fix(deps): update dependency redis to v4.5.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
redis (changelog)	4.5.1 -> 4.5.4

GitHub Vulnerability Alerts

CVE-2023-28858

redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but are believed to be incomplete. CVE-2023-28859 has been assigned the issues caused by the incomplete fixes.

CVE-2023-28859

redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.

---

Release Notes

redis/redis-py (redis)

v4.5.4: 4.5.4

Compare Source

Changes

Upgrade urgency: SECURITY, contains fixes to security issues.

• (CVE-2023-28859) - Cancelling an async future does not, properly trigger, leading to a potential data leak in specific cases.
• (CVE-2023-28858) - Cancelling an async future does not, properly trigger, leading to a potential data leak in specific cases.

🐛 Bug Fixes

• Fixing cancelled async futures (#​2666)
• Fix: do not use asyncio's timeout lib before 3.11.2 (#​2659)
• Fix UDS in v4.5.2: UnixDomainSocketConnection missing constructor argument (#​2630)

🧰 Maintenance

• Minor fixes for #​2666 and enhanced async test (#​2673)
• Fix issue 2660: PytestUnraisableExceptionWarning from asycio client (#​2669)
• Removing accidentally checked in files (#​2642)

Contributors

We'd like to thank all the contributors who worked on this release!

@​bellini666, @​chayim, @​dvora-h, @​shacharPash and @​woutdenolf

v4.5.3: 4.5.3

Compare Source

Changes

Update urgency: HIGH: There is a critical bug that may affect a subset of users. Upgrade!

🐛 Bug Fixes

• CWE-404 AsyncIO Race Condition Fix (#​2624, #​2579)

v4.5.2: 4.5.2

Compare Source

Changes

🚀 New Features

• Introduce AbstractConnection so that UnixDomainSocketConnection can call super().init (#​2588)
• Added queue_class to REDIS_ALLOWED_KEYS (#​2577)
• Made search document subscriptable (#​2615)
• Sped up the protocol parsing (#​2596)

🐛 Bug Fixes

• Fix behaviour of async PythonParser to match RedisParser as for issue #​2349 (#​2582)
• Replace async_timeout by asyncio.timeout (#​2602)
• Update json().arrindex() default values (#​2611)

🧰 Maintenance

• Coverage for pypy-3.9 (#​2608)
• Developer Experience: Adding redis version compatibility details to the README (#​2621)
• Remove redundant assignment to RedisCluster.nodes_manager. (#​2620)
• Developer Experience: [types] update return type of smismember to list[int] (#​2617)
• Developer Experience: [docs] ConnectionPool SSL example (#​2605)
• Developer Experience: Fixed CredentialsProvider examples (#​2587)
• Developer Experience: Update README to make pip install copy-pastable on zsh (#​2584)
• Developer Experience: Fix for lpop and rpop return typing (#​2590)

Contributors

We'd like to thank all the contributors who worked on this release!

@​CrimsonGlory, @​Galtozzy, @​aksinha334, @​barshaul, @​chayim, @​davemcphee, @​dvora-h, @​kristjanvalur, @​ryin1, @​sileht, @​thebarbershop, @​uglide, @​woutdenolf and @​zakaf

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.