Página Principal Explorar Ajuda
Iniciar Sessão
yangck
/
celery
1
0
Fork 0
Ficheiros Problemas 0 Pull Requests 0 Wiki
Ramo: master
Ramos Etiquetas
celery
/
docs
/
sec
/
CELERYSA-0002.txt

CELERYSA-0002.txt 2.6 KB
Link permanente Histórico Em bruto

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990 
  1. =========================================
    2. 

  2.  CELERYSA-0002: Celery Security Advisory
    3. 

  3. =========================================
    4. 

  4. :contact: security@celeryproject.org
    5. 

  5. :CVE id: TBA
    6. 

  6. :date: 2014-07-10 05:00:00 p.m. UTC
    7. 

  7. 

  8. Details
    9. 

  9. =======
    10. 

  10. 

  11. :package: celery
    12. 

  12. :vulnerability: Environment error
    13. 

  13. :problem type: local
    14. 

  14. :risk: low
    15. 

  15. :versions-affected: 2.5, 3.0, 3.1
    16. 

  16. 

  17. Description
    18. 

  18. ===========
    19. 

  19. 

  20. The built-in utility used to daemonize the Celery worker service sets
    21. 

  21. an insecure umask by default (umask 0).
    22. 

  22. 

  23. This means that any files or directories created by the worker will
    24. 

  24. end up having world-writable permissions.
    25. 

  25. 

  26. In practice this means that local users will be able to modify and possibly
    27. 

  27. corrupt the files created by user tasks.
    28. 

  28. 

  29. This isn't immediately exploitable but can be if those files are later
    30. 

  30. evaluated as a program, for example a task that creates Python program files
    31. 

  31. that are later executed.
    32. 

  32. 

  33. Patches are now available for all maintained versions (see below),
    34. 

  34. and users are urged to upgrade, even if not directly
    35. 

  35. affected.
    36. 

  36. 

  37. Acknowledgments
    38. 

  38. ===============
    39. 

  39. 

  40. Special thanks to Red Hat for originally discovering and reporting the issue.
    41. 

  41. 

  42. Systems affected
    43. 

  43. ================
    44. 

  44. 

  45. Users of Celery versions 3.0, and 3.1, except the recently
    46. 

  46. released 3.1.13, are affected if daemonizing the
    47. 

  47. Celery programs using the `--detach` argument or using the `celery multi` program
    48. 

  48. to start workers in the background, without setting a custom `--umask`
    49. 

  49. argument.
    50. 

  50. 

  51. Solution
    52. 

  52. ========
    53. 

  53. 

  54. NOTE:
    55. 

  55.     Not all users of Celery will use it to create files, but if you do
    56. 

  56.     then files may already have been created with insecure permissions.
    57. 

  57. 

  58.     So after upgrading, or using the workaround, then please make sure
    59. 

  59.     that files already created aren't world writable.
    60. 

  60. 

  61. To work around the issue you can set a custom umask using the ``--umask``
    62. 

  62. argument:
    63. 

  63. 

  64.     $ celery worker -l info --detach --umask=18   # (022)
    65. 

  65. 

  66. Or you can upgrade to a more recent version:
    67. 

  67. 

  68. - Users of the 3.1 series should upgrade to 3.1.13:
    69. 

  69. 

  70.     * ``pip install -U celery``, or
    71. 

  71.     * ``easy_install -U celery``, or
    72. 

  72.     * https://pypi.org/project/celery/3.1.13/
    73. 

  73. 

  74. - Users of the 3.0 series should upgrade to 3.0.25:
    75. 

  75. 

  76.     * ``pip install -U celery==3.0.25``, or
    77. 

  77.     * ``easy_install -U celery==3.0.25``, or
    78. 

  78.     * https://pypi.org/project/celery/3.0.25/
    79. 

  79. 

  80. Distribution package maintainers are urged to provide their users
    81. 

  81. with updated packages.
    82. 

  82. 

  83. Please direct questions to the celery-users mailing-list:
    84. 

  84. https://groups.google.com/group/celery-users/,
    85. 

  85. 

  86. or if you're planning to report a new security related issue we request that
    87. 

  87. you keep the information confidential by contacting
    88. 

  88. security@celeryproject.org instead.
    89. 

  89. 

  90. Thank you!
    91.