Posted to users@airflow.apache.org by Jed Cunningham <je...@apache.org> on 2022/09/20 19:07:45 UTC

CVE fixes in Airflow 2.4.0 and Airflow 2.3.4

Hello everyone,

Airflow 2.4.0 and 2.3.4 contain fixes for the following CVEs (more details
on the dev list links).

Airflow 2.4.0:

CVE-2022-40754: Open Redirect
https://lists.apache.org/thread/cn098dcp5x3c402xrb06p3l7nz5goffm

CVE-2022-40604: Format String Vulnerability
https://lists.apache.org/thread/z20x8m16fnhxdkoollv53w1ybsts687t

Airflow 2.3.4 (fixes are also in Airflow 2.4.0):

CVE-2022-38054: Session Fixation
https://lists.apache.org/thread/rsd3h89xdp16rg0ltovx3m7q3ypkxsbb

CVE-2022-38170: Overly permissive umask for daemons
https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv

Thanks,
Jed