v0.5.15

[nevans]

What's Changed

This release fixes several more security vulnerabilities which are related to the fixes in v0.5.14.

• (moderate) Command Injection via non-synchronizing literal in "raw" argument (CVE-2026-47240, GHSA-8p34-64r3-mwg8)
  This vulnerability depends how the server interprets non-synchronizing literals.
  The connection is not vulnerable if the server supports non-synchronizing literals.
  • 🥅 Validate non-synchronizing literals support by @nevans in 🍒 Backport v0.6.4.1 security patches to v0.5 #703 (backports 🥅 Validate non-synchronizing literals support #701)
• (moderate) Command Injection via unvalidated ID and ENABLE arguments (CVE-2026-47242, GHSA-46q3-7gv7-qmgg)
  • 🥅 Validate ID values contain only valid bytes by @nevans in 🍒 Backport v0.6.4.1 security patches to v0.5 #703 (backports 🥅 Validate ID values contain only valid bytes #698)
  • 🥅 Validate #enable arguments are all atoms by @nevans in 🍒 Backport v0.6.4.1 security patches to v0.5 #703 (backport 🥅 Validate #enable arguments are all atoms #699)
    NOTE: #enable should never be called with untrusted input.
• (low) Denial of Service via incomplete "raw" argument validation (CVE-2026-47241, GHSA-c4fp-cxrr-mj66)
  This results in the affected command hanging until the connection is closed. If another thread attempts to send a concurrent pipelined command, the first thread will return with a syntax error and the second thread will hang until the connection closes.
  • Reported by @fg0x0
  • 🐛 Prevent trailing {0} in RawData validation by @nevans in 🍒 Backport v0.6.4.1 security patches to v0.5 #703 (backports 🐛 Prevent trailing {0} in RawData validation #700)

Fixed

• 🥅 Validate that Atom and Flag are not empty by @nevans in 🥅 Validate that Atom and Flag are not empty (backports #684) #685 (backports 🥅 Validate that Atom and Flag are not empty #684)
• 🧵 Fix deadlock in #disconnect by @nevans in 🍒 Backports #686 to v0.5: 🧵 Fix deadlock in #disconnect #697 (backports 🧵 Fix deadlock in #disconnect #686)

Documentation

• ⚠️ Boost visibility of raw data argument documentation warnings by @nevans in 🍒 Backports #675, #676, #677, #678, #679, #681 to v0.5 #696 (backports ⚠️ Boost visibility of raw data argument documentation warnings #677)

Other Changes

• 🏷️ Allow 64-bit Integer arguments in 🍒 Backports #675, #676, #677, #678, #679, #681 to v0.5 #696 (backports 🏷 Allow 64-bit Integer arguments #675)
• 🥅 Ensure send_number_data input is an Integer in 🍒 Backports #675, #676, #677, #678, #679, #681 to v0.5 #696 (backports 🥅 Ensure send_number_data input is an Integer #676)
• ♻️ Improve RawData.new, Add RawData.split by @nevans in 🍒 Backports #675, #676, #677, #678, #679, #681 to v0.5 #696 (backports ♻️ Improve RawData.new, Add RawData.split #679)
• 🥅 Validate response literal byte size format by @nevans in 🍒 Backports #675, #676, #677, #678, #679, #681 to v0.5 #696 (backports 🥅 Validate response literal byte size format #681)

Miscellaneous

• ✅ Improvements to tests' FakeServer in 🍒 Backports #675, #676, #677, #678, #679, #681 to v0.5 #696 (backports ✅ Improvements to tests' FakeServer #678)

Full Changelog: v0.5.14...v0.5.15

---

This discussion was created from the release v0.5.15.