Update dependency redis to v4.4.4 [SECURITY]#138

Open
renovate[bot] wants to merge 1 commit into master from renovate/pypi-redis-vulnerability

Conversation

@renovate renovate Bot commented Mar 30, 2023

This PR contains the following updates:

Package            Change
redis (changelog)  ^3.4.1 -> ^4.0.0
redis (changelog)  ==4.3.6 -> ==4.4.4

redis-py Race Condition due to incomplete fix

CVE-2023-28859 / GHSA-8fww-64cx-x8p5

Details

redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

redis/redis-py (redis)

v4.4.4: 4.4.4

Compare Source

Changes

Upgrade urgency: SECURITY, contains fixes to security issues.

  • (CVE-2023-28859) - Cancelling an async future does not properly trigger, leading to a potential data leak in specific cases.
  • (CVE-2023-28858) - Cancelling an async future does not properly trigger, leading to a potential data leak in specific cases.

🐛 Bug Fixes

  • Fixing cancelled async futures (#2671)

v4.4.3: 4.4.3

Compare Source

Changes

Update urgency: HIGH: There is a critical bug that may affect a subset of users. Upgrade!

🐛 Bug Fixes

v4.4.2: 4.4.2

Compare Source

Changes

Note: this release includes #2548 and it is suggested that users upgrade immediately.

🧪 Experimental Features

🚀 New Features

  • Add support for custom connection pool class in NodesManager (#​2547)

🐛 Bug Fixes

  • Allow replica to master promotion in nodes_cache (#​2549)
  • Security Fix: Updating graph parser for potential injection cases (#​2548)

Contributors

We'd like to thank all the contributors who worked on this release!

@​Threated, @​dvora-h, @​shacharPash and @​zakaf

v4.4.1: 4.4.1

Compare Source

Changes

🚀 New Features

  • Add dialect to FT.AGGREGATE (#​2537)
  • Add support for resetchannels in ACL SETUSER (#​2514)
  • Allow EVAL_RO and EVALSHA_RO to be routed to read replica (#​2494)
  • Add timeout parameter for SentinelManagedConnection (#​2495)
  • Add TIMEOUT to query class (#​2519)
  • Add support for certain LATENCY commands (#​2503)

🐛 Bug Fixes

  • Add type checking to __eq__ in graph classes (#​2531)
  • Accept str for ex parameter in set command (#​2529)
  • Fix for Unhandled exception related to self.host with unix socket (#​2520)
  • Make PythonParser resumable (#​2510)

🧰 Maintenance

  • Fix incorrect _disconnect_raise docstring (#​2534)
  • Remove DeprecationWarning by replace get_event_loop with get_running_loop (#​2530)
  • Fix AttributeError when trying to split library version (#​2539)
  • Including startup instructions via redis-stack docker (#​2535)
  • Fix JSON.ARRINDEX test (#​2527)
  • Add OpenTelemetry example with Uptrace backend (#​2452)
  • Switch docs to furo theme (#​2492)
  • Combine auto-concatenated strings (#​2482)
  • Updating graph tests to support new execution plan (#​2486)
  • Raising NotImplementedError for certain CLUSTER and LATENCY commands (#​2504) (#​2501)

Contributors

We'd like to thank all the contributors who worked on this release!

@​DvirDukhan, @​SessionIssue, @​YiuRULE, @​chayim, @​dgilmanAIDENTIFIED, @​dvora-h, @​kristjanvalur, @​mohsinhaider, @​raz-mon, @​shacharPash, @​stitchWzc, @​uglide, @​vmihailenco, @​winmorre and @​zakaf

v4.4.0: Version 4.4.0

Compare Source

Changes

4.4.0rc4 release notes
4.4.0rc3 release notes
4.4.0rc2 release notes
4.4.0rc1 release notes

🚀 New Features (since 4.4.0rc4)

  • Async clusters: Support creating locks inside async functions (#​2471)

🐛 Bug Fixes (since 4.4.0rc4)

  • Async: added 'blocking' argument to call lock method (#​2454)
  • Added a replacement for the default cluster node in the event of failure. (#​2463)
  • Fixed geosearch: Wrong number of arguments for geosearch command (#​2464)

🧰 Maintenance (since 4.4.0rc4)

  • Updating dev dependencies (#​2475)
  • Removing deprecated LGTM (#​2473)
  • Added an explicit index name in RediSearch example (#​2466)
  • Adding connection step to bloom filter examples (#​2478)

Contributors (since 4.4.0rc4)

We'd like to thank all the contributors who worked on this release!

@​Sibuken, @​barshaul, @​chayim, @​dvora-h, @​nermiller, @​uglide and @​utkarshgupta137

v4.3.6: 4.3.6

Compare Source

Changes

Update urgency: HIGH: There is a critical bug that may affect a subset of users. Upgrade!

🐛 Bug Fixes

v4.3.5: Version 4.3.5

Compare Source

Changes

This is a maintenance release of redis-py, prior to the release of 4.4.0. This release contains both bug fixes, and features, keeping pace with the release of redis-stack capabilities.

🚀 New Features

  • Add support for TIMESERIES 1.8 (#​2296)
  • Graph - add counters for removed labels and properties (#​2292)
  • Add support for TDIGEST.QUANTILE extensions (#​2317)
  • Add TDIGEST.TRIMMED_MEAN (#​2300)
  • Add support for async GRAPH module (#​2273)
  • Support TDIGEST.MERGESTORE and make compression optional on TDIGEST.CREATE (#​2319)
  • Adding reserve as an alias for create, so that we have BF.RESERVE and CF.RESERVE accurately supported (#2331)

🐛 Bug Fixes

  • Fix async connection.is_connected to return a boolean value (#​2278)
  • Fix: workaround asyncio bug on connection reset by peer (#​2259)
  • Fix crash: key expire while search (#​2270)
  • Async cluster: fix concurrent pipeline (#​2280)
  • Fix async SEARCH pipeline (#​2316)
  • Fix KeyError in async cluster - initialize before execute multi key commands (#​2439)

🧰 Maintenance

  • Supply chain risk reduction: remove dependency on library named deprecated (#​2386)
  • Search test - Ignore order of the items in the response (#​2322)
  • Fix GRAPH.LIST & TDIGEST.QUANTILE tests (#​2335)
  • Fix TimeSeries range aggregation (twa) tests (#​2358)
  • Mark TOPK.COUNT as deprecated (#​2363)

Contributors

We'd like to thank all the contributors who worked on this release!

@​sileht, @​utkarshgupta137, @​dvora-h, @​akx, @​bodevone, @​chayim, @​DvirDukhan

v4.3.4: Version 4.3.4

Compare Source

Changes
🔥 Breaking Changes
  • Fix backward compatibility from 4.3.2 in Lock.acquire() (#​2254)
  • Fix XAUTOCLAIM to return the full response, instead of only keys 2+ (#​2252)
🚀 New Features
  • Added dynamic_startup_nodes configuration to RedisCluster. (#​2244, #​2251)
🐛 Bug Fixes
  • Fix retries in async mode (#​2180)
  • Async cluster: fix simultaneous initialize (#​2231)
  • Uppercased commands in CommandsParser.get_keys (#​2236)
🧰 Maintenance
  • Late eval of the skip condition in async tests (#2248, #2253)
  • Reuse the old nodes' connections when a cluster topology refresh is being done (#​2235)
  • Docs: add pipeline examples (#​2240)
  • Correct retention_msecs value (#​2232)
  • Cluster: use pipeline to execute split commands (#​2230)
  • Docs: Add a note about client_setname and client_name difference (#​2247)
Contributors

We'd like to thank all the contributors who worked on this release!

@​Iglesys347, @​barshaul, @​dvora-h, @​earthgecko, @​elemoine, @​falk-h, @​kristjanvalur, @​psrok1 and @​utkarshgupta137

v4.3.3: Version 4.3.3

Compare Source

Changes
🐛 Bug Fixes
  • Fix Lock crash, and versioning 4.3.3 (#​2210)
🧰 Maintenance
  • Async cluster: improve docs (#​2208)
Contributors

We'd like to thank all the contributors who worked on this release!

@​dvora-h and @​utkarshgupta137

v4.3.2: Version 4.3.2

Compare Source

Changes
🚀 New Features
  • SHUTDOWN - add support for the new NOW, FORCE and ABORT modifiers (#​2150)
  • Adding pipeline support for async cluster (#​2199)
  • Support CF.MEXISTS + Clean bf/commands.py (#​2184)
  • Extending query_params for FT.PROFILE (#​2198)
  • Implementing ClusterPipeline Lock (#​2190)
🐛 Bug Fixes
  • Set default response_callbacks to redis.asyncio.cluster.ClusterNode (#​2201)
  • Add default None for maxlen at xtrim command (#​2188)
🧰 Maintenance
Contributors

We'd like to thank all the contributors who worked on this release!

@​Avital-Fine, @​Olegt0rr, @​WisdomPill, @​dvora-h, @​grippy, @​mfgnik, @​rapidia, @​ryanrussell and @​utkarshgupta137

v4.3.1: Version 4.3.1

Compare Source

Changes
🐛 Bug Fixes
Contributors

We'd like to thank all the contributors who worked on this release!

@​dvora-h

v4.3.0: Version 4.3.0

Compare Source

Changes
🔥 Breaking Changes
  • Replace OSError exceptions from can_read with redis.ConnectionError (#​2140)
  • Updated FUNCTION LOAD changes (from release 7.0 rc3 to support redis 7.0 final) (#​2139)
🚀 New Features
  • Get command keys for subcommands (#​2170)
  • Add support for CLUSTER SHARDS (#​2151)
  • Add support for COMMAND LIST (#​2149)
  • Add Async RedisCluster (#​2099)
  • ACL SETUSER - add selectors and key based permissions (#​2161)
  • Support for redis 7 streams features (#​2157)
  • Async Connection: Allow PubSub.run() without previous subscribe() (#​2148)
  • Implemented LATENCY HISTOGRAM by always throwing NotImplementedError (#​2147)
  • Add async support for SEARCH commands (#2096)
  • Retry(): Support negative retries value (#​2110)
  • Add support for MODULE LOADEX (#​2146)
  • INFO - add support for taking multiple section arguments (#​2145)
  • CONFIG SET - add the ability to set multiple parameters in one call (#​2143)
  • CONFIG GET - add the ability to pass multiple pattern parameters in one call (#​2142)
  • Add support for COMMAND GETKEYSANDFLAGS (#​2141)
  • Support CASESENSITIVE for TAG fields (#​2112)
🐛 Bug Fixes
  • Rename 'update_supported_erros' to 'update_supported_errors' in Retry module (#​2144)
  • Fix execute_command() determining nodes error when no key command (#​2097)
  • Fix incorrect return statement in auth (#​2086) (#​2092)
🧰 Maintenance
  • Add unittest for PubSub.connect() (#​2167)
  • Fix incorrect return annotation in asyncio.lock (#​2155)
  • Minor cleanups in commands/cluster.py (#​2094)
  • Update xtrim type annotation (#​2093)
  • Async tests for redis commands, json, bloom, timeseries (#​2087)
  • Fixed typing in getex command (#​2088)
Contributors

We'd like to thank all the contributors who worked on this release!

@​Andrew-Chen-Wang, @​Ankhas, @​Avital-Fine, @​JelleZijlstra, @​chayim, @​dvora-h, @​enjoy-binbin, @​kamyabzad, @​kristjanvalur, @​richli, @​suxb201 and @​utkarshgupta137

v4.2.2: Version 4.2.2

Compare Source

Changes
🚀 New Features
  • Extended "CLUSTER NODES" parser to support special slot entries (#​2080)
    • 🔥 NOTE: This change is potentially breaking depending on your use of specialized slot entries. Support for bytes was added.
  • Add support for BIT|BYTE option available in redis 7 (#​2068)
🐛 Bug Fixes
  • Fix imports in for async (#​2079)
  • Always clear reference to closed reader/writer (#​2077)
  • Fix disable decode for dump command in async (#​2070)
🧰 Maintenance
  • Cluster commands linkdocs (#​2069)
  • Clarify bit type in setbit/getbit documentation (#​2078)
  • Clean up test support enterprise environments (#2082)
  • Vector similarity search example (#​2083)
  • Fix search query with params tests (#​2076)
Contributors

We'd like to thank all the contributors who worked on this release!

@​barshaul, @​beasteers, @​dsoprea, @​dvora-h, @​enjoy-binbin, @​nosammai and @​wwqgtxx

v4.2.1: Version 4.2.1

Compare Source

Changes
🚀 New Features
  • Add support for CLUSTER MYID (#​2063)
  • Add dialect support for RediSearch queries (#​2071)
🧰 Maintenance
  • Fix black (#​2075)
  • Make typing_extensions conditional to Python < 3.8 (#​2062)
Contributors

We'd like to thank all the contributors who worked on this release!

@​dvora-h, @​enjoy-binbin and @​mgorny

v4.2.0: Version 4.2.0

Compare Source

Changes

4.2.0-rc1 release notes
4.2.0-rc2 release notes
4.2.0-rc3 release notes

🚀 New Features
  • Support for Vector Fields for Vector Similarity Search (#​2041)
🐛 Bug Fixes
  • Fix cluster scan command cursors & scan_iter (#​2054)
🧰 Maintenance
  • Remove verbose logging from cluster initializers (#​2055)
  • Mark tests for redis-stack (#​2052)
Contributors

We'd like to thank all the contributors who worked on this release!

@​Avital-Fine, @​dvora-h, @​joni- and @​utkarshgupta137

v4.1.4: Version 4.1.4

Compare Source

Changes
🚀 New Features
  • Adding ExecutionPlan support for graph (#​1993)
  • Vector similarity search support (#1986)

v4.1.3: Version 4.1.3

Compare Source

🐛 Bug Fixes
🧰 Maintenance
  • Add redis5 and redis4 dockers (#​1871)
  • Change json.clear test multi to be up to date with redisjson (#​1922)
  • Fixing volume for unstable_cluster docker (#​1914)
  • Update changes file with changes since 4.0.0-beta2 (#​1915)
Contributors

We'd like to thank all the contributors who worked on this release!

@​MeirShpilraien, @​dvora-h

v4.1.2: Version 4.1.2

Compare Source

Changes
🚀 New Features
  • Invalid OCSP certificates should raise ConnectionError on failed validation (#​1907)
  • Added retry mechanism on socket timeouts when connecting to the server (#​1895)
🐛 Bug Fixes
  • LMOVE, BLMOVE return incorrect responses (#​1906)
  • Fixing AttributeError in UnixDomainSocketConnection (#​1903)
  • Fixing TypeError in GraphCommands.explain (#​1901)
🧰 Maintenance
  • For tests, increasing wait time for the cluster (#​1908)
  • Increased pubsub's wait_for_messages timeout to prevent flaky tests (#​1893)
  • README code snippets formatted to highlight properly (#​1888)
  • Fix link in the main page (#​1897)
  • Documentation fixes: JSON Example, SSL Connection Examples, RTD version (#​1887)
  • Direct link to readthedocs (#​1885)
Contributors

We'd like to thank all the contributors who worked on this release!

@​barshaul, @​chayim, @​dvora-h, @​soumendrak and @​varunchopra

v4.1.1: Version 4.1.1

Compare Source

Changes
🚀 New Features
  • Add retries to connections in Sentinel Pools (#​1879)
  • OCSP Stapling Support (#​1873)
  • Define incr/decr as aliases of incrby/decrby (#​1874)
  • FT.CREATE - support MAXTEXTFIELDS, TEMPORARY, NOHL, NOFREQS, SKIPINITIALSCAN (#​1847)
🐛 Bug Fixes
  • Timeseries docs fix (#​1877)
  • get_connection: catch OSError too (#​1832)
  • Set keys var otherwise variable not created (#​1853)
  • Clusters should optionally require full slot coverage (#​1845)
🧰 Maintenance
  • Triple quote docstrings in client.py PEP 257 (#​1876)
  • syncing requirements (#​1870)
  • Typo and typing in GraphCommands documentation (#​1855)
  • Allowing poetry and redis-py to install together (#​1854)
  • setup.py: Add project_urls for PyPI (#​1867)
  • Support test with redis unstable docker (#​1850)
  • Connection examples (#​1835)
  • Documentation cleanup (#​1841)
Contributors

We'd like to thank all the contributors who worked on this release!

@​Andrew-Chen-Wang, @​AvitalFineRedis, @​Enchufa2, @​barshaul, @​chayim, @​dvora-h, @​jdieter, @​salty-horse, @​sbv-csis and @​tony

v4.1.0: Version 4.1.0

Compare Source

Changes

4.1.0-rc2 release notes
4.1.0-rc1 release notes

🚀 New Features
  • OCSP stapling support (#​1820)
  • Support for SELECT (#​1825)
  • Support for specifying error types with retry (#​1817)
  • Support for RESET command since Redis 6.2.0 (#​1824)
  • Support CLIENT TRACKING (#​1612)
  • Support WRITE in CLIENT PAUSE (#​1549)
  • JSON set_file and set_path support (#​1818)
  • Allow ssl_ca_path with rediss:// urls (#​1814)
  • Support for password-encrypted SSL private keys (#​1782)
  • Support SYNC and PSYNC (#​1741)
🐛 Bug Fixes
  • Retry on error exception and timeout fixes (#​1821)
  • Fixing read race condition during pubsub (#​1737)
  • Fixing exception in listen (#​1823)
  • Fixed MovedError, and stopped iterating through startup nodes when slots are fully covered (#​1819)
  • Socket not closing after server disconnect (#​1797)
  • Single sourcing the package version (#​1791)
  • Ensure redis_connect_func is set on uds connection (#​1794)
🧰 Maintenance
  • SRTALGO - Skip for redis versions greater than 7.0.0 (#​1831)
  • Documentation updates (#​1822)
  • Add CI action to install package from repository commit hash (#​1781) (#​1790)
  • Fix link in lmove docstring (#​1793)
  • Disabling JSON.DEBUG tests (#​1787)
Contributors

We'd like to thank all the contributors who worked on this release!

@​Akuli, @​AvitalFineRedis, @​alisaifee, @​ashwani99, @​barshaul, @​chayim, @​dvora-h, @​pawl and @​yanivhershkovich

v4.0.2: Version 4.0.2

Compare Source

Changes
🐛 Bug Fixes
  • Restoring Sentinel commands to redis client (#​1723)
  • Better removal of hiredis warning (#​1726)
🧰 Maintenance
  • Adding links to redis documents in function calls (#​1719)
Contributors

We'd like to thank all the contributors who worked on this release!

@​Carlosbogo, @​sculley and @​wuisawesome

v4.0.1: Version 4.0.1

Compare Source

🐛 Bug Fixes
  • Removing command on initial connections (#​1722)
  • Removing hiredis warning when not installed (#​1721)
Contributors

We'd like to thank all the contributors who worked on this release!

@​chayim

v4.0.0: Version 4.0.0

Compare Source

Changes Since 3.5.3

4.0.0-rc2 release notes
4.0.0-rc1 release notes
4.0.0-beta3 release notes
4.0.0-beta2 release notes
4.0.0-beta1 release notes

🚀 New Features
  • FT.EXPLAINCLI intentionally raising NotImplementedError (#​1705)
🐛 Bug Fixes
  • Restoring ZRANGE desc for Redis < 6.2.0 (#​1697)
  • Response parsing occasionally fails to parse floats (#​1692)
  • Re-enabling read-the-docs (#​1707)
🧰 Maintenance
  • Call HSET after FT.CREATE to avoid keyspace scan (#​1706)
  • Unit tests fixes for compatibility (#​1703)
  • Improve documentation about Locks (#​1701)
  • Fixes to allow --redis-url to pass through all tests (#​1700)
  • Fix unit tests running against Redis 4.0.0 (#​1699)
  • Search alias test fix (#​1695)
  • Adding RediSearch/RedisJSON tests (#​1691)
  • Updating codecov rules (#​1689)
  • Tests to validate custom JSON decoders (#​1681)
  • Added breaking icon to release drafter (#​1702)
Contributors

We'd like to thank all the contributors who worked on this release!

@​AvitalFineRedis, @​ashtul, @​chayim and @​jerr0328


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


This PR was generated by Mend Renovate. View the repository job log.
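The advisory quoted in the comment above describes a connection being handed back to the pool with an unread reply after an async command is cancelled, so a later, unrelated request on that connection can read the earlier request's response. The asyncio model below is an added example, not code from this page or from redis-py: it reproduces that crosstalk against a constructed in-process server and shows the mitigation the fix applies, disconnecting on cancellation instead of reusing the connection. `FakeConnection`, `Pool`, `get_key`, `scenario` and `run` are names assumed for this example.

```python
import asyncio
from collections import deque


class FakeConnection:
    def __init__(self):
        self.inbox = deque()      # replies received but not yet read (constructed model, not redis-py)
        self.closed = False

    def send_command(self, key):
        # Write the request now; the server's reply lands on a later loop iteration.
        asyncio.get_running_loop().call_soon(self._deliver, "value-of-" + key)

    def _deliver(self, reply):
        if not self.closed:       # a reply arriving on a closed connection is simply dropped
            self.inbox.append(reply)

    async def read_response(self):
        # Cancellation can land here: request already sent, reply not yet consumed.
        while not self.inbox:
            await asyncio.sleep(0)
        return self.inbox.popleft()

    def disconnect(self):
        self.closed = True
        self.inbox.clear()


class Pool:
    def __init__(self):
        self._free = deque()

    def get(self):
        return self._free.popleft() if self._free else FakeConnection()

    def release(self, conn):
        if not conn.closed:       # disconnected connections never go back into the pool
            self._free.append(conn)


async def get_key(pool, key, *, disconnect_on_cancel):
    conn = pool.get()
    try:
        conn.send_command(key)
        return await conn.read_response()
    except asyncio.CancelledError:
        if disconnect_on_cancel:
            conn.disconnect()     # hardened: never reuse a connection that may hold an unread reply
        raise
    finally:
        pool.release(conn)        # vulnerable path: the connection goes back with its stale reply


async def scenario(disconnect_on_cancel):
    """Cancel one request mid-flight, then run an unrelated request on the same pool."""
    pool = Pool()
    first = asyncio.create_task(get_key(pool, "secret", disconnect_on_cancel=disconnect_on_cancel))
    await asyncio.sleep(0)        # 'secret' has been sent; its reply is still in flight
    first.cancel()
    try:
        await first
    except asyncio.CancelledError:
        pass
    # The unrelated request must receive 'value-of-public', never the stale 'secret' reply.
    return await get_key(pool, "public", disconnect_on_cancel=disconnect_on_cancel)


def run(disconnect_on_cancel):
    return asyncio.run(scenario(disconnect_on_cancel))
```

`run(False)` returns the other request's reply (`value-of-secret`), while `run(True)` returns `value-of-public`; a regression test of this shape is a cheap way to keep a client's cancellation path honest.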

@renovate renovate Bot changed the title Update dependency redis to v4 [SECURITY] Update dependency redis to v4 [SECURITY] - autoclosed Mar 30, 2023
@renovate renovate Bot closed this Mar 30, 2023
@renovate renovate Bot deleted the renovate/pypi-redis-vulnerability branch March 30, 2023 08:32
@renovate renovate Bot changed the title Update dependency redis to v4 [SECURITY] - autoclosed Update dependency redis to v4 [SECURITY] Mar 31, 2023
@renovate renovate Bot reopened this Mar 31, 2023
@renovate renovate Bot restored the renovate/pypi-redis-vulnerability branch March 31, 2023 15:39
@renovate renovate Bot changed the title Update dependency redis to v4 [SECURITY] Update dependency redis to v4.4.4 [SECURITY] Mar 31, 2023
@renovate renovate Bot force-pushed the renovate/pypi-redis-vulnerability branch from 3c34cb5 to c0e82b5 on March 31, 2023 15:39
@renovate renovate Bot changed the title Update dependency redis to v4.4.4 [SECURITY] Update dependency redis to v4.4.4 [SECURITY] - autoclosed May 6, 2023
@renovate renovate Bot closed this May 6, 2023
@renovate renovate Bot deleted the renovate/pypi-redis-vulnerability branch May 6, 2023 02:02
@renovate renovate Bot changed the title Update dependency redis to v4.4.4 [SECURITY] - autoclosed Update dependency redis to v4.4.4 [SECURITY] May 6, 2023
@renovate renovate Bot reopened this May 6, 2023
@renovate renovate Bot restored the renovate/pypi-redis-vulnerability branch May 6, 2023 04:22
@renovate renovate Bot force-pushed the renovate/pypi-redis-vulnerability branch from c0e82b5 to 10c8605 on May 6, 2023 04:22
@renovate renovate Bot changed the title Update dependency redis to v4.4.4 [SECURITY] chore(deps): update dependency redis to v4.4.4 [security] Jan 14, 2024
@renovate renovate Bot force-pushed the renovate/pypi-redis-vulnerability branch from 10c8605 to 88f8022 on August 10, 2025 12:23
@renovate renovate Bot changed the title chore(deps): update dependency redis to v4.4.4 [security] chore(deps): update dependency redis to v4.4.4 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/pypi-redis-vulnerability branch March 27, 2026 01:30
@renovate renovate Bot changed the title chore(deps): update dependency redis to v4.4.4 [security] - autoclosed chore(deps): update dependency redis to v4.4.4 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/pypi-redis-vulnerability branch 2 times, most recently from 88f8022 to 4b2032f on March 30, 2026 18:10
@renovate renovate Bot changed the title chore(deps): update dependency redis to v4.4.4 [security] Update dependency redis to v4.4.4 [SECURITY] Apr 8, 2026
@renovate renovate Bot force-pushed the renovate/pypi-redis-vulnerability branch from 4b2032f to 7d0c9dc on April 15, 2026 10:09