Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 2 Sep 2022 20:43:01 +0000
From: Seth Arnold <seth.arnold@...onical.com>
To: Jedidiah Cunningham <jedcunningham@...che.org>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2022-38170: Apache Airflow: Overly permissive
 umask for deamons

On Fri, Sep 02, 2022 at 03:55:07AM +0000, Jedidiah Cunningham wrote:
> In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the  `--deamon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.

Hello Jedidiah,

Thanks for contributing to the oss-security list; I believe your
contributions would be far more valuable if they included some further
details -- providing links to issues and commits is common, but you could
also include the details in the email if that's easier for whatever reason.

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.