
Commit 4d50670

[AUTO-CHERRYPICK] Patch keda for CVE-2025-30204, CVE-2025-29923 [High] - branch 3.0-dev (#13235)
Co-authored-by: Kanishk Bansal <[email protected]>
1 parent f7c2947 commit 4d50670


3 files changed

+408
-1
lines changed


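--- a/SPECS/keda/CVE-2025-29923.patch
+++ b/SPECS/keda/CVE-2025-29923.patch
@@ -0,0 +1,268 @@
+From ccc8a29fedd586a983efa3852c35175f042e5f7a Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <[email protected]>
+Date: Sun, 30 Mar 2025 16:50:18 +0000
+Subject: [PATCH] CVE-2025-29923
+
+Upstream Patch Reference : https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6
+---
+.../github.com/redis/go-redis/v9/options.go | 11 +++++++-
+.../redis/go-redis/v9/osscluster.go | 18 ++++++++++--
+vendor/github.com/redis/go-redis/v9/redis.go | 8 ++++--
+vendor/github.com/redis/go-redis/v9/ring.go | 19 +++++++++++--
+.../github.com/redis/go-redis/v9/sentinel.go | 28 ++++++++++++++++---
+.../github.com/redis/go-redis/v9/universal.go | 24 +++++++++++++---
+6 files changed, 92 insertions(+), 16 deletions(-)
+
+diff --git a/vendor/github.com/redis/go-redis/v9/options.go b/vendor/github.com/redis/go-redis/v9/options.go
+index dff52ae8..3e889aed 100644
+--- a/vendor/github.com/redis/go-redis/v9/options.go
++++ b/vendor/github.com/redis/go-redis/v9/options.go
+@@ -142,9 +142,18 @@ type Options struct {
+// Enables read only queries on slave/follower nodes.
+readOnly bool
+
+- // Disable set-lib on connect. Default is false.
++ // DisableIndentity - Disable set-lib on connect.
++ //
++ // default: false
++ //
++ // Deprecated: Use DisableIdentity instead.
+DisableIndentity bool
+
++ // DisableIdentity is used to disable CLIENT SETINFO command on connect.
++ //
++ // default: false
++ DisableIdentity bool
++
+// Add suffix to client name. Default is empty.
+IdentitySuffix string
+}
+diff --git a/vendor/github.com/redis/go-redis/v9/osscluster.go b/vendor/github.com/redis/go-redis/v9/osscluster.go
+index 17f98d9d..c67244c8 100644
+--- a/vendor/github.com/redis/go-redis/v9/osscluster.go
++++ b/vendor/github.com/redis/go-redis/v9/osscluster.go
+@@ -85,8 +85,19 @@ type ClusterOptions struct {
+ConnMaxIdleTime time.Duration
+ConnMaxLifetime time.Duration
+
+- TLSConfig *tls.Config
+- DisableIndentity bool // Disable set-lib on connect. Default is false.
++ TLSConfig *tls.Config
++
++ // DisableIndentity - Disable set-lib on connect.
++ //
++ // default: false
++ //
++ // Deprecated: Use DisableIdentity instead.
++ DisableIndentity bool
++
++ // DisableIdentity is used to disable CLIENT SETINFO command on connect.
++ //
++ // default: false
++ DisableIdentity bool
+
+IdentitySuffix string // Add suffix to client name. Default is empty.
+}
+@@ -294,7 +305,8 @@ func (opt *ClusterOptions) clientOptions() *Options {
+MaxActiveConns: opt.MaxActiveConns,
+ConnMaxIdleTime: opt.ConnMaxIdleTime,
+ConnMaxLifetime: opt.ConnMaxLifetime,
+- DisableIndentity: opt.DisableIndentity,
++ DisableIdentity: opt.DisableIdentity,
++ DisableIndentity: opt.DisableIdentity,
+IdentitySuffix: opt.IdentitySuffix,
+TLSConfig: opt.TLSConfig,
+// If ClusterSlots is populated, then we probably have an artificial
+diff --git a/vendor/github.com/redis/go-redis/v9/redis.go b/vendor/github.com/redis/go-redis/v9/redis.go
+index d25a0d31..46b955bb 100644
+--- a/vendor/github.com/redis/go-redis/v9/redis.go
++++ b/vendor/github.com/redis/go-redis/v9/redis.go
+@@ -340,7 +340,7 @@ func (c *baseClient) initConn(ctx context.Context, cn *pool.Conn) error {
+return err
+}
+
+- if !c.opt.DisableIndentity {
++ if !c.opt.DisableIdentity && !c.opt.DisableIndentity {
+libName := ""
+libVer := Version()
+if c.opt.IdentitySuffix != "" {
+@@ -349,7 +349,11 @@ func (c *baseClient) initConn(ctx context.Context, cn *pool.Conn) error {
+p := conn.Pipeline()
+p.ClientSetInfo(ctx, WithLibraryName(libName))
+p.ClientSetInfo(ctx, WithLibraryVersion(libVer))
+- _, _ = p.Exec(ctx)
++ // Handle network errors (e.g. timeouts) in CLIENT SETINFO to avoid
++ // out of order responses later on.
++ if _, err = p.Exec(ctx); err != nil && !isRedisError(err) {
++ return err
++ }
+}
+
+if c.opt.OnConnect != nil {
+diff --git a/vendor/github.com/redis/go-redis/v9/ring.go b/vendor/github.com/redis/go-redis/v9/ring.go
+index 4ae00542..a8a00cd0 100644
+--- a/vendor/github.com/redis/go-redis/v9/ring.go
++++ b/vendor/github.com/redis/go-redis/v9/ring.go
+@@ -98,8 +98,20 @@ type RingOptions struct {
+TLSConfig *tls.Config
+Limiter Limiter
+
++ // DisableIndentity - Disable set-lib on connect.
++ //
++ // default: false
++ //
++ // Deprecated: Use DisableIdentity instead.
++
+DisableIndentity bool
+- IdentitySuffix string
++
++ // DisableIdentity is used to disable CLIENT SETINFO command on connect.
++ //
++ // default: false
++ DisableIdentity bool
++ IdentitySuffix string
++ UnstableResp3 bool
+}
+
+func (opt *RingOptions) init() {
+@@ -166,8 +178,11 @@ func (opt *RingOptions) clientOptions() *Options {
+TLSConfig: opt.TLSConfig,
+Limiter: opt.Limiter,
+
++ DisableIdentity: opt.DisableIdentity,
++
+DisableIndentity: opt.DisableIndentity,
+- IdentitySuffix: opt.IdentitySuffix,
++ IdentitySuffix: opt.IdentitySuffix,
++ UnstableResp3: opt.UnstableResp3,
+}
+}
+
+diff --git a/vendor/github.com/redis/go-redis/v9/sentinel.go b/vendor/github.com/redis/go-redis/v9/sentinel.go
+index 188f8849..2988e300 100644
+--- a/vendor/github.com/redis/go-redis/v9/sentinel.go
++++ b/vendor/github.com/redis/go-redis/v9/sentinel.go
+@@ -80,8 +80,20 @@ type FailoverOptions struct {
+
+TLSConfig *tls.Config
+
++ // DisableIndentity - Disable set-lib on connect.
++ //
++ // default: false
++ //
++ // Deprecated: Use DisableIdentity instead.
+DisableIndentity bool
+- IdentitySuffix string
++
++ // DisableIdentity is used to disable CLIENT SETINFO command on connect.
++ //
++ // default: false
++ DisableIdentity bool
++
++ IdentitySuffix string
++ UnstableResp3 bool
+}
+
+func (opt *FailoverOptions) clientOptions() *Options {
+@@ -117,8 +129,12 @@ func (opt *FailoverOptions) clientOptions() *Options {
+
+TLSConfig: opt.TLSConfig,
+
++ DisableIdentity: opt.DisableIdentity,
++
+DisableIndentity: opt.DisableIndentity,
+- IdentitySuffix: opt.IdentitySuffix,
++
++ IdentitySuffix: opt.IdentitySuffix,
++ UnstableResp3: opt.UnstableResp3,
+}
+}
+
+@@ -153,9 +169,11 @@ func (opt *FailoverOptions) sentinelOptions(addr string) *Options {
+ConnMaxLifetime: opt.ConnMaxLifetime,
+
+TLSConfig: opt.TLSConfig,
++ DisableIdentity: opt.DisableIdentity,
+
+DisableIndentity: opt.DisableIndentity,
+- IdentitySuffix: opt.IdentitySuffix,
++ IdentitySuffix: opt.IdentitySuffix,
++ UnstableResp3: opt.UnstableResp3,
+}
+}
+
+@@ -194,8 +212,10 @@ func (opt *FailoverOptions) clusterOptions() *ClusterOptions {
+
+TLSConfig: opt.TLSConfig,
+
++ DisableIdentity: opt.DisableIdentity,
++
+DisableIndentity: opt.DisableIndentity,
+- IdentitySuffix: opt.IdentitySuffix,
++ IdentitySuffix: opt.IdentitySuffix,
+}
+}
+
+diff --git a/vendor/github.com/redis/go-redis/v9/universal.go b/vendor/github.com/redis/go-redis/v9/universal.go
+index 275bef3d..1ec64269 100644
+--- a/vendor/github.com/redis/go-redis/v9/universal.go
++++ b/vendor/github.com/redis/go-redis/v9/universal.go
+@@ -61,14 +61,25 @@ type UniversalOptions struct {
+RouteByLatency bool
+RouteRandomly bool
+
+- // The sentinel master name.
+- // Only failover clients.
++ // MasterName is the sentinel master name.
++ // Only for failover clients.
+
+MasterName string
+
++ // DisableIndentity - Disable set-lib on connect.
++ //
++ // default: false
++ //
++ // Deprecated: Use DisableIdentity instead.
+DisableIndentity bool
+- IdentitySuffix string
+-}
++
++ // DisableIdentity is used to disable CLIENT SETINFO command on connect.
++ //
++ // default: false
++ DisableIdentity bool
++
++ IdentitySuffix string
++ UnstableResp3 bool}
+
+// Cluster returns cluster options created from the universal options.
+func (o *UniversalOptions) Cluster() *ClusterOptions {
+@@ -112,6 +123,7 @@ func (o *UniversalOptions) Cluster() *ClusterOptions {
+
+TLSConfig: o.TLSConfig,
+
++ DisableIdentity: o.DisableIdentity,
+DisableIndentity: o.DisableIndentity,
+IdentitySuffix: o.IdentitySuffix,
+}
+@@ -158,6 +170,9 @@ func (o *UniversalOptions) Failover() *FailoverOptions {
+
+TLSConfig: o.TLSConfig,
+
++ ReplicaOnly: o.ReadOnly,
++
++ DisableIdentity: o.DisableIdentity,
+DisableIndentity: o.DisableIndentity,
+IdentitySuffix: o.IdentitySuffix,
+}
+@@ -201,6 +216,7 @@ func (o *UniversalOptions) Simple() *Options {
+
+TLSConfig: o.TLSConfig,
+
++ DisableIdentity: o.DisableIdentity,
+DisableIndentity: o.DisableIndentity,
+IdentitySuffix: o.IdentitySuffix,
+}
+--
+2.45.2
+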
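Review bot: In the embedded osscluster.go hunk, `ClusterOptions.clientOptions()` fills the deprecated field from the new one (`DisableIndentity: opt.DisableIdentity,`), so a caller that set only `ClusterOptions.DisableIndentity = true` loses that setting and the node clients still send CLIENT SETINFO on connect. The ring.go, sentinel.go and universal.go hunks all pass `DisableIndentity` through unchanged and `initConn` honours either flag, so the line should read `DisableIndentity: opt.DisableIndentity,`. If the line is carried over verbatim from the referenced upstream commit, the deviation from the other option types is still worth recording in the spec or fixing on top. `clientOptions()` continues past the hunk, so any later handling of the field is not visible here.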
