airflow-dev mailing list archives

From Ash Berlin-Taylor <...@apache.org>
Subject CVE-2018-20245: Apache Airflow LDAP auth backend did not validate SSL certificate for <= 1.10.0
Date Tue, 08 Jan 2019 22:31:58 GMT
CVE-2018-20245: LDAP auth backend did not validate SSL certificate for 
Apache Airflow <= 1.10.0

Vendor: The Apache Software Foundation

Versions Affected: <= 1.10.0

Description:
The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) was 
misconfigured and contained improper checking of exceptions which 
disabled server certificate checking.

Apache Airflow 1.10.1+ now only supports TLS connections and does not 
support insecure connections to LDAP servers any more. (Self-signed 
certificates are allowed if you pass in the expected server certificate 
as the "cacert" option under the "[ldap]" section of the config.)

Credit:
This issue was discovered by Stijn van Drongelen

Thanks,
Ash Berlin-Taylor
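
Added example, not part of the original message and not Airflow project code: a Python check that reads an airflow.cfg and reports whether an install falls under this advisory and whether the "cacert" option is set. The "[webserver] auth_backend" key as the place the backend is selected, the function names and the sample configs are assumptions of this example.

```python
import configparser
import re

# Module path and version bound are taken from the advisory text.
LDAP_BACKEND = "airflow.contrib.auth.backends.ldap_auth"
LAST_AFFECTED = (1, 10, 0)

# Constructed sample configs (hostname and file path are placeholders).
SAMPLE_UNPINNED = """
[webserver]
authenticate = True
auth_backend = airflow.contrib.auth.backends.ldap_auth

[ldap]
uri = ldaps://ldap.example.internal:636
"""
SAMPLE_PINNED = SAMPLE_UNPINNED + "cacert = /etc/airflow/ldap-server.pem\n"


def parse_version(text):
    """'1.10.0' -> (1, 10, 0); a missing patch level counts as 0, suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def audit(version, cfg_text):
    """Return findings for one install; an empty list means nothing to report."""
    cfg = configparser.ConfigParser(interpolation=None)  # airflow.cfg may contain raw '%'
    cfg.read_string(cfg_text)
    backend = cfg.get("webserver", "auth_backend", fallback="").strip()
    if backend != LDAP_BACKEND:
        return []  # LDAP backend not selected, so the advisory does not apply
    findings = []
    if parse_version(version) <= LAST_AFFECTED:
        findings.append("affected version: upgrade to 1.10.1 or later")
    if not cfg.get("ldap", "cacert", fallback="").strip():
        findings.append("[ldap] cacert not set: needed if the LDAP server "
                        "certificate is self-signed")
    return findings


if __name__ == "__main__":
    for ver, cfg in (("1.10.0", SAMPLE_UNPINNED), ("1.10.1", SAMPLE_PINNED)):
        print(ver, audit(ver, cfg) or "no findings")
```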
