[ https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16741913#comment-16741913 ]
ASF subversion and git services commented on AIRFLOW-3700:
----------------------------------------------------------

Commit 8419e5f119cc60388133a5226f8b4c0d8899ea34 in airflow's branch refs/heads/v1-10-test from Xiaodong
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=8419e5f ]

[AIRFLOW-3700] Change the lowest allowed version of "requests" (#4517)

> Change the lowest allowed version of "requests" to address security vulnerabilities
> -----------------------------------------------------------------------------------
>
>                 Key: AIRFLOW-3700
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: dependencies
>    Affects Versions: 1.10.1
>            Reporter: Xiaodong DENG
>            Assignee: Xiaodong DENG
>            Priority: Critical
>             Fix For: 2.0.0
>
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
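
The redirect behaviour described in the quoted CVE text, as an added example that is not part of the original message and is not the Requests project's own code: a simplified model of a hostname-only check beside one that also treats a scheme or port change as a reason to drop the `Authorization` header. The function names, URLs and token are constructed for illustration.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, effective port) for a URL."""
    p = urlparse(url)
    scheme = (p.scheme or "").lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def strips_auth_hostname_only(old_url, new_url):
    """Model of the behaviour in the CVE text: only a hostname change drops the header."""
    return _origin(old_url)[1] != _origin(new_url)[1]


def strips_auth_hardened(old_url, new_url):
    """Drop the header on any host, scheme or port change, except an
    http -> https upgrade on default ports (assumed policy for this example)."""
    o_scheme, o_host, o_port = _origin(old_url)
    n_scheme, n_host, n_port = _origin(new_url)
    if o_host != n_host:
        return True
    if (o_scheme, o_port, n_scheme, n_port) == ("http", 80, "https", 443):
        return False
    return (o_scheme, o_port) != (n_scheme, n_port)


def follow_redirect(headers, old_url, new_url, should_strip):
    """Return the headers that would be sent to the redirect target."""
    out = dict(headers)
    if should_strip(old_url, new_url):
        out.pop("Authorization", None)
    return out


# Constructed sample request and redirect (same hostname, https -> http).
SAMPLE_HEADERS = {"Authorization": "Bearer constructed-sample-token", "Accept": "*/*"}
HTTPS_URL = "https://api.example.test/login"
DOWNGRADE_URL = "http://api.example.test/login"

if __name__ == "__main__":
    for name, policy in [("hostname-only", strips_auth_hostname_only),
                         ("hardened", strips_auth_hardened)]:
        sent = follow_redirect(SAMPLE_HEADERS, HTTPS_URL, DOWNGRADE_URL, policy)
        print(f"{name}: Authorization sent over http = {'Authorization' in sent}")
```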