Update dependency redis to v4.4.4 [SECURITY] #47


Merged (1 commit, Oct 20, 2023)

Conversation

renovate[bot] (Contributor) commented Mar 30, 2023

Mend Renovate

This PR contains the following updates:

Package: redis (changelog)
Change: ==4.2.2 -> ==4.4.4

GitHub Vulnerability Alerts

CVE-2023-28859

redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.

CVE-2023-28858

redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but are believed to be incomplete. CVE-2023-28859 has been assigned the issues caused by the incomplete fixes.


Release Notes

redis/redis-py (redis)

v4.4.4: 4.4.4

Compare Source

Changes

Upgrade urgency: SECURITY, contains fixes to security issues.

  • (CVE-2023-28859) - Cancelling an async future does not properly trigger, leading to a potential data leak in specific cases.
  • (CVE-2023-28858) - Cancelling an async future does not properly trigger, leading to a potential data leak in specific cases.

🐛 Bug Fixes

  • Fixing cancelled async futures (#2671)

v4.4.3: 4.4.3

Compare Source

Changes

Update urgency: HIGH: There is a critical bug that may affect a subset of users. Upgrade!

🐛 Bug Fixes

v4.4.2: 4.4.2

Compare Source

Changes

Note: this release includes #2548 and it is suggested that users upgrade immediately.

🧪 Experimental Features

🚀 New Features

  • Add support for custom connection pool class in NodesManager (#2547)

🐛 Bug Fixes

  • Allow replica to master promotion in nodes_cache (#2549)
  • Security Fix: Updating graph parser for potential injection cases (#2548)

Contributors

We'd like to thank all the contributors who worked on this release!

@Threated, @dvora-h, @shacharPash and @zakaf

v4.4.1: 4.4.1

Compare Source

Changes

🚀 New Features

  • Add dialect to FT.AGGREGATE (#2537)
  • Add support for resetchannels in ACL SETUSER (#2514)
  • Allow EVAL_RO and EVALSHA_RO to be routed to read replica (#2494)
  • Add timeout parameter for SentinelManagedConnection (#2495)
  • Add TIMEOUT to query class (#2519)
  • Add support for certain LATENCY commands (#2503)

🐛 Bug Fixes

  • Add type checking to __eq__ in graph classes (#2531)
  • Accept str for ex parameter in set command (#2529)
  • Fix for Unhandled exception related to self.host with unix socket (#2520)
  • Make PythonParser resumable (#2510)

🧰 Maintenance

  • Fix incorrect _disconnect_raise docstring (#2534)
  • Remove DeprecationWarning by replacing get_event_loop with get_running_loop (#2530)
  • Fix AttributeError when trying to split library version (#2539)
  • Including startup instructions via redis-stack docker (#2535)
  • Fix JSON.ARRINDEX test (#2527)
  • Add OpenTelemetry example with Uptrace backend (#2452)
  • Switch docs to furo theme (#2492)
  • Combine auto-concatenated strings (#2482)
  • Updating graph tests to support new execution plan (#2486)
  • Raising NotImplementedError for certain CLUSTER and LATENCY commands (#2504) (#2501)

Contributors

We'd like to thank all the contributors who worked on this release!

@DvirDukhan, @SessionIssue, @YiuRULE, @chayim, @dgilmanAIDENTIFIED, @dvora-h, @kristjanvalur, @mohsinhaider, @raz-mon, @shacharPash, @stitchWzc, @uglide, @vmihailenco, @winmorre and @zakaf

v4.4.0: Version 4.4.0

Compare Source

Changes

4.4.0rc4 release notes
4.4.0rc3 release notes
4.4.0rc2 release notes
4.4.0rc1 release notes

🚀 New Features (since 4.4.0rc4)

  • Async clusters: Support creating locks inside async functions (#2471)

🐛 Bug Fixes (since 4.4.0rc4)

  • Async: added 'blocking' argument to call lock method (#2454)
  • Added a replacement for the default cluster node in the event of failure. (#2463)
  • Fixed geosearch: Wrong number of arguments for geosearch command (#2464)

🧰 Maintenance (since 4.4.0rc4)

  • Updating dev dependencies (#2475)
  • Removing deprecated LGTM (#2473)
  • Added an explicit index name in RediSearch example (#2466)
  • Adding connection step to bloom filter examples (#2478)

Contributors (since 4.4.0rc4)

We'd like to thank all the contributors who worked on this release!

@Sibuken, @barshaul, @chayim, @dvora-h, @nermiller, @uglide and @utkarshgupta137

v4.3.6: 4.3.6

Compare Source

Changes

Update urgency: HIGH: There is a critical bug that may affect a subset of users. Upgrade!

🐛 Bug Fixes

v4.3.5: Version 4.3.5

Compare Source

Changes

This is a maintenance release of redis-py, prior to the release of 4.4.0. This release contains both bug fixes, and features, keeping pace with the release of redis-stack capabilities.

🚀 New Features

  • Add support for TIMESERIES 1.8 (#2296)
  • Graph - add counters for removed labels and properties (#2292)
  • Add support for TDIGEST.QUANTILE extensions (#2317)
  • Add TDIGEST.TRIMMED_MEAN (#2300)
  • Add support for async GRAPH module (#2273)
  • Support TDIGEST.MERGESTORE and make compression optional on TDIGEST.CREATE (#2319)
  • Adding reserve as an alias for create, so that we have BF.RESERVE and CF.RESERVE accurately supported (#2331)

🐛 Bug Fixes

  • Fix async connection.is_connected to return a boolean value (#2278)
  • Fix: workaround asyncio bug on connection reset by peer (#2259)
  • Fix crash: key expire while search (#2270)
  • Async cluster: fix concurrent pipeline (#2280)
  • Fix async SEARCH pipeline (#2316)
  • Fix KeyError in async cluster - initialize before execute multi key commands (#2439)

🧰 Maintenance

  • Supply chain risk reduction: remove dependency on library named deprecated (#2386)
  • Search test - Ignore order of the items in the response (#2322)
  • Fix GRAPH.LIST & TDIGEST.QUANTILE tests (#2335)
  • Fix TimeSeries range aggregation (twa) tests (#2358)
  • Mark TOPK.COUNT as deprecated (#2363)

Contributors

We'd like to thank all the contributors who worked on this release!

@sileht, @utkarshgupta137, @dvora-h, @akx, @bodevone, @chayim, @DvirDukhan

v4.3.4: Version 4.3.4

Compare Source

Changes

🔥 Breaking Changes

  • Fix backward compatibility from 4.3.2 in Lock.acquire() (#2254)
  • Fix XAUTOCLAIM to return the full response, instead of only keys 2+ (#2252)

🚀 New Features

  • Added dynamic_startup_nodes configuration to RedisCluster. (#2244, #2251)

🐛 Bug Fixes

  • Fix retries in async mode (#2180)
  • Async cluster: fix simultaneous initialize (#2231)
  • Uppercased commands in CommandsParser.get_keys (#2236)

🧰 Maintenance

  • Late eval of the skip condition in async tests (#2248, #2253)
  • Reuse the old nodes' connections when a cluster topology refresh is being done (#2235)
  • Docs: add pipeline examples (#2240)
  • Correct retention_msecs value (#2232)
  • Cluster: use pipeline to execute split commands (#2230)
  • Docs: Add a note about client_setname and client_name difference (#2247)

Contributors

We'd like to thank all the contributors who worked on this release!

@Iglesys347, @barshaul, @dvora-h, @earthgecko, @elemoine, @falk-h, @kristjanvalur, @psrok1 and @utkarshgupta137

v4.3.3: Version 4.3.3

Compare Source

Changes

🐛 Bug Fixes

  • Fix Lock crash, and versioning 4.3.3 (#2210)

🧰 Maintenance

  • Async cluster: improve docs (#2208)

Contributors

We'd like to thank all the contributors who worked on this release!

@dvora-h and @utkarshgupta137

v4.3.2: Version 4.3.2

Compare Source

Changes

🚀 New Features

  • SHUTDOWN - add support for the new NOW, FORCE and ABORT modifiers (#2150)
  • Adding pipeline support for async cluster (#2199)
  • Support CF.MEXISTS + Clean bf/commands.py (#2184)
  • Extending query_params for FT.PROFILE (#2198)
  • Implementing ClusterPipeline Lock (#2190)

🐛 Bug Fixes

  • Set default response_callbacks to redis.asyncio.cluster.ClusterNode (#2201)
  • Add default None for maxlen at xtrim command (#2188)

🧰 Maintenance

Contributors

We'd like to thank all the contributors who worked on this release!

@Avital-Fine, @Olegt0rr, @WisdomPill, @dvora-h, @grippy, @mfgnik, @rapidia, @ryanrussell and @utkarshgupta137

v4.3.1: Version 4.3.1

Compare Source

Changes

🐛 Bug Fixes

Contributors

We'd like to thank all the contributors who worked on this release!

@dvora-h

v4.3.0: Version 4.3.0

Compare Source

Changes

🔥 Breaking Changes

  • Replace OSError exceptions from can_read with redis.ConnectionError (#2140)
  • Updated FUNCTION LOAD changes (from release 7.0 rc3 to support redis 7.0 final) (#2139)

🚀 New Features

  • Get command keys for subcommands (#2170)
  • Add support for CLUSTER SHARDS (#2151)
  • Add support for COMMAND LIST (#2149)
  • Add Async RedisCluster (#2099)
  • ACL SETUSER - add selectors and key based permissions (#2161)
  • Support for redis 7 streams features (#2157)
  • Async Connection: Allow PubSub.run() without previous subscribe() (#2148)
  • Implemented LATENCY HISTOGRAM by always throwing NotImplementedError (#2147)
  • Add async support for SEARCH commands (#2096)
  • Retry(): Support negative retries value (#2110)
  • Add support for MODULE LOADEX (#2146)
  • INFO - add support for taking multiple section arguments (#2145)
  • CONFIG SET - add the ability to set multiple parameters in one call (#2143)
  • CONFIG GET - add the ability to pass multiple pattern parameters in one call (#2142)
  • Add support for COMMAND GETKEYSANDFLAGS (#2141)
  • Support CASESENSITIVE for TAG fields (#2112)

🐛 Bug Fixes

  • Rename 'update_supported_erros' to 'update_supported_errors' in Retry module (#2144)
  • Fix execute_command() determining nodes error when no key command (#2097)
  • Fix incorrect return statement in auth (#2086) (#2092)

🧰 Maintenance

  • Add unittest for PubSub.connect() (#2167)
  • Fix incorrect return annotation in asyncio.lock (#2155)
  • Minor cleanups in commands/cluster.py (#2094)
  • Update xtrim type annotation (#2093)
  • Async tests for redis commands, json, bloom, timeseries (#2087)
  • Fixed typing in getex command (#2088)

Contributors

We'd like to thank all the contributors who worked on this release!

@Andrew-Chen-Wang, @Ankhas, @Avital-Fine, @JelleZijlstra, @chayim, @dvora-h, @enjoy-binbin, @kamyabzad, @kristjanvalur, @richli, @suxb201 and @utkarshgupta137


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
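The two CVEs in the bot comment above describe one failure mode: a command is written to the connection, the awaiting task is cancelled before the reply is read, and the connection goes back to the pool with a reply still owed on it, so the next caller reads the previous caller's response. The simulation below is an added example, not redis-py's code: FakeConnection, Pool, Client and the 0.01 s "server" delay are all constructed here to show the mechanism, alongside the mitigation pattern of closing (not reusing) a connection that was cancelled between write and read.

```python
import asyncio


class FakeConnection:
    """One simulated request/response connection (constructed stand-in, not redis-py).

    send() writes a command; the "server" answers after a short delay by queueing a
    reply. read() takes the next queued reply, whichever command it belongs to,
    which is exactly what a real socket does.
    """

    def __init__(self):
        self._inbound = asyncio.Queue()
        self.closed = False

    def send(self, command):
        loop = asyncio.get_running_loop()
        loop.call_later(0.01, self._inbound.put_nowait, f"reply({command})")

    async def read(self):
        return await self._inbound.get()

    def disconnect(self):
        # Dropping the connection discards any reply still in flight for it.
        self.closed = True
        self._inbound = asyncio.Queue()


class Pool:
    """Minimal connection pool: reuse a released connection unless it was closed."""

    def __init__(self):
        self._free = []

    def get(self):
        return self._free.pop() if self._free else FakeConnection()

    def release(self, conn):
        if not conn.closed:
            self._free.append(conn)


class Client:
    def __init__(self, pool, disconnect_on_cancel):
        self.pool = pool
        self.disconnect_on_cancel = disconnect_on_cancel

    async def execute(self, command):
        conn = self.pool.get()
        try:
            conn.send(command)
            return await conn.read()
        except asyncio.CancelledError:
            # Cancelled between write and read: a reply is still owed on this
            # connection. Returning it to the pool as-is is the bug; closing it
            # so the pool never hands it out again is the fix.
            if self.disconnect_on_cancel:
                conn.disconnect()
            raise
        finally:
            self.pool.release(conn)


async def scenario(disconnect_on_cancel):
    client = Client(Pool(), disconnect_on_cancel)
    first = asyncio.create_task(client.execute("GET user:1"))
    await asyncio.sleep(0)          # let the task send and block in read()
    first.cancel()
    try:
        await first
    except asyncio.CancelledError:
        pass
    await asyncio.sleep(0.02)       # the reply to the cancelled command now arrives
    return await client.execute("GET user:2")


def run_scenario(disconnect_on_cancel):
    """Return what the *second* caller receives for 'GET user:2'."""
    return asyncio.run(scenario(disconnect_on_cancel))


if __name__ == "__main__":
    # Vulnerable: reply(GET user:1) is handed to the user:2 caller (off-by-one leak).
    print("pool reuses the connection:  ", run_scenario(False))
    # Fixed: reply(GET user:2)
    print("connection dropped on cancel:", run_scenario(True))
```

The first run shows the off-by-one described in CVE-2023-28858: the second request gets the stale reply that belonged to the cancelled one. Note that the fix has to run in the `except CancelledError` path before the `finally` releases the connection; a `finally`-only cleanup that always returns the connection is the shape of the incomplete fix the second advisory refers to.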

@renovate renovate bot changed the title Update dependency redis to v4.3.6 [SECURITY] Update dependency redis to v4.4.4 [SECURITY] Mar 31, 2023
@renovate renovate bot force-pushed the renovate/pypi-redis-vulnerability branch from cbd8d5a to cd4bc83 Compare March 31, 2023 16:50
@toddbirchard toddbirchard merged commit cb75624 into master Oct 20, 2023
@toddbirchard toddbirchard deleted the renovate/pypi-redis-vulnerability branch October 20, 2023 03:47