
Update dependency apache-airflow to v2.8.4 [SECURITY] #3974

Merged
merged 1 commit into from Mar 27, 2024

Conversation

openverse-bot
Collaborator

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| apache-airflow (changelog) | patch | `==2.8.2` -> `==2.8.4` |

GitHub Vulnerability Alerts

CVE-2024-28746

Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc. from the UI which they do not have permission to access.

Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability.

CVE-2024-29735

Improper Preservation of Permissions vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.8.2 through 2.8.3.

Airflow's local file task handler incorrectly set permissions for all parent folders of the log folder; in the default configuration this added write access for the Unix group of the folders. In the case Airflow is run with the root user (not recommended), it added group write permission to all folders up to the root of the filesystem.

If your log files are stored in the home directory, these permission changes might impact your ability to run SSH operations after your home directory becomes group-writeable.

This issue does not affect users who use or extend Airflow using Official Airflow Docker reference images ( https://hub.docker.com/r/apache/airflow/ ) - those images require group write permission to be set anyway.

You are affected only if you install Airflow using local installation / virtualenv or other Docker images, but the issue has no impact if docker containers are used as intended, i.e. where Airflow components do not share containers with other applications and users.

Also, you should not be affected if your umask is 002 (group write enabled) - this is the default on many Linux systems.

Recommendation for users using Airflow outside of the containers:

  • if you are using root to run Airflow, change your Airflow user to use non-root
  • upgrade Apache Airflow to 2.8.4 or above
  • If you prefer not to upgrade, you can change the file_task_handler_new_folder_permissions configuration option (https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#file-task-handler-new-folder-permissions) to 0o755 (original value 0o775).
  • if you already ran Airflow tasks before and your default umask is 022 (group write disabled) you should stop Airflow components, check permissions of AIRFLOW_HOME/logs in all your components and all parent directories of this directory and remove group write access for all the parent directories

Release Notes

apache/airflow (apache-airflow)

v2.8.4


Significant Changes

No significant changes.

Bug Fixes

  • Fix incorrect serialization of FixedTimezone (#38139)
  • Fix excessive permission changing for log task handler (#38164)
  • Fix task instances list link (#38096)
  • Fix a bug where scheduler heartrate parameter was not used (#37992)
  • Add padding to prevent grid horizontal scroll overlapping tasks (#37942)
  • Fix hash caching in ObjectStoragePath (#37769)

Miscellaneous

  • Limit importlib_resources as it breaks pytest_rewrites (#38095, #38139)
  • Limit pandas to <2.2 (#37748)
  • Bump croniter to fix an issue with 29 Feb cron expressions (#38198)

Doc Only Changes

  • Tell users what to do if their scanners find issues in the image (#37652)
  • Add a section about debugging in Docker Compose with PyCharm (#37940)
  • Update deferrable docs to clarify kwargs when trigger resumes operator (#38122)

v2.8.3


Significant Changes

The smtp provider is now pre-installed when you install Airflow. (#37713)

Bug Fixes

  • Add "MENU" permission in auth manager (#37881)
  • Fix external_executor_id being overwritten (#37784)
  • Make more MappedOperator members modifiable (#37828)
  • Set parsing context dag_id in dag test command (#37606)

Miscellaneous

  • Remove useless methods from security manager (#37889)
  • Improve code coverage for TriggerRuleDep (#37680)
  • The SMTP provider is now preinstalled when installing Airflow (#37713)
  • Bump min versions of openapi validators (#37691)
  • Properly include airflow_pre_installed_providers.txt artifact (#37679)

Doc Only Changes

  • Clarify lack of sync between workers and scheduler (#37913)
  • Simplify some docs around airflow_local_settings (#37835)
  • Add section about local settings configuration (#37829)
  • Fix docs of BranchDayOfWeekOperator (#37813)
  • Write to secrets store is not supported by design (#37814)
  • ERD generating doc improvement (#37808)
  • Update incorrect config value (#37706)
  • Update security model to clarify Connection Editing user's capabilities (#37688)
  • Fix ImportError on examples dags (#37571)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.
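The last recommendation in the CVE-2024-29735 advisory quoted above (stop the components, check AIRFLOW_HOME/logs and every parent directory, and remove group write access) as an added example script. This is not Airflow's code and not part of the PR; the temporary directory tree standing in for $AIRFLOW_HOME/logs, the function names and the `stop_at` bound are constructed for the demo, and the 0o775 mode is set by the demo itself to simulate what the affected handler did.

```python
"""Audit and repair group-write bits on a log directory and all its parents.

Added example (not Airflow's own code). It implements the advisory's manual
check: walk from AIRFLOW_HOME/logs up to the filesystem root, report every
directory with the group-write bit set, and clear that bit.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def dirs_up_to_root(path: Path) -> List[Path]:
    """The directory itself plus every ancestor, ending at the filesystem root."""
    path = path.resolve()
    return [path, *path.parents]


def group_writable_dirs(log_dir: Path, stop_at: Optional[Path] = None) -> List[Path]:
    """Directories from log_dir upward whose mode carries the group-write bit.

    stop_at bounds the walk (the demo uses its temp root); with the default of
    None the walk continues to '/', which is what the advisory asks operators
    to inspect.
    """
    stop = stop_at.resolve() if stop_at is not None else None
    found: List[Path] = []
    for d in dirs_up_to_root(log_dir):
        if d.is_dir() and d.stat().st_mode & stat.S_IWGRP:
            found.append(d)
        if stop is not None and d == stop:
            break
    return found


def remove_group_write(dirs: List[Path]) -> Dict[Path, int]:
    """Clear S_IWGRP on each directory; return the resulting permission bits."""
    result: Dict[Path, int] = {}
    for d in dirs:
        mode = stat.S_IMODE(d.stat().st_mode)
        os.chmod(d, mode & ~stat.S_IWGRP)
        result[d] = stat.S_IMODE(d.stat().st_mode)
    return result


def effective_mode(requested: int, umask: int) -> int:
    """Permission bits a newly created directory gets: requested & ~umask.

    Under umask 022 a 0o775 request yields 0o755 (no group write), so group
    write appearing on parent directories is a change worth catching. Under
    umask 002 directories are created as 0o775 already, which is why the
    advisory says such systems are not affected.
    """
    return requested & ~umask


def demo() -> Dict[str, list]:
    """Constructed tree <tmp>/home/airflow/airflow/logs standing in for
    $AIRFLOW_HOME/logs. Mark logs and every ancestor up to the temp root 0o775
    (simulating the bug), then audit and repair."""
    root = Path(tempfile.mkdtemp(prefix="airflow-perm-demo-")).resolve()
    logs = root / "home" / "airflow" / "airflow" / "logs"
    logs.mkdir(parents=True)
    for d in dirs_up_to_root(logs):
        os.chmod(d, 0o775)  # simulated effect of the affected handler
        if d == root:
            break
    before = group_writable_dirs(logs, stop_at=root)
    fixed = remove_group_write(before)
    after = group_writable_dirs(logs, stop_at=root)
    return {
        "group_writable_before": [str(p.relative_to(root)) for p in before],
        "modes_after": sorted(oct(m) for m in fixed.values()),
        "group_writable_after": [str(p.relative_to(root)) for p in after],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host, call `group_writable_dirs(Path(os.environ["AIRFLOW_HOME"]) / "logs")` with no `stop_at` to get the full list up to `/`, review it, and only then pass it to `remove_group_write`; the walk stops at the temp root in the demo purely so the example never touches directories outside the tree it created.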

@openverse-bot openverse-bot requested a review from a team as a code owner March 27, 2024 02:11
@openverse-bot openverse-bot added dependencies Pull requests that update a dependency file 🐍 tech: python Involves Python 💻 aspect: code Concerns the software code in the repository 🟩 priority: low Low priority and doesn't need to be rushed 🧰 goal: internal improvement Improvement that benefits maintainers, not users 🧱 stack: catalog Related to the catalog and Airflow DAGs labels Mar 27, 2024
@sarayourfriend
Contributor

> You are affected only if you install Airflow using local installation / virtualenv or other Docker images, but the issue has no impact if docker containers are used as intended, i.e. where Airflow components do not share containers with other applications and users.

This means we are not affected 🙂

@openverse-bot openverse-bot force-pushed the gha-renovatepypi-apache-airflow-vulnerability branch from 725e236 to e09de0c Compare March 27, 2024 13:06
@zackkrida
Member

Merging, no immediate deployment is necessary as this does not impact us.

@zackkrida zackkrida merged commit 75a2e7c into main Mar 27, 2024
40 checks passed
@zackkrida zackkrida deleted the gha-renovatepypi-apache-airflow-vulnerability branch March 27, 2024 13:40