[ https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16741706#comment-16741706 ]

ASF GitHub Bot commented on AIRFLOW-3700:
-----------------------------------------

XD-DENG commented on pull request #4517: [AIRFLOW-3700] Change the lowest allowed version of "requests" to address security vulnerabilities
URL: https://github.com/apache/airflow/pull/4517
 
 
   https://issues.apache.org/jira/browse/AIRFLOW-3700
   
   According to https://nvd.nist.gov/vuln/detail/CVE-2018-18074, the Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
   
   It's recommended to have `requests>=2.20.0`.
   
   This will not break anything given what we had was `['requests>=2.5.1, <3']`. If it's a new installation, it will install the latest version. This change is mainly for users who already have `requests<=2.19.1` installed. We should force them to upgrade.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
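The two points in the comment above, as an added example written for this page (not Airflow's or the requests library's code): a model of the redirect rule the CVE describes, with the pre-fix host-only check beside a hardened check that also rejects a scheme or port change, and a small constraint evaluator showing that `requests>=2.5.1, <3` still admits 2.19.1 while `requests>=2.20.0` does not. Both redirect rules are simplified models written for this example, and `satisfies` handles only numeric dotted versions with `>=`, `<=`, `==`, `!=`, `>` and `<` clauses.

```python
"""Constructed example: the redirect rule behind CVE-2018-18074 and the
setup.py constraint this PR tightens. Not Airflow or requests code."""
from urllib.parse import urlparse


def strips_auth_pre_fix(old_url: str, new_url: str) -> bool:
    """Model of the vulnerable rule: Authorization is dropped only when the
    hostname changes, so a same-host https->http redirect keeps the header
    and sends it over plain HTTP."""
    return urlparse(old_url).hostname != urlparse(new_url).hostname


def strips_auth_hardened(old_url: str, new_url: str) -> bool:
    """Hardened rule: drop the header when host, scheme or port differ,
    allowing only the benign http->https upgrade on default ports."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    if (old.scheme == "http" and old.port in (80, None)
            and new.scheme == "https" and new.port in (443, None)):
        return False
    return old.scheme != new.scheme or old.port != new.port


def parse_version(version: str) -> tuple:
    """'2.19.1' -> (2, 19, 1); numeric dotted versions only."""
    return tuple(int(part) for part in version.split("."))


# Two-character operators come first so '>' never shadows '>='.
_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def satisfies(version: str, spec: str) -> bool:
    """Evaluate a comma-separated constraint such as '>=2.5.1, <3'."""
    have = parse_version(version)
    for clause in (c.strip() for c in spec.split(",")):
        op = next((o for o in _OPS if clause.startswith(o)), None)
        if op is None:
            raise ValueError("unsupported clause: " + clause)
        if not _OPS[op](have, parse_version(clause[len(op):].strip())):
            return False
    return True


if __name__ == "__main__":
    print(strips_auth_pre_fix("https://h.example/a", "http://h.example/a"))  # False
    print(satisfies("2.19.1", ">=2.5.1, <3"), satisfies("2.19.1", ">=2.20.0"))  # True False
```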


> Change the lowest allowed version of "requests" to address security 
> vulnerabilities
> -----------------------------------------------------------------------------------
>
>                 Key: AIRFLOW-3700
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: dependencies
>    Affects Versions: 1.10.1
>            Reporter: Xiaodong DENG
>            Assignee: Xiaodong DENG
>            Priority: Critical
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>  
> The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
