@@ -0,0 +1,82 @@
+=========================================
+ CELERYSA-0001: Celery Security Advisory
+=========================================
+:contact: security@celeryproject.org
+:author: Ask Solem
+:date: 2011-11-25 04:35:00 P.M GMT
+
+Details
+=======
+
+:package: celery
+:vulnerability: privilege escalation
+:problem type: local
+:risk: medium
+:bug-no: Celery #544
+:versions-affected: 2.1, 2.2, 2.3, 2.4
+
+Description
+===========
+
+The ``--uid`` and ``--gid`` arguments to the ``celeryd-multi``,
+``celeryd_detach``, ``celerybeat``, ``celeryev`` programs shipped
+with Celery versions 2.1 and later was not handled properly
+in that only the effective user was changed, and the real id remained
+unchanged.
+
+In practice for affected users the vulnerability means that malicious code
+loaded in the worker process would be allowed to escalate privileges.
+
+We take this issue seriously since the Pickle serializer used by
+default makes it possible to execute arbitrary code.
+
+We recommend that users takes steps to secure their systems so that
+malicious users cannot abuse the message broker to send messages,
+or disable the pickle serializer used in Celery so that arbitrary code
+execution is not possible.
+
+Patches are now
+available to affected version series still maintained (see below).
+
+System affected
+===============
+
+Users of Celery versions 2.1, 2.2, 2.3, 2.4 except the recently
+released 2.2.8, 2.3.4 and 2.4.4, daemonizing the celery programs
+as the root user using either:
+ 1) the --uid or --gid arguments set,
+ or 2) the provided generic init scripts with the environment variables
+ CELERYD_USER or CELERYD_GROUP defined,
+are affected.
+
+Users using the Debian init scripts, CentOS init scripts, OS X launchctl
+scripts, Supervisor, or users not starting the programs as the root user
+are *not* affected.
+
+Solution
+========
+
+Users of the 2.4 series should upgrade to 2.4.4:
+
+ * ``pip install -U celery``, or
+ * ``easy_install -U celery``, or
+ * http://pypi.python.org/pypi/celery/2.4.4
+
+Users of the 2.3 series should upgrade to 2.3.4:
+
+ * ``pip install -U celery==2.3.4``, or
+ * ``easy_install -U celery==2.3.4``, or
+ * http://pypi.python.org/pypi/celery/2.3.4
+
+Users of the 2.2 series should upgrade to 2.2.8:
+
+ * ``pip install -U celery==2.2.8``, or
+ * ``easy_install -U celery==2.2.8``, or
+ * http://pypi.python.org/pypi/celery/2.2.8
+
+The 2.1 series is no longer being maintained, so we urge users
+of that series to upgrade to a more recent version.
+
+Distribution package maintainers are urged to provide their users
+with updated packages.
+
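Review bot: the Description explains the defect ("only the effective user was changed, and the real id remained unchanged") but the advisory never states what the fixed releases do differently, so readers and distribution packagers have no way to confirm a backport is complete; add one sentence in the Description or Solution section saying that the fixed versions change the real (and saved) user and group ids as well as the effective ones, and reference the fix commit alongside "Celery #544". Two grammar fixes in the same section: "+with Celery versions 2.1 and later was not handled properly" should read "were not handled properly" (the subject is the two arguments), and "+We recommend that users takes steps" should read "take steps". In the Solution section the 2.4 instruction "+ * ``pip install -U celery``, or" is the only unpinned one; "``pip install -U celery==2.4.4``" would match the 2.3 and 2.2 entries and keep the advice valid once later releases exist. Finally, the ":date:" value "2011-11-25 04:35:00 P.M GMT" mixes a 24-hour-style field with "P.M"; a plain 24-hour time or an unambiguous timestamp format would avoid misreading.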