|
@@ -18,10 +18,10 @@ Details
|
|
|
Description
|
|
Description
|
|
|
===========
|
|
===========
|
|
|
|
|
|
|
|
-The ``--uid`` and ``--gid`` arguments to the ``celeryd-multi``,
|
|
|
|
|
-``celeryd_detach``, ``celerybeat``, ``celeryev`` programs shipped
|
|
|
|
|
-with Celery versions 2.1 and later was not handled properly
|
|
|
|
|
-in that only the effective user was changed, and the real id remained
|
|
|
|
|
|
|
+The --uid and --gid arguments to the celeryd-multi,
|
|
|
|
|
+celeryd_detach, celerybeat and celeryev programs shipped
|
|
|
|
|
+with Celery versions 2.1 and later was not handled properly:
|
|
|
|
|
+only the effective user was changed, with the real id remaining
|
|
|
unchanged.
|
|
unchanged.
|
|
|
|
|
|
|
|
In practice for affected users the vulnerability means that malicious code
|
|
In practice for affected users the vulnerability means that malicious code
|
|
@@ -35,17 +35,18 @@ malicious users cannot abuse the message broker to send messages,
|
|
|
or disable the pickle serializer used in Celery so that arbitrary code
|
|
or disable the pickle serializer used in Celery so that arbitrary code
|
|
|
execution is not possible.
|
|
execution is not possible.
|
|
|
|
|
|
|
|
-Patches are now
|
|
|
|
|
-available to affected version series still maintained (see below).
|
|
|
|
|
|
|
+Patches are now available for all maintained versions (see below),
|
|
|
|
|
+and users are urged to upgrade, even if not directly
|
|
|
|
|
+affected.
|
|
|
|
|
|
|
|
-System affected
|
|
|
|
|
-===============
|
|
|
|
|
|
|
+Systems affected
|
|
|
|
|
+================
|
|
|
|
|
|
|
|
Users of Celery versions 2.1, 2.2, 2.3, 2.4 except the recently
|
|
Users of Celery versions 2.1, 2.2, 2.3, 2.4 except the recently
|
|
|
released 2.2.8, 2.3.4 and 2.4.4, daemonizing the celery programs
|
|
released 2.2.8, 2.3.4 and 2.4.4, daemonizing the celery programs
|
|
|
-as the root user using either:
|
|
|
|
|
- 1) the --uid or --gid arguments set,
|
|
|
|
|
- or 2) the provided generic init scripts with the environment variables
|
|
|
|
|
|
|
+as the root user, using either:
|
|
|
|
|
+ 1) the --uid or --gid arguments, or
|
|
|
|
|
+ 2) the provided generic init scripts with the environment variables
|
|
|
CELERYD_USER or CELERYD_GROUP defined,
|
|
CELERYD_USER or CELERYD_GROUP defined,
|
|
|
are affected.
|
|
are affected.
|
|
|
|
|
|
|
@@ -80,3 +81,12 @@ of that series to upgrade to a more recent version.
|
|
|
Distribution package maintainers are urged to provide their users
|
|
Distribution package maintainers are urged to provide their users
|
|
|
with updated packages.
|
|
with updated packages.
|
|
|
|
|
|
|
|
|
|
+
|
|
|
|
|
+Please direct questions to the celery-users mailing-list:
|
|
|
|
|
+http://groups.google.com/group/celery-users/,
|
|
|
|
|
+
|
|
|
|
|
+or if you are planning to report a security issue we request that
|
|
|
|
|
+you keep the information confidential by contacting
|
|
|
|
|
+security@celeryproject.org, so that a fix can be issued as quickly as possible.
|
|
|
|
|
+
|
|
|
|
|
+Thank you!
|
Ask Solem