client *c, dict *commands, uint64_t cflag, int *arraylen) {
 
     while ((de = dictNext(di)) != NULL) {
         struct serverCommand *cmd = dictGetVal(de);
-        if (cmd->flags & CMD_MODULE) continue;
         if (cmd->acl_categories & cflag) {
             addReplyBulkCBuffer(c, cmd->fullname, sdslen(cmd->fullname));
             (*arraylen)++;

src/cluster_legacy.c

@@ -6030,6 +6030,9 @@ void removeChannelsInSlot(unsigned int slot) {
 unsigned int delKeysInSlot(unsigned int hashslot) {
     if (!kvstoreDictSize(server.db->keys, hashslot)) return 0;
 
+    /* We may lose a slot during the pause. We need to track this
+     * state so that we don't assert in propagateNow(). */
+    server.server_del_keys_in_slot = 1;
     unsigned int j = 0;
 
     kvstoreDictIterator *kvs_di = NULL;
@@ -6054,6 +6057,8 @@ unsigned int delKeysInSlot(unsigned int hashslot) {
     }
     kvstoreReleaseDictIterator(kvs_di);
 
+    server.server_del_keys_in_slot = 0;
+    serverAssert(server.execution_nesting == 0);
     return j;
 }