oss-security - Re: CVE-2022-38170: Apache Airflow: Overly permissive umask for deamons

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Tue, 20 Sep 2022 13:56:47 -0600
From: Jed Cunningham <jedcunningham@...che.org>
To: Jedidiah Cunningham <jedcunningham@...che.org>, oss-security@...ts.openwall.com
Subject: Re: CVE-2022-38170: Apache Airflow: Overly permissive
 umask for deamons

Hi Seth,

Thanks for the feedback, and I agree. We will start adding links to the PR
fixing the issue going forward, starting with our announcements today.

Thanks,
Jed

On Fri, Sep 2, 2022, 2:43 PM Seth Arnold <seth.arnold@...onical.com> wrote:

> On Fri, Sep 02, 2022 at 03:55:07AM +0000, Jedidiah Cunningham wrote:
> > In Apache Airflow prior to 2.3.4, an insecure umask was configured for
> numerous Airflow components when running with the  `--deamon` flag which
> could result in a race condition giving world-writable files in the Airflow
> home directory and allowing local users to expose arbitrary file contents
> via the webserver.
>
> Hello Jedidiah,
>
> Thanks for contributing to the oss-security list; I believe your
> contributions would be far more valuable if they included some further
> details -- providing links to issues and commits is common, but you could
> also include the details in the email if that's easier for whatever reason.
>
> Thanks
>

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.