oss-sec mailing list archives

CVE-2018-20245: Apache Airflow LDAP auth backend did not validate SSL certificate for <= 1.10.0


From: Ash Berlin-Taylor <ash () apache org>
Date: Tue, 8 Jan 2019 22:31:58 +0000

CVE-2018-20245: LDAP auth backend did not validate SSL certificate for Apache Airflow <= 1.10.0

Vendor: The Apache Software Foundation

Versions Affected: <= 1.10.0

Description:
The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) was misconfigured and handled exceptions improperly, which disabled server certificate checking.

Apache Airflow 1.10.1+ now only supports TLS connections and does not support insecure connections to LDAP servers any more. (Self-signed certificates are allowed if you pass in the expected server certificate as the "cacert" option under the "[ldap]" section of the config.)
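As an added illustration (not Airflow's code and not the project's own example), the following Python sketch contrasts the fail-open exception handling the description refers to with a fail-closed variant matching the 1.10.1+ behaviour (validation always on, "cacert" only selecting the trust anchor). The config text, file paths and function names are constructed for the example.

```python
import configparser
import ssl

# Constructed sample [ldap] sections (not a real airflow.cfg): one operator
# supplied a CA bundle, the other left out the "cacert" option entirely.
CFG_WITH_CACERT = """
[ldap]
uri = ldaps://ldap.example.internal:636
cacert = /etc/ssl/certs/corp-ldap-ca.pem
"""
CFG_MISSING_CACERT = """
[ldap]
uri = ldaps://ldap.example.internal:636
"""


def parse_config(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def tls_settings_fail_open(cfg):
    """Hypothetical sketch of the fail-open pattern the advisory describes.
    A missing "cacert" raises inside the try, the broad except swallows it,
    and the caller proceeds with the insecure defaults set before the try."""
    validate = False
    ca_file = None
    try:
        ca_file = cfg.get("ldap", "cacert")   # raises NoOptionError if absent
        validate = True
    except Exception:
        pass                                  # the bug: error hidden, no validation
    return {"validate": validate, "ca_certs_file": ca_file}


def tls_settings_fail_closed(cfg):
    """Fail-closed version: certificate validation is unconditional. "cacert"
    only chooses the trust anchor (e.g. a self-signed server cert); when it is
    absent the system trust store is used instead of disabling checks."""
    ca_file = cfg.get("ldap", "cacert", fallback=None)
    return {"validate": True, "ca_certs_file": ca_file}


def build_context(settings):
    """Turn the settings into an ssl.SSLContext; refuses fail-open settings."""
    if not settings["validate"]:
        raise ValueError("refusing LDAP connection without certificate validation")
    ctx = ssl.create_default_context()        # CERT_REQUIRED + hostname check
    if settings["ca_certs_file"]:
        ctx.load_verify_locations(cafile=settings["ca_certs_file"])
    return ctx
```

A detection check for deployments on the affected versions is the same test expressed against the real config: a missing or unreadable "cacert" must surface as a startup error, never as a working login.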

Credit:
This issue was discovered by Stijn van Drongelen.

Thanks,
Ash Berlin-Taylor

