=========================================
 CELERYSA-0002: Celery Security Advisory
=========================================
:contact: security@celeryproject.org
:CVE id: TBA
:date: 2014-07-10 05:00:00 p.m. UTC

Details
=======
:package: celery
:vulnerability: Environment error
:problem type: local
:risk: low
:versions-affected: 2.5, 3.0, 3.1

Description
===========

The built-in utility used to daemonize the Celery worker service sets
an insecure umask by default (umask 0).

This means that any files or directories created by the worker will
end up having world-writable permissions.

In practice this means that local users will be able to modify and possibly
corrupt the files created by user tasks.

This isn't immediately exploitable, but it can become so if those files are
later evaluated as a program, for example a task that creates Python program
files that are later executed.

Patches are now available for all maintained versions (see below),
and users are urged to upgrade, even if not directly
affected.

Acknowledgments
===============

Special thanks to Red Hat for originally discovering and reporting the issue.

Systems affected
================

Users of Celery versions 3.0 and 3.1, except the recently
released 3.1.13, are affected if daemonizing the
Celery programs using the ``--detach`` argument or using the ``celery multi``
program to start workers in the background, without setting a custom
``--umask`` argument.

Solution
========

NOTE:
    Not all users of Celery will use it to create files, but if you do,
    then files may already have been created with insecure permissions.
    So after upgrading, or applying the workaround, please make sure
    that files already created aren't world writable.

To work around the issue you can set a custom umask using the ``--umask``
argument::

    $ celery worker -l info --detach --umask=18  # (022)

Or you can upgrade to a more recent version:

- Users of the 3.1 series should upgrade to 3.1.13:

  * ``pip install -U celery``, or
  * ``easy_install -U celery``, or
  * https://pypi.python.org/pypi/celery/3.1.13

- Users of the 3.0 series should upgrade to 3.0.25:

  * ``pip install -U celery==3.0.25``, or
  * ``easy_install -U celery==3.0.25``, or
  * https://pypi.python.org/pypi/celery/3.0.25
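The following is an added example, not part of this advisory or of Celery's own code. It shows what a umask of 0 versus 022 (the decimal 18 passed to ``--umask``) does to files a daemonized worker creates, and walks a directory for anything world-writable, which is the check the NOTE above asks for after upgrading. The file names, the scratch directory and the helper functions are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Added example, not the advisory's or Celery's code.
# Celery's ``--umask=18`` is decimal 18, i.e. octal 022: new files end up
# rw-r--r--. The affected daemonizer used 0, leaving the 0666 request intact.
SAFE_UMASK = 0o022
INSECURE_UMASK = 0


def create_with_umask(path, umask):
    """Create ``path`` under ``umask`` the way a worker task's open() would,
    restore the previous umask, and return the resulting permission bits."""
    old = os.umask(umask)
    try:
        # open() for writing requests 0666; the process umask masks it down.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def find_world_writable(root):
    """Return sorted paths under ``root`` whose o+w bit is set.
    Symlinks are skipped: their own mode bits are not meaningful."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append(full)
    return sorted(hits)


def demo():
    """Create one file per umask in a scratch directory and audit it.
    Returns (insecure_mode, fixed_mode, world_writable_names)."""
    with tempfile.TemporaryDirectory() as root:
        bad = create_with_umask(os.path.join(root, "insecure.py"), INSECURE_UMASK)
        good = create_with_umask(os.path.join(root, "fixed.py"), SAFE_UMASK)
        exposed = [os.path.basename(p) for p in find_world_writable(root)]
    return bad, good, exposed


if __name__ == "__main__":
    bad, good, exposed = demo()
    print("umask 0   -> %04o" % bad)    # 0666
    print("umask 022 -> %04o" % good)   # 0644
    print("world-writable:", exposed)   # ['insecure.py']
```

To repair files the audit reports, clear only the offending bit with ``os.chmod(p, stat.S_IMODE(os.stat(p).st_mode) & ~stat.S_IWOTH)`` rather than assigning a fixed mode, so executables and directories keep their other permissions.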
Distribution package maintainers are urged to provide their users
with updated packages.

Please direct questions to the celery-users mailing list:
https://groups.google.com/group/celery-users/,
or if you're planning to report a new security-related issue we request that
you keep the information confidential by contacting
security@celeryproject.org instead.

Thank you!