networktocode / diffsync

A utility library for comparing and synchronizing different datasets.
https://diffsync.readthedocs.io/

fix(deps): update dependency redis to v4.5.4 [security] #277

Open renovate[bot] opened 3 months ago

renovate[bot] commented 3 months ago

This PR contains the following updates:

| Package | Change |
|---|---|
| redis (changelog) | 4.5.1 -> 4.5.4 |

GitHub Vulnerability Alerts

CVE-2023-28858

redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but are believed to be incomplete. CVE-2023-28859 has been assigned the issues caused by the incomplete fixes.

CVE-2023-28859

redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.


Release Notes

redis/redis-py (redis)

### [`v4.5.4`](https://redirect.github.com/redis/redis-py/releases/tag/v4.5.4): 4.5.4

[Compare Source](https://redirect.github.com/redis/redis-py/compare/v4.5.3...v4.5.4)

### Changes

Upgrade urgency: SECURITY, contains fixes to security issues.

- (CVE-2023-28859) - Cancelling an async future does not properly trigger, leading to a potential data leak in specific cases.
- (CVE-2023-28858) - Cancelling an async future does not properly trigger, leading to a potential data leak in specific cases.

#### 🐛 Bug Fixes

- Fixing cancelled async futures ([#2666](https://redirect.github.com/redis/redis-py/issues/2666))
- Fix: do not use asyncio's timeout lib before 3.11.2 ([#2659](https://redirect.github.com/redis/redis-py/issues/2659))
- Fix UDS in v4.5.2: UnixDomainSocketConnection missing constructor argument ([#2630](https://redirect.github.com/redis/redis-py/issues/2630))

#### 🧰 Maintenance

- Minor fixes for [#2666](https://redirect.github.com/redis/redis-py/issues/2666) and enhanced async test ([#2673](https://redirect.github.com/redis/redis-py/issues/2673))
- Fix issue 2660: PytestUnraisableExceptionWarning from asyncio client ([#2669](https://redirect.github.com/redis/redis-py/issues/2669))
- Removing accidentally checked in files ([#2642](https://redirect.github.com/redis/redis-py/issues/2642))

#### Contributors

We'd like to thank all the contributors who worked on this release!

[@bellini666](https://redirect.github.com/bellini666), [@chayim](https://redirect.github.com/chayim), [@dvora-h](https://redirect.github.com/dvora-h), [@shacharPash](https://redirect.github.com/shacharPash) and [@woutdenolf](https://redirect.github.com/woutdenolf)

### [`v4.5.3`](https://redirect.github.com/redis/redis-py/releases/tag/v4.5.3): 4.5.3

[Compare Source](https://redirect.github.com/redis/redis-py/compare/v4.5.2...v4.5.3)

### Changes

Update urgency: HIGH: There is a critical bug that may affect a subset of users. Upgrade!

#### 🐛 Bug Fixes

- [CWE-404](https://cwe.mitre.org/data/definitions/404.html) AsyncIO Race Condition Fix ([#2624](https://redirect.github.com/redis/redis-py/issues/2624), [#2579](https://redirect.github.com/redis/redis-py/issues/2579))

### [`v4.5.2`](https://redirect.github.com/redis/redis-py/releases/tag/v4.5.2): 4.5.2

[Compare Source](https://redirect.github.com/redis/redis-py/compare/v4.5.1...v4.5.2)

### Changes

#### 🚀 New Features

- Introduce AbstractConnection so that UnixDomainSocketConnection can call `super().__init__()` ([#2588](https://redirect.github.com/redis/redis-py/issues/2588))
- Added queue_class to REDIS_ALLOWED_KEYS ([#2577](https://redirect.github.com/redis/redis-py/issues/2577))
- Made search document subscriptable ([#2615](https://redirect.github.com/redis/redis-py/issues/2615))
- Sped up the protocol parsing ([#2596](https://redirect.github.com/redis/redis-py/issues/2596))

#### 🐛 Bug Fixes

- Fix behaviour of async PythonParser to match RedisParser as for issue [#2349](https://redirect.github.com/redis/redis-py/issues/2349) ([#2582](https://redirect.github.com/redis/redis-py/issues/2582))
- Replace async_timeout by asyncio.timeout ([#2602](https://redirect.github.com/redis/redis-py/issues/2602))
- Update json().arrindex() default values ([#2611](https://redirect.github.com/redis/redis-py/issues/2611))

#### 🧰 Maintenance

- Coverage for pypy-3.9 ([#2608](https://redirect.github.com/redis/redis-py/issues/2608))
- Developer Experience: Adding redis version compatibility details to the README ([#2621](https://redirect.github.com/redis/redis-py/issues/2621))
- Remove redundant assignment to RedisCluster.nodes_manager ([#2620](https://redirect.github.com/redis/redis-py/issues/2620))
- Developer Experience: [types] update return type of smismember to list[int] ([#2617](https://redirect.github.com/redis/redis-py/issues/2617))
- Developer Experience: [docs] ConnectionPool SSL example ([#2605](https://redirect.github.com/redis/redis-py/issues/2605))
- Developer Experience: Fixed CredentialsProvider examples ([#2587](https://redirect.github.com/redis/redis-py/issues/2587))
- Developer Experience: Update README to make pip install copy-pastable on zsh ([#2584](https://redirect.github.com/redis/redis-py/issues/2584))
- Developer Experience: Fix for `lpop` and `rpop` return typing ([#2590](https://redirect.github.com/redis/redis-py/issues/2590))

#### Contributors

We'd like to thank all the contributors who worked on this release!

[@CrimsonGlory](https://redirect.github.com/CrimsonGlory), [@Galtozzy](https://redirect.github.com/Galtozzy), [@aksinha334](https://redirect.github.com/aksinha334), [@barshaul](https://redirect.github.com/barshaul), [@chayim](https://redirect.github.com/chayim), [@davemcphee](https://redirect.github.com/davemcphee), [@dvora-h](https://redirect.github.com/dvora-h), [@kristjanvalur](https://redirect.github.com/kristjanvalur), [@ryin1](https://redirect.github.com/ryin1), [@sileht](https://redirect.github.com/sileht), [@thebarbershop](https://redirect.github.com/thebarbershop), [@uglide](https://redirect.github.com/uglide), [@woutdenolf](https://redirect.github.com/woutdenolf) and [@zakaf](https://redirect.github.com/zakaf)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
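As an added illustration of the race both CVEs above describe (a constructed in-memory model, not code from redis-py, diffsync or this PR): a command is cancelled while its reply is still in flight, so the next, unrelated command on the same connection reads the stale reply one position off. The mitigation toggled by `disconnect_on_cancel` follows the approach of the 4.5.4 fix: a connection whose read was cancelled is dropped rather than reused.

```python
import asyncio

class FakeConnection:
    """Constructed model of one async connection (not redis-py): replies arrive
    in the order commands were sent, like RESP responses on a socket."""

    def __init__(self, disconnect_on_cancel: bool):
        self.disconnect_on_cancel = disconnect_on_cancel
        self.responses: asyncio.Queue = asyncio.Queue()
        self.connected = True

    async def send(self, cmd: str) -> None:
        # The "server" answers 50 ms later, whether or not anyone still waits.
        asyncio.get_running_loop().call_later(
            0.05, self.responses.put_nowait, f"reply-to:{cmd}")

    async def read(self) -> str:
        try:
            return await self.responses.get()
        except asyncio.CancelledError:
            # Mitigation (approach of the redis-py 4.5.4 fix): a cancelled read
            # leaves an unconsumed reply on this connection, so stop reusing it.
            if self.disconnect_on_cancel:
                self.connected = False
            raise

class Client:
    def __init__(self, disconnect_on_cancel: bool):
        self.disconnect_on_cancel = disconnect_on_cancel
        self.conn = FakeConnection(disconnect_on_cancel)

    async def execute(self, cmd: str) -> str:
        if not self.conn.connected:  # take a fresh connection, as a pool would
            self.conn = FakeConnection(self.disconnect_on_cancel)
        await self.conn.send(cmd)
        return await self.conn.read()

async def _scenario(disconnect_on_cancel: bool) -> str:
    client = Client(disconnect_on_cancel)
    try:  # caller gives up on the first command while its reply is in flight
        await asyncio.wait_for(client.execute("GET secret"), timeout=0.01)
    except asyncio.TimeoutError:
        pass
    await asyncio.sleep(0.06)  # stale reply lands with nobody reading it
    return await client.execute("GET public")  # unrelated request

def run(disconnect_on_cancel: bool) -> str:
    """Reply the second, unrelated command actually receives."""
    return asyncio.run(_scenario(disconnect_on_cancel))
```

`run(False)` returns `reply-to:GET secret`, the other request's data; `run(True)` returns `reply-to:GET public`.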