Skip to content

Renovate: Update module github.com/redis/go-redis/v9 to v9.6.3 [SECURITY]#9

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-github.com-redis-go-redis-v9-vulnerability
Open

Renovate: Update module github.com/redis/go-redis/v9 to v9.6.3 [SECURITY]#9
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-github.com-redis-go-redis-v9-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Mar 22, 2025

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/redis/go-redis/v9 v9.5.1v9.6.3 age adoption passing confidence

go-redis allows potential out of order responses when CLIENT SETINFO times out during connection establishment

CVE-2025-29923 / GHSA-92cp-5422-2mw7

More information

Details

Impact

The issue only occurs when the CLIENT SETINFO command times out during connection establishment. The following circumstances can cause such a timeout:

  1. The client is configured to transmit its identity. This can be disabled via the DisableIndentity flag.
  2. There are network connectivity issues
  3. The client was configured with aggressive timeouts

The impact differs by use case:

  • Sticky connections: Rather than using a connection from the pool on-demand, the caller can stick with a connection. Then you receive persistent out-of-order responses for the lifetime of the connection.
  • Pipelines: All commands in the pipeline receive incorrect responses.
  • Default connection pool usage without pipelining: When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded.
Patches

We prepared a fix in https://github.com/redis/go-redis/pull/3295 and plan to release patch versions soon.

Workarounds

You can prevent the vulnerability by setting the flag DisableIndentity (BTW: We also need to fix the spelling.) to true when constructing the client instance.

Credit

Akhass Wasti
Ramin Ghorashi
Anton Amlinger
Syed Rahman
Mahesh Venkateswaran
Sergey Zavoloka
Aditya Adarwal
Abdulla Anam
Abd-Alhameed
Alex Vanlint
Gaurav Choudhary
Vedanta Jha
Yll Kelani
Ryan Picard

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


go-redis allows potential out of order responses when CLIENT SETINFO times out during connection establishment

CVE-2025-29923 / GHSA-92cp-5422-2mw7 / GO-2025-3540

More information

Details

Impact

The issue only occurs when the CLIENT SETINFO command times out during connection establishment. The following circumstances can cause such a timeout:

  1. The client is configured to transmit its identity. This can be disabled via the DisableIndentity flag.
  2. There are network connectivity issues
  3. The client was configured with aggressive timeouts

The impact differs by use case:

  • Sticky connections: Rather than using a connection from the pool on-demand, the caller can stick with a connection. Then you receive persistent out-of-order responses for the lifetime of the connection.
  • Pipelines: All commands in the pipeline receive incorrect responses.
  • Default connection pool usage without pipelining: When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded.
Patches

We prepared a fix in https://github.com/redis/go-redis/pull/3295 and plan to release patch versions soon.

Workarounds

You can prevent the vulnerability by setting the flag DisableIndentity (BTW: We also need to fix the spelling.) to true when constructing the client instance.

Credit

Akhass Wasti
Ramin Ghorashi
Anton Amlinger
Syed Rahman
Mahesh Venkateswaran
Sergey Zavoloka
Aditya Adarwal
Abdulla Anam
Abd-Alhameed
Alex Vanlint
Gaurav Choudhary
Vedanta Jha
Yll Kelani
Ryan Picard

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Potential out of order responses when CLIENT SETINFO times out during connection establishment in github.com/redis/go-redis

CVE-2025-29923 / GHSA-92cp-5422-2mw7 / GO-2025-3540

More information

Details

Potential out of order responses when CLIENT SETINFO times out during connection establishment in github.com/redis/go-redis

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

redis/go-redis (github.com/redis/go-redis/v9)

v9.6.3

Compare Source

What's Changed

Full Changelog: redis/go-redis@v9.6.2...v9.6.3

v9.6.2: 9.6.2

Compare Source

Changes

🐛 Bug Fixes

  • Fixed bug with broken TLS sessions (#​3145)

Contributors

We'd like to thank all the contributors who worked on this release!

@​ofekshenawa @​vladvildanov @​rentziass

v9.6.1: 9.6.1

Compare Source

Changes

9.6

This release contains all new features from version 9.6.

