Halaman utama Jelajahi Bantuan
Masuk
yangck
/
celery
1
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Pohon: 5667676291
Ranting Tag
celery
/
docs
/
sec
/
CELERYSA-0001.txt

CELERYSA-0001.txt 2.5 KB
Riwayat Mentahan

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182 
  1. =========================================
    2. 

  2.  CELERYSA-0001: Celery Security Advisory
    3. 

  3. =========================================
    4. 

  4. :contact: security@celeryproject.org
    5. 

  5. :author: Ask Solem
    6. 

  6. :date: 2011-11-25 04:35:00 P.M GMT
    7. 

  7. 

  8. Details
    9. 

  9. =======
    10. 

  10. 

  11. :package: celery
    12. 

  12. :vulnerability: privilege escalation
    13. 

  13. :problem type: local
    14. 

  14. :risk: medium
    15. 

  15. :bug-no: Celery #544
    16. 

  16. :versions-affected: 2.1, 2.2, 2.3, 2.4
    17. 

  17. 

  18. Description
    19. 

  19. ===========
    20. 

  20. 

  21. The ``--uid`` and ``--gid`` arguments to the ``celeryd-multi``,
    22. 

  22. ``celeryd_detach``, ``celerybeat``, ``celeryev`` programs shipped
    23. 

  23. with Celery versions 2.1 and later was not handled properly
    24. 

  24. in that only the effective user was changed, and the real id remained
    25. 

  25. unchanged.
    26. 

  26. 

  27. In practice for affected users the vulnerability means that malicious code
    28. 

  28. loaded in the worker process would be allowed to escalate privileges.
    29. 

  29. 

  30. We take this issue seriously since the Pickle serializer used by
    31. 

  31. default makes it possible to execute arbitrary code.
    32. 

  32. 

  33. We recommend that users takes steps to secure their systems so that
    34. 

  34. malicious users cannot abuse the message broker to send messages,
    35. 

  35. or disable the pickle serializer used in Celery so that arbitrary code
    36. 

  36. execution is not possible.
    37. 

  37. 

  38. Patches are now
    39. 

  39. available to affected version series still maintained (see below).
    40. 

  40. 

  41. System affected
    42. 

  42. ===============
    43. 

  43. 

  44. Users of Celery versions 2.1, 2.2, 2.3, 2.4 except the recently
    45. 

  45. released 2.2.8, 2.3.4 and 2.4.4, daemonizing the celery programs
    46. 

  46. as the root user using either:
    47. 

  47.     1) the --uid or --gid arguments set,
    48. 

  48.  or 2) the provided generic init scripts with the environment variables
    49. 

  49.        CELERYD_USER or CELERYD_GROUP defined,
    50. 

  50. are affected.
    51. 

  51. 

  52. Users using the Debian init scripts, CentOS init scripts, OS X launchctl
    53. 

  53. scripts, Supervisor, or users not starting the programs as the root user
    54. 

  54. are *not* affected.
    55. 

  55. 

  56. Solution
    57. 

  57. ========
    58. 

  58. 

  59. Users of the 2.4 series should upgrade to 2.4.4:
    60. 

  60. 

  61.     * ``pip install -U celery``, or
    62. 

  62.     * ``easy_install -U celery``, or
    63. 

  63.     * http://pypi.python.org/pypi/celery/2.4.4
    64. 

  64. 

  65. Users of the 2.3 series should upgrade to 2.3.4:
    66. 

  66. 

  67.     * ``pip install -U celery==2.3.4``, or
    68. 

  68.     * ``easy_install -U celery==2.3.4``, or
    69. 

  69.     * http://pypi.python.org/pypi/celery/2.3.4
    70. 

  70. 

  71. Users of the 2.2 series should upgrade to 2.2.8:
    72. 

  72. 

  73.     * ``pip install -U celery==2.2.8``, or
    74. 

  74.     * ``easy_install -U celery==2.2.8``, or
    75. 

  75.     * http://pypi.python.org/pypi/celery/2.2.8
    76. 

  76. 

  77. The 2.1 series is no longer being maintained, so we urge users
    78. 

  78. of that series to upgrade to a more recent version.
    79. 

  79. 

  80. Distribution package maintainers are urged to provide their users
    81. 

  81. with updated packages.
    82. 

  82.