My team is facing a corporate security compliance issue. There is one important system using Redis 3.2.12; however, it is too old to get new approval from the corporate security team. Their concern is: does the community continue to support such an old version with bug fixes and vulnerability patches?
Where can I get the confirmed message about this concern?
Thanks, Chris
Comment From: lafengnan
I got the information below from https://redis.io/topics/releases. Does it mean Redis 3.2.x is not supported for vulnerability patching?

As a rule, older versions are not supported as we try very hard to make the Redis API mostly backward compatible. Upgrading to newer versions is the recommended approach and is usually trivial.

The latest stable release is always fully supported and maintained.

Two additional versions receive maintenance only, meaning that only fixes for critical bugs and major security issues are committed and released as patches:

- The previous minor version of the latest stable release.
- The previous stable major release.

For example, consider the following hypothetical versions: 1.2, 2.0, 2.2, 3.0, 3.2, ...

When version 2.2 is the latest stable release, both 2.0 and 1.2 are maintained. Once version 3.0.0 replaces 2.2 as the latest stable, versions 2.0 and 2.2 are maintained, whereas version 1.x reaches its end of life. This process repeats with version 3.2.0, after which only versions 2.2 and 3.0 are maintained.

The above are guidelines rather than rules set in stone and will not replace common sense.
Comment From: enjoy-binbin
ref discussion: https://github.com/redis/redis/discussions/9730#discussioncomment-1579709
Yes, the Redis community no longer maintains it and recommends upgrading to the new version.
IIRC, the oldest still maintained version is currently 5.0
Comment From: oranagra
that's right. we no longer maintain version 3.2 (same for 4.0, and soon 5.0 too), you'll need to either upgrade, or try to backport the relevant commits yourself.
Comment From: lafengnan
Thanks for the quick response.