Update dependency io.lettuce:lettuce-core to v6.5.1.RELEASE [SECURITY] (release/4.0.x)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
io.lettuce:lettuce-core	6.4.1.RELEASE -> 6.5.1.RELEASE

GitHub Vulnerability Alerts

GHSA-q4h9-7rxj-7gx2

Summary

Note: i'm reporting this in this way purely because it's private and i don't want to broadcast vulnerabilities.

An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

Details

https://github.com/redis/lettuce/blob/main/pom.xml#L67C9-L67C53 The netty version pinned here is currently

<netty.version>4.1.113.Final</netty.version>

This version is vulnerable according to Snyk and is affecting one of our products:

Here is a link to the CVE

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.
Not applicable

Impact

What kind of vulnerability is it? Who is impacted?
Denial of Service, affecting Windows users.

---

Release Notes

lettuce-io/lettuce-core (io.lettuce:lettuce-core)

v6.5.1.RELEASE

Compare Source

What's Changed

• Bump to netty 4.1.115.Final to consume the security fix for CVE-2024-47535 by @​tishun
• Restore API that was incidently deleted when introducing the JSON feature by @​tishun in https://github.com/redis/lettuce/pull/3065
• Propagate handshake failures to Handshake future @​mp911de in https://github.com/redis/lettuce/pull/3058
• Json commands not exposed in AsyncCluster by @​tishun in https://github.com/redis/lettuce/pull/3048
• OpsForGeo producing "READONLY You can't write against a read only replica " by @​ggivo in https://github.com/redis/lettuce/pull/3032
• WATCH is now working in the same time as MULTI when called inside a MULTI by @​tishun in https://github.com/redis/lettuce/pull/3027

Full Changelog: redis/lettuce@6.5.0.RELEASE...6.5.1.RELEASE

v6.5.0.RELEASE

Compare Source

⭐ New Features

• Introducing JSON to Lettuce (#​2992)
• Add support for the CLUSTER MYSHARDID command (#​2920)
• Add support for the CLUSTER LINKS command (#​2986)
• Add support for the CLIENT TRACKINGINFO command (#​2862)
• Default ClientOptions.timeoutOptions to TimeoutOptions.enabled() (#​2927)
• Propagate database number, user, and RedisURI into Tracing (#​3005)
• Add support for creating regex and subnet-based ReadFrom instances from a single string (#​3016)
• Add hasNoSlots() method to RedisClusterNode (#​3015)

🐞 Bug Fixes

• Initialize slots with empty BitSet in RedisClusterNode's constructors (#​2341)
• fix(2971): spublish typo fix (#​2972)
• Update completeExceptionally on ClusterCommand using super (#​2980)
• Add defensive copy for Futures allOf() method (#​2943)
• fix:deadlock when reentrant exclusive lock #​2905 #​2879 (#​2961)
• ClassNotFoundException: com.fasterxml.jackson.core.JsonProcessingException (#​2993)
• ScanIterator.scan.stream().toList() causes "java.lang.IllegalStateException: Accept exceeded fixed size of 0" on Java 16+ (#​3002)
• fix: Lcs response parse (#​2970)
• Resubscribe logic ignoring Pub/Sub shard channels after reconnect. (#​3024)
• Command interface - issues with async array results (#​3033)

💡 Other

• Add badges to the README.md file (#​2939)
• Convert wiki to markdown docs (#​2944)
• Add the Github repo url to the doc config (#​3008)
• document update regarding addressResolverGroup settings (#​3007)
• Add CodeCov configuration, enable test analytics (#​3023)
• io.lettuce.core.RedisCommandExecutionException: NOAUTH Authentication required on CLIENT and READONLY command (#​3035)
• Bump org.jacoco:jacoco-maven-plugin from 0.8.9 to 0.8.12 (#​2921)
• Bump org.apache.maven.plugins:maven-surefire-plugin from 3.2.5 to 3.3.1 (#​2922)
• Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.2.5 to 3.3.1 (#​2958)
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.7.0 to 3.8.0 (#​2957)
• Bump org.apache.maven.plugins:maven-surefire-plugin from 3.3.1 to 3.4.0 (#​2968)
• Bump org.hdrhistogram:HdrHistogram from 2.1.12 to 2.2.2 (#​2966)
• Bump org.apache.maven.plugins:maven-compiler-plugin from 3.12.1 to 3.13.0 (#​2978)
• Bump org.apache.logging.log4j:log4j-bom from 2.17.2 to 2.24.0 (#​2988)
• Bump io.netty:netty-bom from 4.1.107.Final to 4.1.113.Final (#​2990)
• Suspected change in ubuntu causing CI failures (#​2949)
• MKdocs styling update (#​3034)

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​zeze1004 made their first contribution in https://github.com/redis/lettuce/pull/2852
• @​jkrauze made their first contribution in https://github.com/redis/lettuce/pull/2972
• @​Roiocam made their first contribution in https://github.com/redis/lettuce/pull/2961
• @​jinkshower made their first contribution in https://github.com/redis/lettuce/pull/2943
• @​joshrotenberg made their first contribution in https://github.com/redis/lettuce/pull/3008
• @​nosan made their first contribution in https://github.com/redis/lettuce/pull/3016
• @​wmxl made their first contribution in https://github.com/redis/lettuce/pull/3015
• @​winguse made their first contribution in https://github.com/redis/lettuce/pull/3007
• @​jabolina made their first contribution in https://github.com/redis/lettuce/pull/2970

Full Changelog: redis/lettuce@6.4.0.RELEASE...6.5.0.RELEASE

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - "* 0-3 * * 1" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.