---
Title: Redis Enterprise Software release notes 6.4.2-30 (February 2023)
alwaysopen: false
categories:
- docs
- operate
- rs
compatibleOSSVersion: Redis 6.2.7, 6.0.16
description: Pub/sub ACLs & default permissions. Validate client certificates by subject
  attributes.
linkTitle: 6.4.2-30 (February 2023)
weight: 72
---

​[​Redis Enterprise Software version 6.4.2](https://redis.io/downloads/#software) is now available!

This version offers:

- Extended validation of client certificates via mTLS (mutual TLS) full subject support

- Support for default restrictive permissions when using publish/subscribe commands and ACLs (access control lists)

- Enhanced TLS performance when Redis returns large arrays in responses

- Compatibility with [open source Redis 6.2.7](https://github.com/redis/redis)

- Additional enhancements and bug fixes

The following table shows the MD5 checksums for the available packages:

| Package | MD5 checksum (6.4.2-30 February release) |
|---------|---------------------------------------|
| Ubuntu 16 | b0dbecaa974ca08245dda55d53b6fe9b |
| Ubuntu 18 | a5192e8b0734db80d6b7c2b98a170c58 |
| RedHat Enterprise Linux (RHEL) 7<br/>Oracle Enterprise Linux (OL) 7 | c1537855dcfe7a7cedf9031ce01e2b9b |
| RedHat Enterprise Linux (RHEL) 8<br/>Oracle Enterprise Linux (OL) 8 <br/>Rocky Enterprise Linux | a24dc749d6dcb5df2162d7a41791c7aa |

## New features and enhancements

#### Validate client certificates by subject attributes

You can now validate client certificates by their `Subject` attributes. When a client attempts to connect to a database, Redis Enterprise Software compares the values of the client certificate subject attributes to the subject values allowed by the database. Clients can connect to the database only if the subject values match. This gives more flexibility in controlling which clients can access which databases.

See [Enable TLS]({{< relref "/operate/rs/security/encryption/tls/enable-tls" >}}) for more information.


#### Default pub/sub ACL permissions

Redis is continuously enhancing its ACL (access control list) functionality and coverage. Redis version 6.2 enhances [ACLs]({{<relref "/operate/oss_and_stack/management/security/acl">}}) to allow and disallow pub/sub channels. 

Part of protecting pub/sub channels requires changing the default access from permissive to restrictive, which blocks all pub/sub channels unless specifically permitted by an ACL rule. To allow this transition across all databases in the cluster, Redis Enterprise Software 6.4.2 provides a new configuration option `acl-pubsub-default` that sets the cluster-wide default for all channels to either permitted or restricted.

The 6.4.2 installation-provided value of `acl-pubsub-default` is permissive (`allchannels`) to comply with earlier Redis versions. After you upgrade all databases in the cluster to Redis DB version 6.2 (or later in future versions), you can use `rladmin` or the REST API to change the value to restrictive (`resetchannels`).

To allow certain users to access specific pub/sub channels, define the appropriate ACL. Redis Enterprise Software 6.4.2 enhances the admin console (UI), CLI, and REST API to support pub/sub channel ACL definitions.

If you use ACLs and pub/sub channels, we recommend you review your databases and ACL settings and plan to change your cluster to restricted mode. This will help you prepare for future Redis Enterprise Software releases that use restrictive `resetchannels` as the new default for `acl-pubsub-default`.

#### Redis modules 

Redis Enterprise Software v6.4.2 includes the following Redis modules:

- [RediSearch v2.4.16]({{< relref "operate/oss_and_stack/stack-with-enterprise/release-notes/redisearch/redisearch-2.4-release-notes#v2416-november-2022" >}})

- [RedisJSON v2.2.0]({{< relref "operate/oss_and_stack/stack-with-enterprise/release-notes/redisjson/redisjson-2.2-release-notes#v220-july-2022" >}})

- [RedisBloom v2.2.18]({{< relref "/operate/oss_and_stack/stack-with-enterprise/bloom" >}}release-notes/redisbloom-2.2-release-notes/#v2218-july-2022)

- [RedisGraph v2.8.20]({{< relref "operate/oss_and_stack/stack-with-enterprise/release-notes/redisgraph/redisgraph-2.8-release-notes#v2820-september-2022" >}})

- [RedisTimeSeries v1.6.17]({{< relref "operate/oss_and_stack/stack-with-enterprise/release-notes/redistimeseries/redistimeseries-1.6-release-notes#v1617-july-2022" >}})

See [Upgrade modules]({{< relref "/operate/oss_and_stack/stack-with-enterprise/install/upgrade-module" >}}) to learn how to upgrade a module for a database. 

