Source: python-redis Version: 4.3.4-3 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for python-redis. CVE-2023-28858[0]: | redis-py before 4.5.3 leaves a connection open after canceling an | async Redis command at an inopportune time, and can send response data | to the client of an unrelated request in an off-by-one manner. NOTE: | this CVE Record was initially created in response to reports about | ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the | behavior for pipeline operations); however, please see CVE-2023-28859 | about addressing data leakage across AsyncIO connections in general. Ss mentioned in the description, please make sure to apply the complete set of fixes to not open CVE-2023-28859. Currently we can consider python-redis as not-affected by the CVE-2023-28859, as this results by an incomplete fix for CVE-2023-28858. So when fixing CVE-2023-28858 apply as well the followup needed fixes. Details in the security-tracker reference. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-28858 https://www.cve.org/CVERecord?id=CVE-2023-28858 Regards, Salvatore