🚀 New Features
  • Support Hash-field expiration commands (#​2991)
  • Support Hash-field expiration commands in Pipeline & Fix HExpire HExpireWithArgs expiration (#​3038)
  • Support NOVALUES parameter for HSCAN (#​2925)
  • Added test case for CLIENT KILL with MAXAGE option (#​2971)
  • Add support for XREAD last entry (#​3005)
  • Reduce the type assertion of CheckConn (#​3066)

9.6.1

In addition minor changes were performed to retract version 9.5.3 and 9.5.4 that were released accidentally.

🧰 Maintenance
🎁 Package Distribution
  • Retract versions 9.5.3 and 9.5.4 (#​3069)

Contributors

We'd like to thank all the contributors who worked on this release!

@​LINKIWI, @​b1ron, @​gerzse, @​haines, @​immersedin, @​naiqianz, @​ofekshenawa, @​srikar-jilugu, @​tzongw, @​vladvildanov, @​vmihailenco and @​monkey92t

v9.6.0: 9.6.0

Compare Source

Changes

🚀 New Features

  • Support Hash-field expiration commands (#​2991)
  • Support Hash-field expiration commands in Pipeline & Fix HExpire HExpireWithArgs expiration (#​3038)
  • Support NOVALUES parameter for HSCAN (#​2925)
  • Added test case for CLIENT KILL with MAXAGE option (#​2971)
  • Add support for XREAD last entry (#​3005)
  • Reduce the type assertion of CheckConn (#​3066)

🛠️ Improvements

This release includes support for Redis Community Edition (CE) 7.4.0, ensuring compatibility with the latest features and improvements introduced in Redis CE 7.4.0.

🧰 Maintenance

  • chore(deps): bump golangci/golangci-lint-action from 4 to 6 (#​2993)
  • Avoid unnecessary retry delay in cluster client following MOVED and ASK redirection (#​3048)
  • add test for tls connCheck #​3025 (#​3047)
  • fix node routing in slotClosestNode (#​3043)
  • Update pubsub.go (#​3042)
  • Change monitor test to run manually (#​3041)
  • chore(deps): bump rojopolis/spellcheck-github-actions from 0.36.0 to 0.38.0 (#​3028)
  • Add (*StatusCmd).Bytes() method (#​3030)
  • chore(deps): bump golang.org/x/net from 0.20.0 to 0.23.0 in /example/otel (#​3000)

Contributors

We'd like to thank all the contributors who worked on this release!

@​LINKIWI, @​b1ron, @​dependabot, @​dependabot[bot], @​gerzse, @​haines, @​immersedin, @​naiqianz, @​ofekshenawa, @​srikar-jilugu, @​tzongw, @​vladvildanov and @​vmihailenco @​monkey92t

v9.5.5

Compare Source

What's Changed

Full Changelog: redis/go-redis@v9.5.4...v9.5.5

v9.5.4

Compare Source

v9.5.3

Compare Source

v9.5.2: 9.5.2

Compare Source

Changes

  • fix: fix #​2681 (#​2998)
  • Remove skipping span creation by checking parent spans (#​2980)
  • Handle IPv6 in isMovedError (#​2981)
  • Fix XGroup first pos key (#​2983)
  • Adding BitfieldRo in BitMapCmdable interface (#​2962)
  • Optimize docs useless imports and typo (#​2970)
  • chore: fix some comments (#​2967)
  • Fix for issues #​2959 and #​2960 (#​2961)
  • fix: #​2956 (#​2957)
  • fix misuses of a vs an (#​2936)
  • add server address and port span attributes to redis otel trace instrumentation (#​2826)
  • chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /example/otel (#​2944)
  • Remove secrets from Redis Enterprise CI (#​2938)
  • Fix monitor on go 1.19 (#​2908)
  • chore(deps): bump google.golang.org/protobuf from 1.28.1 to 1.33.0 in /extra/redisprometheus (#​2942)
  • Change RE image to public RE image (#​2935)

Contributors

We'd like to thank all the contributors who worked on this release!

@​XSAM, @​akash14darshan, @​daviddzxy, @​dependabot, @​dependabot[bot], @​esara, @​hakusai22, @​hishope, @​kindknow, @​monkey92t, @​ofekshenawa, @​singular-seal and deferdeter


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/go-github.com-redis-go-redis-v9-vulnerability branch from 7432fe0 to b52b59c Compare March 28, 2025 04:00
@renovate renovate Bot changed the title Renovate: Update module github.com/redis/go-redis/v9 to v9.5.5 [SECURITY] Renovate: Update module github.com/redis/go-redis/v9 to v9.6.3 [SECURITY] Mar 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant