microsoft · jykanase · Sep 30, 2025 · Nov 27, 2025
@@ -0,0 +1,285 @@
+From d236865b0cfa1b752ea4b7da666b1fdcd0acebb6 Mon Sep 17 00:00:00 2001
+From: Nedyalko Dyakov <nedyalko.dyakov@gmail.com>
+Date: Wed, 19 Mar 2025 19:02:36 +0200
+Subject: [PATCH] fix: handle network error on SETINFO (#3295) (CVE-2025-29923)
+
+* fix: handle network error on SETINFO
+
+This fix addresses potential out of order responses as described in `CVE-2025-29923`
+
+* fix: deprecate DisableIndentity and introduce DisableIdentity
+
+Both options will work before V10. In v10 DisableIndentity will be dropped. The preferred flag to use is `DisableIdentity`.
+
+Upstream Patch Link: https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6.patch
+---
+ vendor/github.com/redis/go-redis/v9/README.md |  8 ++++---
+ .../github.com/redis/go-redis/v9/options.go   | 11 +++++++++-
+ .../redis/go-redis/v9/osscluster.go           | 18 +++++++++++++---
+ vendor/github.com/redis/go-redis/v9/redis.go  |  8 +++++--
+ vendor/github.com/redis/go-redis/v9/ring.go   | 14 ++++++++++++-
+ .../github.com/redis/go-redis/v9/sentinel.go  | 21 +++++++++++++++++--
+ .../github.com/redis/go-redis/v9/universal.go | 21 +++++++++++++++----
+ 7 files changed, 85 insertions(+), 16 deletions(-)
+
+diff --git a/vendor/github.com/redis/go-redis/v9/README.md b/vendor/github.com/redis/go-redis/v9/README.md
+index 043d3f0e..9adc7f12 100644
+--- a/vendor/github.com/redis/go-redis/v9/README.md
++++ b/vendor/github.com/redis/go-redis/v9/README.md
+@@ -172,16 +172,18 @@ By default, go-redis automatically sends the client library name and version dur
+
+ #### Disabling Identity Verification
+
+-When connection identity verification is not required or needs to be explicitly disabled, a `DisableIndentity` configuration option exists. In V10 of this library, `DisableIndentity` will become `DisableIdentity` in order to fix the associated typo.
++When connection identity verification is not required or needs to be explicitly disabled, a `DisableIdentity` configuration option exists.
++Initially there was a typo and the option was named `DisableIndentity` instead of `DisableIdentity`. The misspelled option is marked as Deprecated and will be removed in V10 of this library.
++Although both options will work at the moment, the correct option is `DisableIdentity`. The deprecated option will be removed in V10 of this library, so please use the correct option name to avoid any issues.
+
+-To disable verification, set the `DisableIndentity` option to `true` in the Redis client options:
++To disable verification, set the `DisableIdentity` option to `true` in the Redis client options:
+
+ ```go
+ rdb := redis.NewClient(&redis.Options{
+     Addr:            "localhost:6379",
+     Password:        "",
+     DB:              0,
+-    DisableIndentity: true, // Disable set-info on connect
++    DisableIdentity: true, // Disable set-info on connect
+ })
+ ```
+
+diff --git a/vendor/github.com/redis/go-redis/v9/options.go b/vendor/github.com/redis/go-redis/v9/options.go
+index dff52ae8..da9a5f99 100644
+--- a/vendor/github.com/redis/go-redis/v9/options.go
++++ b/vendor/github.com/redis/go-redis/v9/options.go
+@@ -142,9 +142,18 @@ type Options struct {
+ 	// Enables read only queries on slave/follower nodes.
+ 	readOnly bool
+
+-	// Disable set-lib on connect. Default is false.
++	// DisableIndentity - Disable set-lib on connect.
++	//
++	// default: false
++	//
++	// Deprecated: Use DisableIdentity instead.
+ 	DisableIndentity bool
+
++	// DisableIdentity is used to disable CLIENT SETINFO command on connect.
++	//
++	// default: false
++	DisableIdentity bool
++
+ 	// Add suffix to client name. Default is empty.
+ 	IdentitySuffix string
+ }
+diff --git a/vendor/github.com/redis/go-redis/v9/osscluster.go b/vendor/github.com/redis/go-redis/v9/osscluster.go
+index 17f98d9d..3d490ec1 100644
+--- a/vendor/github.com/redis/go-redis/v9/osscluster.go
++++ b/vendor/github.com/redis/go-redis/v9/osscluster.go
+@@ -85,8 +85,19 @@ type ClusterOptions struct {
+ 	ConnMaxIdleTime time.Duration
+ 	ConnMaxLifetime time.Duration
+
+-	TLSConfig        *tls.Config
+-	DisableIndentity bool // Disable set-lib on connect. Default is false.
++	TLSConfig *tls.Config
++
++	// DisableIndentity - Disable set-lib on connect.
++	//
++	// default: false
++	//
++	// Deprecated: Use DisableIdentity instead.
++	DisableIndentity bool
++
++	// DisableIdentity is used to disable CLIENT SETINFO command on connect.
++	//
++	// default: false
++	DisableIdentity bool
+
+ 	IdentitySuffix string // Add suffix to client name. Default is empty.
+ }
+@@ -294,7 +305,8 @@ func (opt *ClusterOptions) clientOptions() *Options {
+ 		MaxActiveConns:   opt.MaxActiveConns,
+ 		ConnMaxIdleTime:  opt.ConnMaxIdleTime,
+ 		ConnMaxLifetime:  opt.ConnMaxLifetime,
+-		DisableIndentity: opt.DisableIndentity,
++		DisableIdentity:  opt.DisableIdentity,
++		DisableIndentity: opt.DisableIdentity,
+ 		IdentitySuffix:   opt.IdentitySuffix,
+ 		TLSConfig:        opt.TLSConfig,
+ 		// If ClusterSlots is populated, then we probably have an artificial
+diff --git a/vendor/github.com/redis/go-redis/v9/redis.go b/vendor/github.com/redis/go-redis/v9/redis.go
+index d25a0d31..6d38ceb6 100644
+--- a/vendor/github.com/redis/go-redis/v9/redis.go
++++ b/vendor/github.com/redis/go-redis/v9/redis.go
+@@ -340,7 +340,7 @@ func (c *baseClient) initConn(ctx context.Context, cn *pool.Conn) error {
+ 		return err
+ 	}
+
+-	if !c.opt.DisableIndentity {
++	if !c.opt.DisableIdentity && !c.opt.DisableIndentity {
+ 		libName := ""
+ 		libVer := Version()
+ 		if c.opt.IdentitySuffix != "" {
+@@ -349,7 +349,11 @@ func (c *baseClient) initConn(ctx context.Context, cn *pool.Conn) error {
+ 		p := conn.Pipeline()
+ 		p.ClientSetInfo(ctx, WithLibraryName(libName))
+ 		p.ClientSetInfo(ctx, WithLibraryVersion(libVer))
+-		_, _ = p.Exec(ctx)
++		// Handle network errors (e.g. timeouts) in CLIENT SETINFO to avoid
++		// out of order responses later on.
++		if _, err = p.Exec(ctx); err != nil && !isRedisError(err) {
++			return err
++		}
+ 	}
+
+ 	if c.opt.OnConnect != nil {
+diff --git a/vendor/github.com/redis/go-redis/v9/ring.go b/vendor/github.com/redis/go-redis/v9/ring.go
+index 4ae00542..e9bd6595 100644
+--- a/vendor/github.com/redis/go-redis/v9/ring.go
++++ b/vendor/github.com/redis/go-redis/v9/ring.go
+@@ -98,8 +98,18 @@ type RingOptions struct {
+ 	TLSConfig *tls.Config
+ 	Limiter   Limiter
+
++	// DisableIndentity - Disable set-lib on connect.
++	//
++	// default: false
++	//
++	// Deprecated: Use DisableIdentity instead.
+ 	DisableIndentity bool
+-	IdentitySuffix   string
++
++	// DisableIdentity is used to disable CLIENT SETINFO command on connect.
++	//
++	// default: false
++	DisableIdentity bool
++	IdentitySuffix  string
+ }
+
+ func (opt *RingOptions) init() {
+@@ -166,7 +176,9 @@ func (opt *RingOptions) clientOptions() *Options {
+ 		TLSConfig: opt.TLSConfig,
+ 		Limiter:   opt.Limiter,
+
++		DisableIdentity:  opt.DisableIdentity,
+ 		DisableIndentity: opt.DisableIndentity,
++
+ 		IdentitySuffix:   opt.IdentitySuffix,
+ 	}
+ }
+diff --git a/vendor/github.com/redis/go-redis/v9/sentinel.go b/vendor/github.com/redis/go-redis/v9/sentinel.go
+index 188f8849..72dc265a 100644
+--- a/vendor/github.com/redis/go-redis/v9/sentinel.go
++++ b/vendor/github.com/redis/go-redis/v9/sentinel.go
+@@ -80,8 +80,19 @@ type FailoverOptions struct {
+
+ 	TLSConfig *tls.Config
+
++	// DisableIndentity - Disable set-lib on connect.
++	//
++	// default: false
++	//
++	// Deprecated: Use DisableIdentity instead.
+ 	DisableIndentity bool
+-	IdentitySuffix   string
++
++	// DisableIdentity is used to disable CLIENT SETINFO command on connect.
++	//
++	// default: false
++	DisableIdentity bool
++
++	IdentitySuffix string
+ }
+
+ func (opt *FailoverOptions) clientOptions() *Options {
+@@ -117,7 +128,9 @@ func (opt *FailoverOptions) clientOptions() *Options {
+
+ 		TLSConfig: opt.TLSConfig,
+
++		DisableIdentity:  opt.DisableIdentity,
+ 		DisableIndentity: opt.DisableIndentity,
++
+ 		IdentitySuffix:   opt.IdentitySuffix,
+ 	}
+ }
+@@ -154,7 +167,9 @@ func (opt *FailoverOptions) sentinelOptions(addr string) *Options {
+
+ 		TLSConfig: opt.TLSConfig,
+
++		DisableIdentity:  opt.DisableIdentity,
+ 		DisableIndentity: opt.DisableIndentity,
++
+ 		IdentitySuffix:   opt.IdentitySuffix,
+ 	}
+ }
+@@ -194,8 +209,10 @@ func (opt *FailoverOptions) clusterOptions() *ClusterOptions {
+
+ 		TLSConfig: opt.TLSConfig,
+
++		DisableIdentity:  opt.DisableIdentity,
+ 		DisableIndentity: opt.DisableIndentity,
+-		IdentitySuffix:   opt.IdentitySuffix,
++
++		IdentitySuffix: opt.IdentitySuffix,
+ 	}
+ }
+
+diff --git a/vendor/github.com/redis/go-redis/v9/universal.go b/vendor/github.com/redis/go-redis/v9/universal.go
+index 275bef3d..30aae0bc 100644
+--- a/vendor/github.com/redis/go-redis/v9/universal.go
++++ b/vendor/github.com/redis/go-redis/v9/universal.go
+@@ -61,13 +61,23 @@ type UniversalOptions struct {
+ 	RouteByLatency bool
+ 	RouteRandomly  bool
+
+-	// The sentinel master name.
+-	// Only failover clients.
+-
++	// MasterName is the sentinel master name.
++	// Only for failover clients.
+ 	MasterName string
+
++	// DisableIndentity - Disable set-lib on connect.
++	//
++	// default: false
++	//
++	// Deprecated: Use DisableIdentity instead.
+ 	DisableIndentity bool
+-	IdentitySuffix   string
++
++	// DisableIdentity is used to disable CLIENT SETINFO command on connect.
++	//
++	// default: false
++	DisableIdentity bool
++
++	IdentitySuffix string
+ }
+
+ // Cluster returns cluster options created from the universal options.
+@@ -112,6 +122,7 @@ func (o *UniversalOptions) Cluster() *ClusterOptions {
+
+ 		TLSConfig: o.TLSConfig,
+
++		DisableIdentity:  o.DisableIdentity,
+ 		DisableIndentity: o.DisableIndentity,
+ 		IdentitySuffix:   o.IdentitySuffix,
+ 	}
+@@ -158,6 +169,7 @@ func (o *UniversalOptions) Failover() *FailoverOptions {
+
+ 		TLSConfig: o.TLSConfig,
+
++		DisableIdentity:  o.DisableIdentity,
+ 		DisableIndentity: o.DisableIndentity,
+ 		IdentitySuffix:   o.IdentitySuffix,
+ 	}
+@@ -201,6 +213,7 @@ func (o *UniversalOptions) Simple() *Options {
+
+ 		TLSConfig: o.TLSConfig,
+
++		DisableIdentity:  o.DisableIdentity,
+ 		DisableIndentity: o.DisableIndentity,
+ 		IdentitySuffix:   o.IdentitySuffix,
+ 	}
+-- 
+2.34.1