GitHub user dovregubben added a comment to the discussion: Multiple vulnerabilities in Airflow dependencies
@potiuk - I very much appreciate your explanation, the links and the recording of your talk; all of that really helped me a lot in several ways. I was indeed misled by the concept of constraints. It's very helpful to understand that those are mainly shipped for reproducibility and that we can simply bump or add specific packages in a second step (after setting up `apache-airflow`).

With regard to the CVE I mentioned, I literally meant CVE-2021-33026. A critical finding concerning that CVE was raised to us by AWS Inspector; that's why I was asking about it in the first place. However, your last comment made me investigate a bit more, and now I understand that this might rather be a false positive warning, because both from the description of the vulnerability and also from the GitHub Advisory Database I can see that it only affects Flask-Caching `<= 1.10.1`. So it appears to me that AWS Inspector doesn't pick up the information right from NVD. I also followed up on your discussion regarding this CVE in https://github.com/apache/airflow/issues/16541.

GitHub link: https://github.com/apache/airflow/discussions/24055#discussioncomment-12309803
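The false-positive point above (CVE-2021-33026 only affects Flask-Caching `<= 1.10.1`, so a pin above that range should not be flagged) comes down to whether a scanner compares the pinned version against the advisory's affected range at all. The following is an added example, not code from the Airflow project, AWS Inspector or the discussion participants: it reads `name==version` pins from a constraints file, compares them numerically against an advisory range (plain string comparison would put `1.9.0` after `1.10.1`), and reports whether each pinned package falls inside the range. The constraints text, the `ADVISORIES` table and the `HYPOTHETICAL-0001` entry are constructed for illustration; only the Flask-Caching range repeats what the comment cites from the GitHub Advisory Database, and only dotted numeric releases (no pre-release or local tags) are handled.

```python
"""Check pinned versions against an advisory's affected range.

Added example, not code from the Airflow project or the discussion.
It models what a scanner must do before reporting CVE-2021-33026: the
advisory lists Flask-Caching <= 1.10.1 as affected, so a pin above that
range is a false positive. Versions are compared numerically; plain
string comparison would order '1.9.0' after '1.10.1'. Only dotted
numeric releases are handled (no pre-release or local tags); the
constraints file and advisory table below are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of a pip constraints file (not a real
# Airflow constraints file).
SAMPLE_CONSTRAINTS = """\
# constraints file (constructed sample)
apache-airflow-providers-amazon==3.3.0
Flask-Caching==2.0.2
markupsafe==2.1.1
"""

# Constructed advisory table: normalized package name -> {advisory: range}.
# The Flask-Caching range is the one the discussion quotes from the GitHub
# Advisory Database; the markupsafe entry is hypothetical, for contrast.
ADVISORIES: Dict[str, Dict[str, str]] = {
    "flask-caching": {"CVE-2021-33026": "<=1.10.1"},
    "markupsafe": {"HYPOTHETICAL-0001": ">=2.0,<2.1.1"},
}

_SPEC_RE = re.compile(r"^(<=|>=|==|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'Flask-Caching' and 'flask_caching' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.10.1' -> (1, 10, 1); trailing zeros dropped so 1.10 == 1.10.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str, affected_range: str) -> bool:
    """True if `version` satisfies every comma-separated clause of the range."""
    v = parse_version(version)
    for clause in affected_range.split(","):
        m = _SPEC_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        ok = {"<=": v <= bound, "<": v < bound, ">=": v >= bound,
              ">": v > bound, "==": v == bound}[op]
        if not ok:
            return False
    return True


def parse_constraints(text: str) -> Dict[str, str]:
    """Read 'name==version' pins, ignoring comments and blank lines."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        pins[normalize_name(name)] = version.strip()
    return pins


def scan(constraints_text: str,
         advisories: Dict[str, Dict[str, str]] = ADVISORIES
         ) -> List[Tuple[str, str, str, bool]]:
    """Return (package, pinned version, advisory id, affected) for every
    advisory whose package is pinned in the constraints file."""
    pins = parse_constraints(constraints_text)
    findings = []
    for pkg, advs in advisories.items():
        if pkg in pins:
            for adv_id, rng in advs.items():
                findings.append((pkg, pins[pkg], adv_id,
                                 is_affected(pins[pkg], rng)))
    return findings


if __name__ == "__main__":
    for pkg, ver, adv, hit in scan(SAMPLE_CONSTRAINTS):
        state = "AFFECTED" if hit else "not affected"
        print(f"{adv}: {pkg}=={ver} -> {state}")
```

A scanner that reports a CVE on package name alone, without the `is_affected` step, produces exactly the kind of warning the comment describes; checking the pinned version against the advisory's range is what turns the match into a real finding or a dismissed one.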
