forked from celery/celery
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
21 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -18,10 +18,10 @@ Details | |
| Description | ||
| =========== | ||
|
|
||
| The ``--uid`` and ``--gid`` arguments to the ``celeryd-multi``, | ||
| ``celeryd_detach``, ``celerybeat``, ``celeryev`` programs shipped | ||
| with Celery versions 2.1 and later was not handled properly | ||
| in that only the effective user was changed, and the real id remained | ||
| The --uid and --gid arguments to the celeryd-multi, | ||
| celeryd_detach, celerybeat and celeryev programs shipped | ||
| with Celery versions 2.1 and later was not handled properly: | ||
| only the effective user was changed, with the real id remaining | ||
| unchanged. | ||
|
|
||
| In practice for affected users the vulnerability means that malicious code | ||
|
|
@@ -35,17 +35,18 @@ malicious users cannot abuse the message broker to send messages, | |
| or disable the pickle serializer used in Celery so that arbitrary code | ||
| execution is not possible. | ||
|
|
||
| Patches are now | ||
| available to affected version series still maintained (see below). | ||
| Patches are now available for all maintained versions (see below), | ||
| and users are urged to upgrade, even if not directly | ||
| affected. | ||
|
|
||
| System affected | ||
| =============== | ||
| Systems affected | ||
| ================ | ||
|
|
||
| Users of Celery versions 2.1, 2.2, 2.3, 2.4 except the recently | ||
| released 2.2.8, 2.3.4 and 2.4.4, daemonizing the celery programs | ||
| as the root user using either: | ||
| 1) the --uid or --gid arguments set, | ||
| or 2) the provided generic init scripts with the environment variables | ||
| as the root user, using either: | ||
| 1) the --uid or --gid arguments, or | ||
| 2) the provided generic init scripts with the environment variables | ||
| CELERYD_USER or CELERYD_GROUP defined, | ||
| are affected. | ||
|
|
||
|
|
@@ -80,3 +81,12 @@ of that series to upgrade to a more recent version. | |
| Distribution package maintainers are urged to provide their users | ||
| with updated packages. | ||
|
|
||
|
|
||
| Please direct questions to the celery-users mailing-list: | ||
| http://groups.google.com/group/celery-users/, | ||
|
|
||
| or if you are planning to report a security issue we request that | ||
| you keep the information confidential by contacting | ||
| [email protected], so that a fix can be issued as quickly as possible. | ||
|
|
||
| Thank you! | ||