#### Installations, upgrades, and troubleshooting

- Added the ability for `install.sh` to run even if "upgrade mode" is already enabled to allow reruns in case of a previous run failure (RS77319)

- Added log messages to the `redis_mgr` process (RS77891), the job_scheduler process (RS82673), and the `install.sh` script (RS82673)

- Improved `rladmin` error messages for certificate validation (RS79933)

- Added internode encryption ports to command-line utility `rlcheck` validation (RS68965)

- Added an alert to notify when a node operation (such as maintenance mode) failed, aborted, or was canceled. The alert is enabled by default (RS76089)

## Version changes 

### Breaking changes

- REST API: the `authorized_names` field of the [BDB object]({{< relref "/operate/rs/references/rest-api/objects/bdb" >}}) is deprecated. Use the new `authorized_subjects` field instead.

### New default Redis DB version

Both Redis Enterprise Software versions 6.2.x and 6.4.x package two Redis DB versions: Redis DB 6.0 and Redis DB 6.2. Until now, the default Redis DB version for creating new databases and upgrading existing databases was 6.0 (enforced by the `redis_upgrade_policy` parameter).

To allow customers more flexibility in future upgrades, starting with Redis Enterprise Software 6.4.2, the default Redis DB version for new and upgraded databases is now 6.2 for all upgrade policies (`redis_upgrade_policy=major` and `redis_upgrade_policy=latest`). 

| Redis<br />Enterprise | Bundled Redis<br />DB versions | Default DB version<br />(upgraded/new databases) |
|-------|----------|-----|
| 6.2.x | 6.0, 6.2 | 6.0 |
| 6.4.2 | 6.0, 6.2 | 6.2 |

You can override the default version with [`rladmin`]({{< relref "/operate/rs/references/cli-utilities/rladmin/tune" >}}#tune-cluster); however, we recommend that you don't change this setting.

### Deprecations

#### Ubuntu 16.04

Ubuntu 16 support is considered deprecated and will be removed in a future release. Ubuntu 16.04 LTS (Xenial) has reached the end of its free initial five-year security maintenance period as of April 30, 2021.

#### Active-Active database persistence

The snapshot option for Active-Active database persistence is deprecated. We advise customers running Active-Active databases, configured with snapshot data persistence, to reconfigure their data persistence mode to use the AOF (Append Only File) option with the following command:

```sh
crdb-cli crdb update --crdb-guid <CRDB_GUID> \
    --default-db-config '{"data_persistence": "aof", "aof_policy":"appendfsync-every-sec"}'
```

#### TLS 1.0 and TLS 1.1

TLS 1.0 and TLS 1.1 connections are considered deprecated in favor of TLS 1.2 or later.
Please verify that all clients, apps, and connections support TLS 1.2. Support for the earlier protocols will be removed in a future release.
Certain operating systems, such as RHEL 8, have already removed support for the earlier protocols. Redis Enterprise Software cannot support connection protocols that are not supported by the underlying operating system.

#### 3DES encryption cipher

The 3DES encryption cipher is considered deprecated in favor of stronger ciphers like AES.
Please verify that all clients, apps, and connections support the AES cipher. Support for 3DES will be removed in a future release.
Certain operating systems, such as RHEL 8, have already removed support for 3DES. Redis Enterprise Software cannot support cipher suites that are not supported by the underlying operating system.

