Date: Tue, 20 Sep 2022 13:56:47 -0600 From: Jed Cunningham <jedcunningham@...che.org> To: Jedidiah Cunningham <jedcunningham@...che.org>, oss-security@...ts.openwall.com Subject: Re: CVE-2022-38170: Apache Airflow: Overly permissive umask for deamons Hi Seth, Thanks for the feedback, and I agree. We will start adding links to the PR fixing the issue going forward, starting with our announcements today. Thanks, Jed On Fri, Sep 2, 2022, 2:43 PM Seth Arnold <seth.arnold@...onical.com> wrote: > On Fri, Sep 02, 2022 at 03:55:07AM +0000, Jedidiah Cunningham wrote: > > In Apache Airflow prior to 2.3.4, an insecure umask was configured for > numerous Airflow components when running with the `--deamon` flag which > could result in a race condition giving world-writable files in the Airflow > home directory and allowing local users to expose arbitrary file contents > via the webserver. > > Hello Jedidiah, > > Thanks for contributing to the oss-security list; I believe your > contributions would be far more valuable if they included some further > details -- providing links to issues and commits is common, but you could > also include the details in the email if that's easier for whatever reason. > > Thanks >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.