Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 8 Jan 2019 22:31:58 +0000
From: Ash Berlin-Taylor <>
To:, Apache Security Team <>,
Cc: Stijn van Drongelen <>
Subject: CVE-2018-20245: Apache Airflow LDAP auth backend did not validate SSL
 certificate for <= 1.10.0

CVE-2018-20245: LDAP auth backend did not validate SSL certificate for 
Apache Airflow <= 1.10.0

Vendor: The Apache Software Foundation

Versions Affected: <= 1.10.0

The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) was 
misconfigured and contained improper checking of exceptions which 
disabled server certificate checking.

Apache Airflow 1.10.1+ now only supports TLS connections and does not 
support insecure connections to LDAP servers any more. (Self-signed 
certificates are allowed if you pass in the expected server certificate 
as the "cacert" option under the "[ldap]" section of the config.)

This issue was discovered by Stijn van Drongelen

Ash Berlin-Taylor

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.