+1! Thank you Ash for sharing security vulnerability updates.
On Tue, Jan 8, 2019 at 2:32 PM Ash Berlin-Taylor <[email protected]> wrote:
> CVE-2018-20245: LDAP auth backend did not validate SSL certificate for
> Apache Airflow <= 1.10.0
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: <= 1.10.0
>
> Description:
> The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) was
> misconfigured and contained improper checking of exceptions which
> disabled server certificate checking.
>
> Apache Airflow 1.10.1+ now only supports TLS connections and does not
> support insecure connections to LDAP servers any more. (Self-signed
> certificates are allowed if you pass in the expected server certificate
> as the "cacert" option under the "[ldap]" section of the config.)
>
> Credit:
> This issue was discovered by Stijn van Drongelen
>
> Thanks,
> Ash Berlin-Taylor
>
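
Added example, not part of the messages above and not Airflow's own code: a pre-upgrade check of the "[ldap]" section the advisory refers to, flagging a non-TLS URI and a missing or unusable "cacert". The "uri" key and the AIRFLOW__LDAP__* environment overrides come from Airflow's configuration conventions rather than from the advisory; the hostname, the function name and the PEM-format check are assumptions.

```python
import configparser
import os

PEM_MARKER = "-----BEGIN CERTIFICATE-----"

# Constructed sample: an [ldap] section of the kind that only worked while
# server certificate checking was disabled (Airflow <= 1.10.0).
SAMPLE_CFG = """
[ldap]
uri = ldap://ldap.example.internal:389
cacert =
"""

def audit_ldap_section(cfg_text, env=None):
    """Return (severity, message) findings for the [ldap] section (hypothetical helper)."""
    env = os.environ if env is None else env
    parser = configparser.ConfigParser(interpolation=None)  # tolerate raw '%' in airflow.cfg
    parser.read_string(cfg_text)
    has_env = any(k.startswith("AIRFLOW__LDAP__") for k in env)
    if not parser.has_section("ldap") and not has_env:
        return []  # LDAP backend not configured, nothing to check

    def option(key):
        # Environment variables named AIRFLOW__LDAP__<KEY> override the file.
        override = env.get("AIRFLOW__LDAP__" + key.upper())
        if override is not None:
            return override.strip()
        return parser.get("ldap", key, fallback="").strip()

    findings = []
    if not option("uri").lower().startswith("ldaps://"):
        findings.append(("error", "uri is not ldaps://; 1.10.1+ supports TLS connections only"))
    cacert = option("cacert")
    if not cacert:
        # Per the advisory, a self-signed server certificate must be supplied here.
        findings.append(("warn", "cacert is empty; set it if the server certificate is self-signed"))
    elif not os.path.isfile(cacert):
        findings.append(("error", "cacert points to a missing file: " + cacert))
    else:
        # Assumption: the certificate file is PEM encoded.
        with open(cacert, "r", errors="replace") as fh:
            if PEM_MARKER not in fh.read():
                findings.append(("error", "cacert does not look like a PEM certificate"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_ldap_section(SAMPLE_CFG, env={}):
        print(severity + ": " + message)
```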
