Redis users on Compose are being updated to Redis 2.8.21. Although it is a minor version update from 2.8.20 it includes a fix for a security issue that requires rapid attention. This morning, security researcher Ben Murphy gave details of a Lua sandbox escape that he had identified. Although there are many factors that mitigate the use of the escape, including using a strong password with your Redis deployment, the simple fact is that a vulnerability exists which could potentially be used as a step in a more complex attack.
Ben, to his credit, also released patches to the Lua sandbox for Redis 2.8.20 and 3.0.1 and Redis creator Salvatore Sanfilippo, aka Antirez, released new versions within hours, allowing Redis user to update as quickly as possible.
With that opportunity in mind, and for our own security and our customers, we decided to push the update to all our Compose Redis deployments. The update is limited to the Lua Sandbox fix and two other non-security fixes and should not create any compatibility issues.
If you have any questions about this update, contact support by email or through the Compose Dashboard support page.