CELERYSA-0002.txt 2.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990
  1. =========================================
  2. CELERYSA-0002: Celery Security Advisory
  3. =========================================
  4. :contact: security@celeryproject.org
  5. :CVE id: TBA
  6. :date: 2014-07-10 05:00:00 p.m. UTC
  7. Details
  8. =======
  9. :package: celery
  10. :vulnerability: Environment error
  11. :problem type: local
  12. :risk: low
  13. :versions-affected: 2.5, 3.0, 3.1
  14. Description
  15. ===========
  16. The built-in utility used to daemonize the Celery worker service sets
  17. an insecure umask by default (umask 0).
  18. This means that any files or directories created by the worker will
  19. end up having world-writable permissions.
  20. In practice this means that local users will be able to modify and possibly
  21. corrupt the files created by user tasks.
  22. This isn't immediately exploitable but can be if those files are later
  23. evaluated as a program, for example a task that creates Python program files
  24. that are later executed.
  25. Patches are now available for all maintained versions (see below),
  26. and users are urged to upgrade, even if not directly
  27. affected.
  28. Acknowledgments
  29. ===============
  30. Special thanks to Red Hat for originally discovering and reporting the issue.
  31. Systems affected
  32. ================
  33. Users of Celery versions 3.0, and 3.1, except the recently
  34. released 3.1.13, are affected if daemonizing the
  35. Celery programs using the `--detach` argument or using the `celery multi` program
  36. to start workers in the background, without setting a custom `--umask`
  37. argument.
  38. Solution
  39. ========
  40. NOTE:
  41. Not all users of Celery will use it to create files, but if you do
  42. then files may already have been created with insecure permissions.
  43. So after upgrading, or using the workaround, then please make sure
  44. that files already created aren't world writable.
  45. To work around the issue you can set a custom umask using the ``--umask``
  46. argument:
  47. $ celery worker -l info --detach --umask=18 # (022)
  48. Or you can upgrade to a more recent version:
  49. - Users of the 3.1 series should upgrade to 3.1.13:
  50. * ``pip install -U celery``, or
  51. * ``easy_install -U celery``, or
  52. * https://pypi.python.org/pypi/celery/3.1.13
  53. - Users of the 3.0 series should upgrade to 3.0.25:
  54. * ``pip install -U celery==3.0.25``, or
  55. * ``easy_install -U celery==3.0.25``, or
  56. * https://pypi.python.org/pypi/celery/3.0.25
  57. Distribution package maintainers are urged to provide their users
  58. with updated packages.
  59. Please direct questions to the celery-users mailing-list:
  60. https://groups.google.com/group/celery-users/,
  61. or if you're planning to report a new security related issue we request that
  62. you keep the information confidential by contacting
  63. security@celeryproject.org instead.
  64. Thank you!