
Update dependency apache-airflow to v2.10.1 [SECURITY] #4897

Merged
merged 1 commit into from
Sep 9, 2024

Conversation

openverse-bot

This PR contains the following updates:

Package: apache-airflow (changelog)
Update: patch
Change: ==2.10.0 -> ==2.10.1

GitHub Vulnerability Alerts

CVE-2024-45034

Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and have them executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author.
Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.

CVE-2024-45498

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs, please review whether you have copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.
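The two advisories above both come down to settings a deployment owner controls: the installed version, what sits in the DAG folder, and whether example DAGs are loaded. The audit below is an added example, not Airflow's code and not part of this PR; the helper names are hypothetical, the sample DAG folder is constructed in a temp directory, and it assumes (as the first advisory describes) that a `airflow_local_settings.py` placed by a DAG author is what the scheduler could pick up on versions before 2.10.1.

```python
import os
import re
import tempfile
from typing import List, Tuple

FIXED_VERSION = (2, 10, 1)          # first release with both CVEs fixed
LOCAL_SETTINGS_FILE = "airflow_local_settings.py"

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.10.1' (or a requirements pin like '==2.10.0') into a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def version_is_fixed(version: str) -> bool:
    return parse_version(version) >= FIXED_VERSION

def find_local_settings_in_dags(dags_folder: str) -> List[str]:
    """Flag any file in the DAG tree named like the local-settings module.
    Conservative: every depth is reported, not only the folder root."""
    hits = []
    for root, _dirs, files in os.walk(dags_folder):
        hits += [os.path.join(root, f) for f in files if f == LOCAL_SETTINGS_FILE]
    return sorted(hits)

def audit(version: str, dags_folder: str, load_examples: bool) -> List[str]:
    """Collect findings for a deployment; an empty list means nothing to fix."""
    findings = []
    if not version_is_fixed(version):
        findings.append(f"apache-airflow {version} is older than 2.10.1 "
                        "(CVE-2024-45034, CVE-2024-45498)")
    for path in find_local_settings_in_dags(dags_folder):
        findings.append(f"DAG folder contains a local-settings module: {path}")
    if load_examples:
        findings.append("core.load_examples is on: example DAGs are exposed")
    return findings

def build_sample_dags_folder(with_shadow: bool = True) -> str:
    """Constructed sample data: a throwaway DAG folder, optionally carrying a
    DAG-author-supplied airflow_local_settings.py (the CVE-2024-45034 pattern)."""
    folder = tempfile.mkdtemp()
    with open(os.path.join(folder, "my_dag.py"), "w") as f:
        f.write("# harmless DAG file\n")
    if with_shadow:
        with open(os.path.join(folder, LOCAL_SETTINGS_FILE), "w") as f:
            f.write("# would be imported as settings on Airflow < 2.10.1\n")
    return folder
```

Running `audit("==2.10.0", build_sample_dags_folder(), load_examples=True)` against the constructed folder yields three findings, one per check; the same call with version 2.10.1, a clean folder and examples disabled yields none.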


Release Notes

apache/airflow (apache-airflow)

v2.10.1: Apache Airflow 2.10.1

Significant Changes

No significant changes.

Bug Fixes

  • Handle Example dags case when checking for missing files (#41874)
  • Fix logout link in "no roles" error page (#41845)
  • Set end_date and duration for triggers completed with end_from_trigger as True. (#41834)
  • DAGs are not marked as stale if the dags folder change (#41829)
  • Fix compatibility with FAB provider versions <1.3.0 (#41809)
  • Don't Fail LocalTaskJob on heartbeat (#41810)
  • Remove deprecation warning for cgitb in Plugins Manager (#41793)
  • Fix log for notifier(instance) without name (#41699)
  • Splitting syspath preparation into stages (#41694)
  • Adding url sanitization for extra links (#41680)
  • Fix InletEventsAccessors type stub (#41607)
  • Fix UI rendering when XCom is INT, FLOAT, BOOL or NULL (#41605)
  • Fix try selector refresh (#41503)
  • Incorrect try number subtraction producing invalid span id for OTEL airflow (#41535)
  • Add WebEncoder for trigger page rendering to avoid render failure (#41485)
  • Adding tojson filter to example_inlet_event_extra example dag (#41890)
  • Add backward compatibility check for executors that don't inherit BaseExecutor (#41927)

Miscellaneous

  • Bump webpack from 5.76.0 to 5.94.0 in /airflow/www (#41879)
  • Adding rel property to hyperlinks in logs (#41783)
  • Field Deletion Warning when editing Connections (#41504)
  • Make Scarf usage reporting in major+minor versions and counters in buckets (#41900)
  • Lower down universal-pathlib minimum to 0.2.2 (#41943)
  • Protect against None components of universal pathlib xcom backend (#41938)

Doc Only Changes

  • Remove Debian bullseye support (#41569)
  • Add an example for auth with keycloak (#41791)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.

@openverse-bot openverse-bot requested a review from a team as a code owner September 9, 2024 18:39
@openverse-bot openverse-bot added dependencies Pull requests that update a dependency file 🐍 tech: python Involves Python 💻 aspect: code Concerns the software code in the repository 🟩 priority: low Low priority and doesn't need to be rushed 🧰 goal: internal improvement Improvement that benefits maintainers, not users 🧱 stack: catalog Related to the catalog and Airflow DAGs labels Sep 9, 2024
@openverse-bot openverse-bot requested review from AetherUnbound and stacimc and removed request for a team September 9, 2024 18:39

@stacimc stacimc left a comment


CI passes, and I tested the data refreshes, popularity refreshes, and a few provider DAGs. LGTM

@stacimc stacimc merged commit 17f1782 into main Sep 9, 2024
78 checks passed
@stacimc stacimc deleted the gha-renovatepypi-apache-airflow-vulnerability branch September 9, 2024 18:58