[Security] Bump redis from 4.4.2 to 4.5.4

Bumps redis from 4.4.2 to 4.5.4. This update includes security fixes.

Vulnerabilities fixed

redis-py Race Condition due to incomplete fix redis-py through 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.

Patched versions: 4.4.4 Affected versions: <= 4.5.3; < 4.4.4

redis-py Race Condition vulnerability redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but are believed to be incomplete. CVE-2023-28859 has been assigned the issues caused by the incomplete fixes.

Patched versions: 4.4.3 Affected versions: >= 4.4.0, < 4.4.3

Release notes

Sourced from redis's releases.

4.5.4

Changes

Upgrade urgency: SECURITY, contains fixes to security issues.

• (CVE-2023-28859) - Cancelling an async future does not, properly trigger, leading to a potential data leak in specific cases.
• (CVE-2023-28858) - Cancelling an async future does not, properly trigger, leading to a potential data leak in specific cases.

🐛 Bug Fixes

• Fixing cancelled async futures (#2666)
• Fix: do not use asyncio's timeout lib before 3.11.2 (#2659)
• Fix UDS in v4.5.2: UnixDomainSocketConnection missing constructor argument (#2630)

🧰 Maintenance

• Minor fixes for #2666 and enhanced async test (#2673)
• Fix issue 2660: PytestUnraisableExceptionWarning from asycio client (#2669)
• Removing accidentally checked in files (#2642)

Contributors

We'd like to thank all the contributors who worked on this release!

@​bellini666, @​chayim, @​dvora-h, @​shacharPash and @​woutdenolf

4.5.3

Changes

Update urgency: HIGH: There is a critical bug that may affect a subset of users. Upgrade!

🐛 Bug Fixes

• CWE-404 AsyncIO Race Condition Fix (#2624, #2579)

4.5.2

Changes

🚀 New Features

• Introduce AbstractConnection so that UnixDomainSocketConnection can call super().init (#2588)
• Added queue_class to REDIS_ALLOWED_KEYS (#2577)
• Made search document subscriptable (#2615)
• Sped up the protocol parsing (#2596)

🐛 Bug Fixes

• Fix behaviour of async PythonParser to match RedisParser as for issue #2349 (#2582)
• Replace async_timeout by asyncio.timeout (#2602)
• Update json().arrindex() default values (#2611)

... (truncated)

Commits

• e1017fd Version 4.5.4 (#2674)
• ef3f086 Fix async (#2673)
• 5acbde3 Fixing cancelled async futures (#2666)
• 6d886d7 Fix issue 2660: PytestUnraisableExceptionWarning from asycio client (#2669)
• 326bb1c removing useless files (#2642)
• 4856813 UnixDomainSocketConnection missing constructor argument (#2630)
• 4802530 fix: do not use asyncio's timeout lib before 3.11.2 (#2659)
• 66a4d6b AsyncIO Race Condition Fix (#2641)
• 318b114 Version 4.5.2 (#2627)
• 1b2f408 Fix behaviour of async PythonParser to match RedisParser as for issue #2349 (...
• Additional commits viewable in compare view