[ https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16742019#comment-16742019 ]
ASF subversion and git services commented on AIRFLOW-3700:
----------------------------------------------------------

Commit 1347ccf8271b00c4b47d3df3b28019c9e083953b in airflow's branch refs/heads/dont-bake-env-into-tmp-config from Xiaodong
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=1347ccf ]

[AIRFLOW-3700] Change the lowest allowed version of "requests" (#4517)

> Change the lowest allowed version of "requests" to address security
> vulnerabilities
> -----------------------------------------------------------------------------------
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
> Fix For: 1.10.2
>
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)