What's Changed
Security
This release fixes several more security vulnerabilities which are related to the fixes in v0.5.14. Please see the linked security advisories for more information.
- (moderate) Command Injection via non-synchronizing literal in "raw" argument (CVE-2026-47240, GHSA-8p34-64r3-mwg8)
This vulnerability depends on how the server interprets non-synchronizing literals.
The connection is not vulnerable if the server supports non-synchronizing literals.
- (moderate) Command Injection via unvalidated ID and ENABLE arguments (CVE-2026-47242, GHSA-46q3-7gv7-qmgg)
- (low) Denial of Service via incomplete "raw" argument validation (CVE-2026-47241, GHSA-c4fp-cxrr-mj66)
This results in the affected command hanging until the connection is closed. If another thread attempts to send a concurrent pipelined command, the first thread will return with a syntax error and the second thread will hang until the connection closes.
Fixed
- Validate that Atom and Flag are not empty by @nevans in #685 (backports #684)
- Fix deadlock in #disconnect by @nevans in #697 (backports #686)
Documentation
- Boost visibility of raw data argument documentation warnings by @nevans in #696 (backports #677)
Other Changes
- Allow 64-bit Integer arguments in #696 (backports #675)
- Ensure send_number_data input is an Integer in #696 (backports #676)
- Improve RawData.new, AddRawData.split by @nevans in #696 (backports #679)
- Validate response literal byte size format by @nevans in #696 (backports #681)
Miscellaneous
Full Changelog: v0.5.14...v0.5.15