FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py39-redis -- can send response data to the client of an unrelated request

Affected packages
4.4.0 <= py39-redis < 4.4.4
4.5.0 <= py39-redis < 4.5.4

Details

VuXML ID 8aa6340d-e7c6-41e0-b2a3-3c9e9930312a
Discovery 2023-03-26
Entry 2023-04-09

drago-balto reports:

redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request.

NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.
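
The failure mode the report describes, modelled in plain asyncio as an added example (this is not redis-py's own code, and no real Redis is involved): a command coroutine is cancelled after its request has been written but before the reply is read. A pool that hands that connection to the next caller returns the stale reply to an unrelated request; the hardened variant closes the connection on cancellation so the pool opens a fresh one. FakeServer, Connection, Pool, PoolClient and run_demo are hypothetical names chosen for the illustration, and the in-process reply queue is a constructed stand-in for the socket buffer.

```python
"""Toy model of the response-desync bug class behind CVE-2023-28858/28859.

Added illustration, not redis-py code. The FakeServer answers every command in
the order it was received; once a reply is left unread on a connection, the
next command on that connection reads the wrong reply.
"""
import asyncio


class FakeServer:
    """Constructed stand-in for a Redis server: one reply per command, in order."""

    def __init__(self):
        self.data = {"a": "value-of-a", "b": "value-of-b"}

    def handle(self, cmd):
        op, key = cmd.split(" ", 1)
        if op != "GET":
            raise ValueError("toy server only understands GET")
        return self.data.get(key)


class Connection:
    """One client connection: a write side and an ordered reply queue."""

    def __init__(self, server):
        self.server = server
        self.replies = asyncio.Queue()  # plays the role of the socket receive buffer
        self.closed = False

    async def send(self, cmd):
        # The reply is queued as soon as the request is written; the client has
        # not read it yet. The yield below is where a cancellation can land.
        await self.replies.put(self.server.handle(cmd))
        await asyncio.sleep(0)

    async def recv(self):
        return await self.replies.get()

    def close(self):
        self.closed = True


class Pool:
    """Minimal connection pool that reuses any connection handed back to it."""

    def __init__(self, server):
        self.server = server
        self.free = []

    def get(self):
        while self.free:
            conn = self.free.pop()
            if not conn.closed:
                return conn
        return Connection(self.server)

    def release(self, conn):
        self.free.append(conn)


class PoolClient:
    """safe=False reproduces the bug; safe=True applies the fix."""

    def __init__(self, server, safe):
        self.pool = Pool(server)
        self.safe = safe

    async def get(self, key):
        conn = self.pool.get()
        try:
            await conn.send(f"GET {key}")
            return await conn.recv()
        except asyncio.CancelledError:
            if self.safe:
                # A connection whose request/reply pairing is now unknown must
                # not be reused: discard it and let the pool open a fresh one.
                conn.close()
            raise
        finally:
            self.pool.release(conn)


async def demo(safe):
    """Cancel 'GET a' between write and read, then issue 'GET b' on the pool."""
    client = PoolClient(FakeServer(), safe)
    task = asyncio.create_task(client.get("a"))
    await asyncio.sleep(0)  # let the task write "GET a" and suspend before recv
    task.cancel()
    try:
        await task
    except asyncio.CancelledError:
        pass
    return await client.get("b")  # correct answer is "value-of-b"


def run_demo(safe):
    """Synchronous entry point; returns the reply the second caller received."""
    return asyncio.run(demo(safe))


if __name__ == "__main__":
    print("vulnerable pool, GET b returned:", run_demo(safe=False))
    print("hardened pool,   GET b returned:", run_demo(safe=True))
```

The vulnerable run hands "value-of-a" to the caller that asked for key b, which is exactly the cross-request leak the advisory describes; every later command on that connection is shifted by one reply until the connection is dropped. Closing the connection in the cancellation path is the same remedy the fixed redis-py releases apply, while the queue-based server is only an assumption of the model.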

References

CVE Name CVE-2023-28859
URL https://osv.dev/vulnerability/GHSA-8fww-64cx-x8p5