Home Explore Help
Sign In
yangck
/
celery
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Wording

Ask Solem 14 years ago
parent
3eac5ed244
commit
445ec4a8c6
1 changed files with 21 additions and 11 deletions
Split View Show Diff Stats
  1. 21 11
      docs/sec/CELERYSA-0001.txt

+ 21 - 11
docs/sec/CELERYSA-0001.txt
View File 

@@ -18,10 +18,10 @@ Details
 
 Description
 
 ===========
 
 
-The ``--uid`` and ``--gid`` arguments to the ``celeryd-multi``,
 
-``celeryd_detach``, ``celerybeat``, ``celeryev`` programs shipped
 
-with Celery versions 2.1 and later was not handled properly
 
-in that only the effective user was changed, and the real id remained
 
+The --uid and --gid arguments to the celeryd-multi,
 
+celeryd_detach, celerybeat and celeryev programs shipped
 
+with Celery versions 2.1 and later was not handled properly:
 
+only the effective user was changed, with the real id remaining
 
 unchanged.
 
 
 In practice for affected users the vulnerability means that malicious code
 
@@ -35,17 +35,18 @@ malicious users cannot abuse the message broker to send messages,
 
 or disable the pickle serializer used in Celery so that arbitrary code
 
 execution is not possible.
 
 
-Patches are now
 
-available to affected version series still maintained (see below).
 
+Patches are now available for all maintained versions (see below),
 
+and users are urged to upgrade, even if not directly
 
+affected.
 
 
-System affected
 
-===============
 
+Systems affected
 
+================
 
 
 Users of Celery versions 2.1, 2.2, 2.3, 2.4 except the recently
 
 released 2.2.8, 2.3.4 and 2.4.4, daemonizing the celery programs
 
-as the root user using either:
 
-    1) the --uid or --gid arguments set,
 
- or 2) the provided generic init scripts with the environment variables
 
+as the root user, using either:
 
+    1) the --uid or --gid arguments, or
 
+    2) the provided generic init scripts with the environment variables
 
        CELERYD_USER or CELERYD_GROUP defined,
 
 are affected.
 
 
@@ -80,3 +81,12 @@ of that series to upgrade to a more recent version.
 
 Distribution package maintainers are urged to provide their users
 
 with updated packages.
 
 
+
 
+Please direct questions to the celery-users mailing-list:
 
+http://groups.google.com/group/celery-users/,
 
+
 
+or if you are planning to report a security issue we request that
 
+you keep the information confidential by contacting
 
+security@celeryproject.org, so that a fix can be issued as quickly as possible.
 
+
 
+Thank you!