Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/04/28 10:31:48 UTC

[GitHub] [airflow] CoburnJoe opened a new issue #15570: Gunicorn dependency request smuggling vulnerability

CoburnJoe opened a new issue #15570:
URL: https://github.com/apache/airflow/issues/15570


   Hi team!
   
   My organisation is using Airflow, and right now we are unable to comply with our security policies or use our standard build pipeline due to an insecure dependency version (Gunicorn) specified by Airflow. I've messaged the security@ email address, but as this is already a public vulnerability in Gunicorn, and not a proven exploit in Airflow, I was directed over here.
   
   Gunicorn request smuggling vulnerability.
   CVSS: https://snyk.io/vuln/SNYK-PYTHON-GUNICORN-541164
   
   Steps to replicate
   
   - Install Airflow
   - Use Pipenv or Safety Python packages to run a dependency check (pipenv check or safety check) - Airflow fails because Gunicorn is running an older version with a known vulnerability:
   
   40104: gunicorn <20.0.1 resolved (19.10.0 installed)!
   Gunicorn 20.0.1 fixes chunked encoding support to prevent any request smuggling for security purposes.
   
   This issue is patched in Gunicorn 20.0.1 or higher. Your setup file specifies gunicorn>=19.5.0, <20.0 https://github.com/apache/airflow/blob/47cbff9ce06a927c318ec77b32d79876b6828071/setup.cfg#L102
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [airflow] CoburnJoe commented on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
CoburnJoe commented on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-830858847


   > @CoburnJoe -> Airflow master is at Gunicorn 20.1 now (#15611). Next release should use it.
   
   Fantastic - thank you! 🎉 





[GitHub] [airflow] CoburnJoe commented on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
CoburnJoe commented on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-828399257


   Thanks for the quick reply - I'll do some more digging :) 





[GitHub] [airflow] potiuk edited a comment on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
potiuk edited a comment on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-828701685


   As explained in the thread you started, I will look into the reasoning why we are using gunicorn < 20. It is strange to find that 1.10 uses > 20 already :)





[GitHub] [airflow] potiuk commented on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-828374921


   Closing as invalid. 





[GitHub] [airflow] potiuk commented on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-828382569


   Gunicorn 19.10.0 (not 19.9.10) was properly released to PyPI: https://pypi.org/project/gunicorn/19.10.0/ 
   
   I see no reason to disbelieve Gunicorn maintainers when they are releasing to PyPI. If you have any doubts, please open an issue in the Gunicorn repo (with reference to this issue). I am happy to reopen the issue if your doubts are verified, but we will not actively pursue it.





[GitHub] [airflow] CoburnJoe commented on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
CoburnJoe commented on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-828378876


   @potiuk 19.9.10 has a failing build:
   https://pypi.org/project/gunicorn/19.10.0/ 
   https://travis-ci.org/github/benoitc/gunicorn/jobs/768410265
   
   And is not listed under the GitHub releases - which go from 19.9.0 to 20.0 https://github.com/benoitc/gunicorn/releases
   
   If I have to dig through other projects I'm happy to do so, but from my view, there are only a few possible options:
   - 19.9.10 wasn't a proper release/was released breaking then immediately fixed
   - The pipenv/safety database is out of date (which seems unlikely, as `pipenv check` maintains its own database updated once a month, and these releases range from July 2018 to November 2019)
   - This isn't a problem at all
   
   I'm happy to commit the upgrade myself if required, but I'm not too versed in the Airflow project's specifics and lockfiles.
   





[GitHub] [airflow] boring-cyborg[bot] commented on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-828346976


   Thanks for opening your first issue here! Be sure to follow the issue template!
   





[GitHub] [airflow] potiuk commented on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-830200965


   @CoburnJoe -> Airflow master is at Gunicorn 20.1 now (https://github.com/apache/airflow/pull/15611). Next release should use it.





[GitHub] [airflow] potiuk edited a comment on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
potiuk edited a comment on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-828701685


   As explained in the thread you started, I will look into the reasoning why we are using gunicorn < 20. It is strange to find that 1.10 uses > 20 already :)





[GitHub] [airflow] CoburnJoe commented on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
CoburnJoe commented on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-828369374


   > The ticket states the vulnerability is also fixed in 19.10.0 or higher.
   
   That is an inaccuracy in the CVE - 20.0.1 is when the fix arrived: https://github.com/benoitc/gunicorn/releases/tag/20.0.2





[GitHub] [airflow] potiuk closed issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
potiuk closed issue #15570:
URL: https://github.com/apache/airflow/issues/15570


   





[GitHub] [airflow] potiuk commented on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-828373745


   > That is an inaccuracy in the CVE - 20.0.1 is when the fix arrived: https://github.com/benoitc/gunicorn/releases/tag/20.0.2
   
   Not really. The CVE is correct. The fix has been backported to 19.10.0: https://github.com/benoitc/gunicorn/commit/93220898f523fa1098f3ee467f6f48530c9f5fbe
   
   
   You can see it when you take a look at the differences between 19.9.0 and 19.10.0





[GitHub] [airflow] potiuk edited a comment on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
potiuk edited a comment on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-828373745


   > That is an inaccuracy in the CVE - 20.0.1 is when the fix arrived: https://github.com/benoitc/gunicorn/releases/tag/20.0.2
   
   Not really. The CVE is correct. The fix has been backported to 19.10.0: https://github.com/benoitc/gunicorn/commit/93220898f523fa1098f3ee467f6f48530c9f5fbe
   
   
   You can see it when you take a look at the differences between 19.9.0 and 19.10.0
   
   https://github.com/benoitc/gunicorn/compare/19.9.0...19.10.0


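The disagreement between the opening post's `safety check` result and the comment above that the fix was backported to 19.10.0 comes down to how each side draws the vulnerable range. As an added example (not Airflow's or Gunicorn's code), the script below encodes both readings and checks which versions the setup.cfg pin quoted in the issue can resolve to; the range values are constructed from the thread's claims, not pulled from any advisory database.

```python
"""Classify Gunicorn versions under the two advisory readings argued in the thread.

Constructed example; not Airflow or Gunicorn code. The ranges encode:
  - safety DB entry 40104 as quoted in the issue: vulnerable if < 20.0.1
  - the backport reading: fix in 19.10.0, so vulnerable if < 19.10.0
    or in [20.0.0, 20.0.1)
"""
import operator
import re

_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "==": operator.eq, "!=": operator.ne}

def parse_version(text):
    """'20.0' -> (20, 0, 0): pad to three components so 20.0 == 20.0.0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_specifier(spec):
    """'>=19.5.0, <20.0' -> [(compare_fn, version), ...]; every clause must hold."""
    clauses = []
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        clauses.append((_OPS[m.group(1)], parse_version(m.group(2))))
    return clauses

def satisfies(version, spec):
    v = parse_version(version)
    return all(fn(v, bound) for fn, bound in parse_specifier(spec))

def is_vulnerable(version, vulnerable_ranges):
    """True if the version falls inside any of the advisory's vulnerable ranges."""
    return any(satisfies(version, rng) for rng in vulnerable_ranges)

AIRFLOW_SPEC = ">=19.5.0, <20.0"            # the setup.cfg pin quoted in the issue
SAFETY_RANGES = ["<20.0.1"]                  # what `safety check` reported
BACKPORT_AWARE_RANGES = ["<19.10.0", ">=20.0.0, <20.0.1"]

def classify(version):
    """(allowed by Airflow pin, flagged by safety range, flagged by backport-aware range)."""
    return (satisfies(version, AIRFLOW_SPEC),
            is_vulnerable(version, SAFETY_RANGES),
            is_vulnerable(version, BACKPORT_AWARE_RANGES))

if __name__ == "__main__":
    for v in ["19.9.0", "19.10.0", "20.0.0", "20.0.1", "20.1.0"]:
        print(v, classify(v))
```

Running it shows 19.10.0 is the only version the pin resolves to that the two readings classify differently, which is exactly the version the thread argues over.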



[GitHub] [airflow] uranusjr commented on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
uranusjr commented on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-828366597


   The ticket states the vulnerability is also fixed in 19.10.0 or higher.





[GitHub] [airflow] potiuk commented on issue #15570: Gunicorn dependency request smuggling vulnerability

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #15570:
URL: https://github.com/apache/airflow/issues/15570#issuecomment-828701685


   As explained in the thread you started, I will look into the reasoning why we are using gunicorn < 20. It is strange to find that 1.10 uses it already :)