## Resolved issues

- RS72866 - Improved performance for client connections which use TLS

- RS78241 - Fixed shard placement to always respect rack-zone restrictions and avoid a state where a primary (master) and replica are on the same rack, even if temporarily

- RS78144 - Removed the dependency on system-wide `ldconfig` so non-interactive processes will use their own dynamic libraries without impacting external services

- RS78028 - Fixed race condition during rolling upgrade that might result in shards repeatedly restarting

- RS77964 - Fixed module deletion to remove the old directory with the module

- RS75259 - Fixed node to prevent using plain text communication instead of TLS after losing connectivity

- RS69616 - Fixed validation for internode communication ports

- RS83535 - Fixed `sentinel_service` to start on RHEL 8 with DISA STIG profile 

- RS87191 - Fixed a cross slot error when using Auto Tiering with Replica Of, in case a key on the source database swapped from RAM to flash and expired while it was also part of Lua script execution

## Known limitations

### Feature limitations

- RS101204 - High memory consumption caused by the `persistence_mgr` service when AOF persistence is configured for every second. Monitor RAM usage of the process. In case of high usage, the temporary workaround is to restart the service by running `supervisorctl restart persistence_mgr`. A permanent fix is to install or upgrade to the 6.4.2 June maintenance release.

### Upgrade limitations

Before you upgrade a cluster that hosts Active-Active databases with modules to v6.4.2-30, perform the following steps:

1. Use `crdb-cli` to verify that the modules (`modules`) and their versions (in `module_list`) are as they appear in the database configuration and in the default database configuration:

    ```sh
    crdb-cli crdb get --crdb-guid <crdb-guid>
    ```

1. From the admin console's **redis modules** tab, validate that these modules with their specific versions are loaded to the cluster.

1. If one or more of the modules/versions are missing or if you need help, [contact Redis support](https://redis.com/company/support/) before taking additional steps.

This limitation has been fixed and resolved as of [v6.4.2-43]({{< relref "/operate/rs/release-notes/rs-6-4-2-releases/rs-6-4-2-43" >}}).

### Operating system limitations

#### RHEL 7 and RHEL 8

If you have a custom installation with a non-default `$installdir` and use Active-Active or Auto Tiering features, failures might occur when you upgrade. This issue will be fixed in a future maintenance release. 

#### RHEL 8

Due to module binary differences between RHEL 7 and RHEL 8, you cannot upgrade RHEL 7 clusters to RHEL 8 when they host databases using modules. Instead, you need to create a new cluster on RHEL 8 and then migrate existing data from your RHEL 7 cluster. This does not apply to clusters that do not use modules.

## Security

#### Open source Redis security fixes compatibility

As part of Redis's commitment to security, Redis Enterprise Software implements the latest [security fixes](https://github.com/redis/redis/releases) available with [open source Redis](https://github.com/redis/redis). The following open source Redis [CVEs](https://github.com/redis/redis/security/advisories) do not affect Redis Enterprise:

- [CVE-2021-32625](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32625) — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis since Redis Enterprise does not implement LCS. Additional information about the open source Redis fix is on the [Redis GitHub page](https://github.com/redis/redis/releases) (Redis 6.2.4, Redis 6.0.14)

- [CVE-2021-32672](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32672) — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the LUA debugger is unsupported in Redis Enterprise. Additional information about the open source Redis fix is on the [Redis GitHub page](https://github.com/redis/redis/releases) (Redis 6.2.6, Redis 6.0.16)

- [CVE-2021-32675](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32675) — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the proxy in Redis Enterprise does not forward unauthenticated requests. Additional information about the open source Redis fix is on the [Redis GitHub page](https://github.com/redis/redis/releases) (Redis 6.2.6, Redis 6.0.16)

- [CVE-2021-32762](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32762) — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the memory allocator used in Redis Enterprise is not vulnerable. Additional information about the open source Redis fix is on the [Redis GitHub page](https://github.com/redis/redis/releases) (Redis 6.2.6, Redis 6.0.16)

- [CVE-2021-41099](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41099) — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the `proto-max-bulk-len CONFIG` is blocked in Redis Enterprise. Additional information about the open source Redis fix is on the [Redis GitHub page](https://github.com/redis/redis/releases) (Redis 6.2.6, Redis 6.0.16)

Redis Enterprise has already included the fixes for the relevant CVEs. Some CVEs announced for open source Redis do not affect Redis Enterprise due to different and additional functionality available in Redis Enterprise that is not available in open source Redis.