CVE-2023-28859

NameCVE-2023-28859
Descriptionredis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-redis (PTS)jessie2.10.1-1fixed
stretch2.10.5-2fixed
buster3.2.1-2fixed
bullseye3.5.3-2fixed
sid, trixie, bookworm4.3.4-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-redissource(unstable)(not affected)

Notes

- python-redis <not-affected> (Incomplete fix for CVE-2023-28858 not applied)
https://github.com/redis/redis-py/issues/2665
https://github.com/redis/redis-py/pull/2641

Search for package or bug name: Reporting problems