Update dependency apache-airflow to v2.8.4 [SECURITY] #3974
Merged
Conversation
openverse-bot added the labels dependencies (Pull requests that update a dependency file), 🐍 tech: python (Involves Python), 💻 aspect: code (Concerns the software code in the repository), 🟩 priority: low (Low priority and doesn't need to be rushed), 🧰 goal: internal improvement (Improvement that benefits maintainers, not users) and 🧱 stack: catalog (Related to the catalog and Airflow DAGs) on Mar 27, 2024.
This means we are not affected 🙂
openverse-bot force-pushed the gha-renovatepypi-apache-airflow-vulnerability branch from 725e236 to e09de0c on March 27, 2024 13:06.
Merging, no immediate deployment is necessary as this does not impact us.
This PR contains the following updates:
apache-airflow: ==2.8.2 -> ==2.8.4
GitHub Vulnerability Alerts
CVE-2024-28746
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc. from the UI which they do not have permission to access.
Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability.
CVE-2024-29735
Improper Preservation of Permissions vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.8.2 through 2.8.3.
Airflow's local file task handler incorrectly set permissions for all parent folders of the log folder; in the default configuration this added write access for the Unix group of those folders. In the case Airflow is run as the root user (not recommended), it added group write permission to all folders up to the root of the filesystem.
If your log files are stored in the home directory, these permission changes might impact your ability to run SSH operations after your home directory becomes group-writable.
This issue does not affect users who use or extend Airflow using the official Airflow Docker reference images ( https://hub.docker.com/r/apache/airflow/ ): those images require group write permission to be set anyway.
You are affected only if you install Airflow using a local installation / virtualenv or other Docker images, and the issue has no impact if Docker containers are used as intended, i.e. where Airflow components do not share containers with other applications and users.
Also, you should not be affected if your umask is 002 (group write enabled), which is the default on many Linux systems.
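The permission failure mode described above, as an added example that is not Airflow's or Openverse's code: a hypothetical handler that reproduces the advisory's behaviour (group write added to the log folder and every ancestor) inside a constructed temporary tree, a corrected variant that only changes the log directory itself (an illustration of safe handling, not necessarily the project's actual patch), and an audit helper that lists the group-writable directories between a log folder and a chosen root. The names prepare_log_dir_vulnerable, prepare_log_dir_fixed, group_writable_ancestors and demo, the umask of 022 and the directory layout are this example's own assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path


def _add_group_write(path: Path) -> None:
    """Add the group-write bit to `path`, keeping its other mode bits."""
    os.chmod(path, path.stat().st_mode | stat.S_IWGRP)


def prepare_log_dir_vulnerable(log_dir: Path, base: Path) -> None:
    """Hypothetical mimic of the behaviour CVE-2024-29735 describes (not Airflow's code):
    create the log directory, then add group write to it AND to every ancestor,
    walking up until `base` is reached. The advisory says the real handler walked
    up to the filesystem root when run as root; `base` stands in for that root so
    the demo only touches a temporary tree."""
    log_dir.mkdir(parents=True, exist_ok=True)
    for p in (log_dir, *log_dir.parents):
        _add_group_write(p)
        if p == base:
            break


def prepare_log_dir_fixed(log_dir: Path, base: Path) -> None:
    """One safe handling (an assumption, not necessarily Airflow's actual fix):
    create missing directories with umask-derived modes and change the mode of the
    log directory itself only, never of pre-existing ancestors such as $HOME."""
    del base  # unused; kept so both variants share a signature for demo()
    log_dir.mkdir(parents=True, exist_ok=True)
    _add_group_write(log_dir)


def group_writable_ancestors(path, base):
    """Audit helper: return `path` and each ancestor up to and including `base`
    whose mode has the group-write bit set. On a real install, point it at the
    log folder with base Path('/')."""
    path, base = Path(path).resolve(), Path(base).resolve()
    hits = []
    for p in (path, *path.parents):
        if p.stat().st_mode & stat.S_IWGRP:
            hits.append(p)
        if p == base:
            break
    return hits


def demo(handler):
    """Run `handler` on a constructed tree under umask 022 (no group write by
    default), where home/airflow is 0700 as sshd's StrictModes expects, and
    return the group-writable directories relative to the temporary root."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp).resolve()
            home = root / "home" / "airflow"
            home.mkdir(parents=True)
            os.chmod(home, 0o700)
            log_dir = home / "airflow" / "logs" / "dag_id=example" / "run_id=manual"
            handler(log_dir, home)
            return [str(p.relative_to(root)) for p in group_writable_ancestors(log_dir, home)]
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print("vulnerable:", demo(prepare_log_dir_vulnerable))
    print("fixed:     ", demo(prepare_log_dir_fixed))
```

Under umask 022 the vulnerable variant reports five group-writable directories, the last one being the home directory itself, which is the condition that makes sshd refuse key-based logins; the fixed variant reports only the leaf log directory. With umask 002 every directory is created group-writable already, which is why the advisory says such systems see no change.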
Recommendation for users using Airflow outside of the containers:
Release Notes
apache/airflow (apache-airflow)
v2.8.4
Significant Changes
^^^^^^^^^^^^^^^^^^^
No significant changes.
Bug Fixes
"""""""""
- FixedTimezone (#38139)
- ObjectStoragePath (#37769)
Miscellaneous
"""""""""""""
- pytest_rewrites (#38095, #38139)
- pandas to <2.2 (#37748)
- croniter to fix an issue with 29 Feb cron expressions (#38198)
Doc Only Changes
""""""""""""""""
v2.8.3
Significant Changes
^^^^^^^^^^^^^^^^^^^
The smtp provider is now pre-installed when you install Airflow. (#37713)
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Bug Fixes
"""""""""
Miscellaneous
"""""""""""""
- airflow_pre_installed_providers.txt artifact (#37679)
Doc Only Changes
""""""""""""""""
- BranchDayOfWeekOperator (#37813)
- ERD generating doc improvement (#37808)
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.