Date: Tue, 8 Jan 2019 22:31:58 +0000 From: Ash Berlin-Taylor <ash@...che.org> To: dev@...flow.apache.org, Apache Security Team <security@...che.org>, oss-security@...ts.openwall.com Cc: Stijn van Drongelen <rhymoid@...il.com> Subject: CVE-2018-20245: Apache Airflow LDAP auth backend did not validate SSL certificate for <= 1.10.0 CVE-2018-20245: LDAP auth backend did not validate SSL certificate for Apache Airflow <= 1.10.0 Vendor: The Apache Software Foundation Versions Affected: <= 1.10.0 Description: The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) was misconfigured and contained improper checking of exceptions which disabled server certificate checking. Apache Airflow 1.10.1+ now only supports TLS connections and does not support insecure connections to LDAP servers any more. (Self-signed certificates are allowed if you pass in the expected server certificate as the "cacert" option under the "[ldap]" section of the config.) Credit: This issue was discovered by Stijn van Drongelen Thanks, Ash Berlin-Taylor
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.