drago-balto reports:
redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request.
NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | py39-redis | =Â 4.4.0 | UNKNOWN |
FreeBSD | any | noarch | py39-redis | <Â 4.4.4 | UNKNOWN |