[RESULT][VOTE] AIP-51 Removing Executor Coupling from Core Airflow

2022-11-21 Thread Oliveira, Niko
Hey folks! The voting for AIP-51 Removing Executor Coupling from Core Airflow (https://cwiki.apache.org/confluence/display/AIRFLOW/AIP-51+Removing+Executor+Coupling+from+Core+Airlfow) was completed on November 21, 2022, and I am happy to announce the following voting result: *Binding (+6)

[DISCUSSION] Understanding consequences of current Provider version policies

2022-11-21 Thread Jarek Potiuk
Hello Airflow Community, I decided to start a thread (just to avoid some surprises) that will help us to be well aware of some of the consequences of the currently agreed policy we have for providers version support. I think it's good we re-iterate it now. Just to explain my view: I am

Re: CVE-2022-40954: Apache Airflow Spark Provider, Apache Airflow: Airflow 2.3.4 spark provider RCE that bypass restrictions to read arbitrary files

2022-11-21 Thread Jarek Potiuk
Just to add severity: moderate. On Mon, Nov 21, 2022 at 9:41 PM Jarek Potiuk wrote: > > Description: > > Improper Neutralization of Special Elements used in an OS Command ('OS > Command Injection') vulnerability in Apache Airflow Spark Provider, Apache > Airflow allows an attacker to read

CVE-2022-41131: Apache Airflow Hive Provider vulnerability (command injection via hive_cli connection)

2022-11-21 Thread Jarek Potiuk
Severity: moderate Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbitrary commands in the task execution context, without write access to DAG

CVE-2022-40954: Apache Airflow Spark Provider, Apache Airflow: Airflow 2.3.4 spark provider RCE that bypass restrictions to read arbitrary files

2022-11-21 Thread Jarek Potiuk
Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbitrary files in the task execution context, without write access to DAG files. This issue affects

CVE-2022-40189: Apache Airflow Pig Provider RCE

2022-11-21 Thread Jarek Potiuk
Severity: moderate Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG

CVE-2022-38649: Apache Airflow Pinot Provider, Apache Airflow: PinotAdminHook Command Injection

2022-11-21 Thread Jarek Potiuk
Severity: moderate Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG

Re: Make KubernetesExecutor's multi_namespace_mode more flexible & enterprise-ready

2022-11-21 Thread Ferruzzi, Dennis
On the surface this sounds like a solid improvement to me. I look forward to seeing the PR. From: Xiaodong Deng Sent: Friday, November 18, 2022 11:46 AM To: dev@airflow.apache.org Subject: [EXTERNAL] Make KubernetesExecutor's multi_namespace_mode more

Re: [Discussion] Airflow Newsletter name and branding

2022-11-21 Thread Ferruzzi, Dennis
Manifold is fun. I am terrible at naming things, but also for your consideration: something along the lines of Smoke since smoke in a wind tunnel lets you see what's happening in the airflow? From: John Thomas Sent: Monday, November 14, 2022 11:00 AM To:

Re: Make KubernetesExecutor's multi_namespace_mode more flexible & enterprise-ready

2022-11-21 Thread Xiaodong Deng
Hi folks, Bringing up this discussion again for more inputs. In addition, while preparing the changes I proposed below, I also noticed a few issues relating to *KubernetesExecutor*'s *multi_namespace_mode*, which made me question if this mode ever worked with complete functionalities. For