diffsync
fix(deps): update dependency redis to v4.5.4 [security]
This PR contains the following updates:
| Package | Change |
|---|---|
| redis (changelog) | 4.5.1 -> 4.5.4 |
GitHub Vulnerability Alerts
CVE-2023-28858
redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but are believed to be incomplete. CVE-2023-28859 has been assigned the issues caused by the incomplete fixes.
CVE-2023-28859
redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.
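A constructed asyncio model of the failure mode both CVEs describe, added here as an illustration and not redis-py's own code: a command cancelled before its reply arrives leaves that reply unread on a pooled connection, so the next caller on that connection receives the previous request's data, and the mitigation is to discard the connection on cancellation. `FakeServer`, `PooledConnection`, the pool and the command names are assumptions of this example.

```python
import asyncio


class FakeServer:
    """Constructed stand-in for a Redis server: answers every request after a fixed delay."""
    def __init__(self, delay):
        self.delay = delay

    async def reply(self, cmd):
        await asyncio.sleep(self.delay)
        return f"reply-to-{cmd}"


class PooledConnection:
    """One socket: replies arrive in request order and wait in `inbox` until read."""
    def __init__(self, server):
        self.server = server
        self.inbox = asyncio.Queue()
        self.closed = False

    def send(self, cmd):
        asyncio.create_task(self._deliver(cmd))  # reply lands in inbox later

    async def _deliver(self, cmd):
        self.inbox.put_nowait(await self.server.reply(cmd))

    async def read(self):
        return await self.inbox.get()


async def execute(conn, cmd, disconnect_on_cancel):
    conn.send(cmd)
    try:
        return await conn.read()
    except asyncio.CancelledError:
        # The reply is still in flight. With the mitigation the socket is dropped,
        # so the pool never hands a connection with an unread reply to someone else.
        if disconnect_on_cancel:
            conn.closed = True
        raise


async def scenario(disconnect_on_cancel):
    server = FakeServer(delay=0.05)
    pool = [PooledConnection(server)]

    def acquire():
        while pool and pool[-1].closed:
            pool.pop()  # closed connections are never reused
        return pool.pop() if pool else PooledConnection(server)

    conn = acquire()  # client A: cancelled by timeout before its reply arrives
    try:
        await asyncio.wait_for(execute(conn, "GET user:a", disconnect_on_cancel), timeout=0.01)
    except asyncio.TimeoutError:
        pool.append(conn)  # returned to the pool either way
    conn = acquire()  # client B: an unrelated request on whatever the pool hands out
    return await execute(conn, "GET user:b", disconnect_on_cancel)


def run_scenario(disconnect_on_cancel):
    """Returns what client B received; with the bug it is client A's reply."""
    return asyncio.run(scenario(disconnect_on_cancel))
```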
Release Notes
redis/redis-py (redis)
v4.5.4: 4.5.4
Changes
Upgrade urgency: SECURITY, contains fixes to security issues.
- (CVE-2023-28859) - Cancelling an async future does not properly trigger, leading to a potential data leak in specific cases.
- (CVE-2023-28858) - Cancelling an async future does not properly trigger, leading to a potential data leak in specific cases.
🐛 Bug Fixes
- Fixing cancelled async futures (#2666)
- Fix: do not use asyncio's timeout lib before 3.11.2 (#2659)
- Fix UDS in v4.5.2: UnixDomainSocketConnection missing constructor argument (#2630)
🧰 Maintenance
- Minor fixes for #2666 and enhanced async test (#2673)
- Fix issue 2660: PytestUnraisableExceptionWarning from asyncio client (#2669)
- Removing accidentally checked in files (#2642)
Contributors
We'd like to thank all the contributors who worked on this release!
@bellini666, @chayim, @dvora-h, @shacharPash and @woutdenolf
v4.5.3: 4.5.3
Changes
Update urgency: HIGH: There is a critical bug that may affect a subset of users. Upgrade!
🐛 Bug Fixes
v4.5.2: 4.5.2
Changes
🚀 New Features
- Introduce AbstractConnection so that UnixDomainSocketConnection can call super().init (#2588)
- Added queue_class to REDIS_ALLOWED_KEYS (#2577)
- Made search document subscriptable (#2615)
- Sped up the protocol parsing (#2596)
🐛 Bug Fixes
- Fix behaviour of async PythonParser to match RedisParser as for issue #2349 (#2582)
- Replace async_timeout by asyncio.timeout (#2602)
- Update json().arrindex() default values (#2611)
🧰 Maintenance
- Coverage for pypy-3.9 (#2608)
- Developer Experience: Adding redis version compatibility details to the README (#2621)
- Remove redundant assignment to RedisCluster.nodes_manager. (#2620)
- Developer Experience: [types] update return type of smismember to list[int] (#2617)
- Developer Experience: [docs] ConnectionPool SSL example (#2605)
- Developer Experience: Fixed CredentialsProvider examples (#2587)
- Developer Experience: Update README to make pip install copy-pastable on zsh (#2584)
- Developer Experience: Fix for lpop and rpop return typing (#2590)
Contributors
We'd like to thank all the contributors who worked on this release!
@CrimsonGlory, @Galtozzy, @aksinha334, @barshaul, @chayim, @davemcphee, @dvora-h, @kristjanvalur, @ryin1, @sileht, @thebarbershop, @uglide, @woutdenolf and @zakaf
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.