Date: Fri, 2 Sep 2022 20:43:01 +0000 From: Seth Arnold <seth.arnold@...onical.com> To: Jedidiah Cunningham <jedcunningham@...che.org> Cc: oss-security@...ts.openwall.com Subject: Re: CVE-2022-38170: Apache Airflow: Overly permissive umask for deamons On Fri, Sep 02, 2022 at 03:55:07AM +0000, Jedidiah Cunningham wrote: > In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--deamon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver. Hello Jedidiah, Thanks for contributing to the oss-security list; I believe your contributions would be far more valuable if they included some further details -- providing links to issues and commits is common, but you could also include the details in the email if that's easier for whatever reason. Thanks Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.