[
https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16741909#comment-16741909
]
ASF subversion and git services commented on AIRFLOW-3700:
----------------------------------------------------------
Commit 62f47fdd692866a98f90f281b11e94d9aa6bcc9e in airflow's branch
refs/heads/v1-10-stable from Xiaodong
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=62f47fd ]
[AIRFLOW-3700] Change the lowest allowed version of "requests" (#4517)
> Change the lowest allowed version of "requests" to address security
> vulnerabilities
> -----------------------------------------------------------------------------------
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> {color:#24292e}The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.{color}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
