[Security] Bump redis from 4.4.2 to 4.5.4
Bumps redis from 4.4.2 to 4.5.4. This update includes security fixes.
Vulnerabilities fixed
redis-py Race Condition due to incomplete fix redis-py through 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.
Patched versions: 4.4.4
Affected versions: <= 4.5.3; < 4.4.4
redis-py Race Condition vulnerability redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but they are believed to be incomplete. CVE-2023-28859 has been assigned to the issues caused by the incomplete fixes.
Patched versions: 4.4.3
Affected versions: >= 4.4.0, < 4.4.3
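The mechanism behind both advisories is a connection being returned to the pool while a reply is still on the wire, so the next borrower of that connection reads a response that belongs to someone else. The following is an added, constructed model of that race and of the patched behaviour (disconnecting a connection whose command was cancelled before its reply was read); it is not redis-py code. `FakeConnection` and `Pool` are assumed stand-ins for a real socket and connection pool, and the reply delays are chosen only to make the ordering deterministic.

```python
"""
Constructed model of the redis-py cancellation race (CVE-2023-28858 / CVE-2023-28859).
Not redis-py code: FakeConnection and Pool stand in for a real socket and a
connection pool, and the timings are artificial.
"""
import asyncio
from collections import deque

REPLY_DELAY = 0.05    # how long the "server" takes to answer a command
CANCEL_AFTER = 0.01   # cancel the first request well before its reply lands


class FakeConnection:
    """Stand-in for one client socket: replies arrive in order, later, and stay buffered."""

    def __init__(self):
        self._inbox = deque()   # replies the server already delivered, not yet read
        self._in_flight = []    # timer handles for replies still "on the wire"

    async def send_command(self, cmd):
        # The server answers on its own schedule; the client task may be gone by then.
        loop = asyncio.get_running_loop()
        handle = loop.call_later(REPLY_DELAY, self._inbox.append, f"reply-to:{cmd}")
        self._in_flight.append(handle)

    async def read_response(self):
        # Whatever is first in the buffer is returned, regardless of who sent the command.
        while not self._inbox:
            await asyncio.sleep(0.001)
        return self._inbox.popleft()

    def disconnect(self):
        # Closing the socket drops buffered and in-flight replies with it.
        for handle in self._in_flight:
            handle.cancel()
        self._in_flight.clear()
        self._inbox.clear()


class Pool:
    """Single-connection pool: the next caller reuses exactly the connection just released."""

    def __init__(self):
        self._free = [FakeConnection()]

    def get(self):
        return self._free.pop()

    def release(self, conn):
        self._free.append(conn)


async def execute_command(pool, cmd, *, disconnect_on_cancel):
    """Borrow a connection, send one command, return its reply to the caller."""
    conn = pool.get()
    try:
        await conn.send_command(cmd)
        return await conn.read_response()
    except asyncio.CancelledError:
        if disconnect_on_cancel:
            # Patched behaviour: a connection whose reply was never read is unsafe to reuse.
            conn.disconnect()
        raise
    finally:
        pool.release(conn)


async def _scenario(disconnect_on_cancel):
    pool = Pool()
    first = asyncio.create_task(
        execute_command(pool, "GET secret", disconnect_on_cancel=disconnect_on_cancel)
    )
    await asyncio.sleep(CANCEL_AFTER)   # command has been sent, reply has not arrived
    first.cancel()
    try:
        await first
    except asyncio.CancelledError:
        pass
    # An unrelated request now borrows the same connection.
    return await execute_command(pool, "GET other", disconnect_on_cancel=disconnect_on_cancel)


def run(disconnect_on_cancel):
    """Return the reply that the second, unrelated request receives."""
    return asyncio.run(_scenario(disconnect_on_cancel))


if __name__ == "__main__":
    print("unpatched:", run(False))   # reply-to:GET secret  (leaked to the wrong caller)
    print("patched:  ", run(True))    # reply-to:GET other
```

With `disconnect_on_cancel=False` the second request receives the reply to `GET secret`, which is the cross-request data leak the advisories describe; with `disconnect_on_cancel=True` the stale connection is torn down and the second request gets its own reply. When auditing code that cancels Redis awaits (timeouts, task groups, request aborts), this is the property to verify: a cancelled command must never hand its connection back to the pool intact.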
Release notes
Sourced from redis's releases.
4.5.4
Changes
Upgrade urgency: SECURITY, contains fixes to security issues.
- (CVE-2023-28859) - Cancelling an async future does not properly trigger, leading to a potential data leak in specific cases.
- (CVE-2023-28858) - Cancelling an async future does not properly trigger, leading to a potential data leak in specific cases.
🐛 Bug Fixes
- Fixing cancelled async futures (#2666)
- Fix: do not use asyncio's timeout lib before 3.11.2 (#2659)
- Fix UDS in v4.5.2: UnixDomainSocketConnection missing constructor argument (#2630)
🧰 Maintenance
- Minor fixes for #2666 and enhanced async test (#2673)
- Fix issue 2660: PytestUnraisableExceptionWarning from asyncio client (#2669)
- Removing accidentally checked in files (#2642)
Contributors
We'd like to thank all the contributors who worked on this release!
@bellini666, @chayim, @dvora-h, @shacharPash and @woutdenolf
4.5.3
Changes
Update urgency: HIGH: There is a critical bug that may affect a subset of users. Upgrade!
🐛 Bug Fixes
4.5.2
Changes
🚀 New Features
- Introduce AbstractConnection so that UnixDomainSocketConnection can call super().__init__ (#2588)
- Added queue_class to REDIS_ALLOWED_KEYS (#2577)
- Made search document subscriptable (#2615)
- Sped up the protocol parsing (#2596)
🐛 Bug Fixes
... (truncated)
Commits
- e1017fd Version 4.5.4 (#2674)
- ef3f086 Fix async (#2673)
- 5acbde3 Fixing cancelled async futures (#2666)
- 6d886d7 Fix issue 2660: PytestUnraisableExceptionWarning from asyncio client (#2669)
- 326bb1c removing useless files (#2642)
- 4856813 UnixDomainSocketConnection missing constructor argument (#2630)
- 4802530 fix: do not use asyncio's timeout lib before 3.11.2 (#2659)
- 66a4d6b AsyncIO Race Condition Fix (#2641)
- 318b114 Version 4.5.2 (#2627)
- 1b2f408 Fix behaviour of async PythonParser to match RedisParser as for issue #2349 (...
- Additional commits viewable in compare view