potiuk commented on issue #35234: URL: https://github.com/apache/airflow/issues/35234#issuecomment-1801824400
> I assume that it should be done as soon as possible because it blocks upgrade of Werkzeug up to version 3.0.1 that patches [vulnerability issue](https://nvd.nist.gov/vuln/detail/CVE-2023-46136). The upgrade of Werkzeug requires an upgrade of Connexion up to version 3.

I personally think it's not THAT urgent, because likely airflow is not affected by the vulnerability (or at least we have no reports telling that). But for commercial users who are concerned about scan results and "ticking off" the vulnerable components, indeed, this is a great opportunity to contribute back to Airflow by following the plan nicely outlined here and either report an exploit scenario that will use that public vulnerability using the usual channels - i.e. following our security policy https://github.com/apache/airflow/security/policy

@moiseenkov - maybe that's a good idea to do either of the two?
