[ANNOUNCE] Apache Airflow Helm Chart version 1.13.1 Released

2024-03-25 Thread Jedidiah Cunningham
Dear community, I am pleased to announce that we have released Apache Airflow Helm chart 1.13.1. The source release, as well as the "binary" Helm Chart release, are available: Official Sources: https://airflow.apache.org/docs/helm-chart/1.13.1/installing-helm-chart-from-sources.html

[ANNOUNCE] Apache Airflow Helm Chart version 1.11.0 Released

2023-10-02 Thread Jedidiah Cunningham
Dear community, I am pleased to announce that we have released Apache Airflow Helm chart 1.11.0. The source release, as well as the "binary" Helm Chart release, are available: Official Sources: https://airflow.apache.org/docs/helm-chart/1.11.0/installing-helm-chart-from-sources.html

[ANNOUNCE] Apache Airflow Helm Chart version 1.10.0 Released

2023-06-27 Thread Jedidiah Cunningham
Dear community, I am pleased to announce that we have released Apache Airflow Helm chart 1.10.0. The source release, as well as the "binary" Helm Chart release, are available: Official Sources: https://airflow.apache.org/docs/helm-chart/1.10.0/installing-helm-chart-from-sources.html

[ANNOUNCE] Apache Airflow Helm Chart version 1.9.0 Released

2023-04-15 Thread Jedidiah Cunningham
Dear community, I am pleased to announce that we have released Apache Airflow Helm chart 1.9.0. The source release, as well as the "binary" Helm Chart release, are available: Official Sources: https://airflow.apache.org/docs/helm-chart/1.9.0/installing-helm-chart-from-sources.html

[ANNOUNCE] Apache Airflow Helm Chart version 1.8.0 Released

2023-02-06 Thread Jedidiah Cunningham
Dear community, I am pleased to announce that we have released Apache Airflow Helm chart 1.8.0. The source release, as well as the "binary" Helm Chart release, are available: Official Sources: https://airflow.apache.org/docs/helm-chart/1.8.0/installing-helm-chart-from-sources.html

CVE-2022-45402: Apache Airflow: Open redirect during login

2022-11-14 Thread Jedidiah Cunningham
Description: In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. Credit: The Apache Airflow PMC would like to thank Bugra Eskici for reporting this issue. References: https://github.com/apache/airflow/pull/27576

CVE-2022-43985: Apache Airflow: Open Redirect

2022-11-01 Thread Jedidiah Cunningham
Description: In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. Credit: The Apache Airflow PMC would like to thank Axel Chong (@Haxatron) [https://hackerone.com/haxatron1] for reporting this issue. References:

CVE-2022-43982: Apache Airflow: Reflected XSS via Origin Query Argument in URL

2022-11-01 Thread Jedidiah Cunningham
Description: In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. Credit: The Apache Airflow PMC would like to thank id_No2015429 of 3H Security Team for reporting this issue. References:

[ANNOUNCE] Apache Airflow Helm Chart version 1.7.0 Released

2022-10-14 Thread Jedidiah Cunningham
Dear community, I am pleased to announce that we have released Apache Airflow Helm chart 1.7.0. The source release, as well as the "binary" Helm Chart release, are available: Official Sources: https://airflow.apache.org/docs/helm-chart/1.7.0/installing-helm-chart-from-sources.html

CVE-2022-41672: Apache Airflow: Session still functional after user is deactivated

2022-10-04 Thread Jedidiah Cunningham
Description: In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. Credit: The Apache Airflow PMC would like to thank Axel Chong (@Haxatron) for reporting this issue. References:

[ANNOUNCE] Apache Airflow 2.4.1 Released

2022-09-30 Thread Jedidiah Cunningham
Dear community, I'm happy to announce that Airflow 2.4.1 was just released. The released sources and packages can be downloaded via https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-sources.html Other installation methods are described in

CVE-2022-40754: Apache Airflow: Open Redirect

2022-09-20 Thread Jedidiah Cunningham
Description: In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint. Credit: The Apache Airflow PMC would like to thank Konstantin Weddige (Lutra Security) for reporting this issue. References: https://github.com/apache/airflow/pull/26409

CVE-2022-40604: Apache Airflow: Format String Vulnerability

2022-09-20 Thread Jedidiah Cunningham
Description: In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction. Credit: The Apache Airflow PMC would like to thank L3yx of Syclover Security Team for reporting this issue. References:

CVE-2022-38170: Apache Airflow: Overly permissive umask for daemons

2022-09-02 Thread Jedidiah Cunningham
Description: In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary

CVE-2022-38054: Apache Airflow: Session Fixation

2022-09-02 Thread Jedidiah Cunningham
Description: In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. Credit: The Apache Airflow PMC would like to thank Kai Zhao for reporting this issue.

[ANNOUNCE] Apache Airflow Helm Chart version 1.6.0 Released

2022-05-20 Thread Jedidiah Cunningham
Dear community, I am pleased to announce that we have released Apache Airflow Helm chart 1.6.0. The source release, as well as the "binary" Helm Chart release, are available: Official Sources: https://airflow.apache.org/docs/helm-chart/1.6.0/installing-helm-chart-from-sources.html

[ANNOUNCE] Airflow Providers released on Sat Apr 30 are ready

2022-05-03 Thread Jedidiah Cunningham
Dear Airflow community, I'm happy to announce that new versions of Airflow Providers packages were just released. https://pypi.org/project/apache-airflow-providers-cncf-kubernetes/4.0.1/ The source release, as well as the binary releases, are available here:

[ANNOUNCE] Apache Airflow 2.2.4 Released

2022-02-25 Thread Jedidiah Cunningham
Dear community, I'm happy to announce that Airflow 2.2.4 was just released. The released sources and packages can be downloaded via https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-sources.html Other installation methods are described in

CVE-2021-45229: Apache Airflow: Reflected XSS via Origin Query Argument in URL

2022-02-25 Thread Jedidiah Cunningham
Severity: high Description: It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below. Credit: The Apache Airflow PMC would like to thank both Bogdan Kurinnoy of the

CVE-2022-24288: Apache Airflow: RCE in example DAGs

2022-02-24 Thread Jedidiah Cunningham
Severity: high Description: In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. Mitigation: This can be mitigated by ensuring `[core] load_examples` is set to `False`.

[ANNOUNCE] Apache Airflow Helm Chart version 1.4.0 Released

2022-01-11 Thread Jedidiah Cunningham
Dear community, I am pleased to announce that we have released Apache Airflow Helm chart 1.4.0. The source release, as well as the "binary" Helm Chart release, are available: Official Sources: https://airflow.apache.org/docs/helm-chart/1.4.0/installing-helm-chart-from-sources.html

[ANNOUNCE] Apache Airflow 2.2.3 Released

2021-12-21 Thread Jedidiah Cunningham
Dear community, I'm happy to announce that Airflow 2.2.3 was just released. The released sources and packages can be downloaded via https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-sources.html Other installation methods are described in

[ANNOUNCE] Airflow 2.2.1 is released

2021-10-29 Thread Jedidiah Cunningham
Dear community, I'm happy to announce that Airflow 2.2.1 was just released. The released sources and packages can be downloaded via https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-sources.html Other installation methods are described in