What's Changed
๐ Security
This release fixes several more security vulnerabilities which are related to the fixes in v0.6.4. Please see the linked security advisories for more information.
- (moderate) Command Injection via non-synchronizing literal in "raw" argument (CVE-2026-47240, GHSA-8p34-64r3-mwg8)
This vulnerability depends how the server interprets non-synchronizing literals.
The connection is not vulnerable if the server supports non-synchronizing literals. - (moderate) Command Injection via unvalidated ID and ENABLE arguments (CVE-2026-47242, GHSA-46q3-7gv7-qmgg)
- (low) Denial of Service via incomplete "raw" argument validation (CVE-2026-47241, GHSA-c4fp-cxrr-mj66)
This results in the affected command hanging until the connection is closed. If another thread attempts to send a concurrent pipelined command, the first thread will return with a syntax error and the second thread will hang until the connection closes.
Added
Fixed
- ๐ง Disallow
config.max_non_synchronizing_literal = nilby @nevans in #672 - ๐งต Fix deadlock in
#disconnectby @nevans in #686 - ๐ฅ Validate that Atom and Flag are not empty by @nevans in #684
Documentation
Other Changes
- ๐ท๏ธ Allow 64-bit Integer arguments by @nevans in #675
- ๐ฅ Ensure send_number_data input is an Integer by @nevans in #676
- โป๏ธ Improve
RawData.new, AddRawData.splitby @nevans in #679 - ๐ท๏ธ Less strict number string coercion, to match RFCs by @nevans in #680
- ๐ฅ Validate response literal byte size format by @nevans in #681
Miscellaneous
- โฌ๏ธ Bump step-security/harden-runner from 2.19.0 to 2.19.1 by @dependabot[bot] in #673
- โ Improvements to tests' FakeServer by @nevans in #678
- โฌ๏ธ Bump step-security/harden-runner from 2.19.1 to 2.19.3 by @dependabot[bot] in #682
- โฌ๏ธ Bump step-security/harden-runner from 2.19.3 to 2.19.4 by @dependabot[bot] in #683
Full Changelog: v0.6.4...v0.6.4.1