[ https://issues.apache.org/jira/browse/AIRFLOW-2592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16518435#comment-16518435 ]

ASF subversion and git services commented on AIRFLOW-2592:
----------------------------------------------------------

Commit 8622046783d4fb5c938daeca4fc294cfe1540ff0 in incubator-airflow's branch refs/heads/master from [~ctrebing]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=8622046 ]

[AIRFLOW-2592] Bump bleach dependency

Bleach dependency is updated to 2.1.3 to address CVE-2018-7753

Closes #3524 from ctrebing/AIRFLOW-2592-bump-bleach-dependency

> Bump Bleach dependency to address CVE-2018-7753
> -----------------------------------------------
>
>            Key: AIRFLOW-2592
>            URL: https://issues.apache.org/jira/browse/AIRFLOW-2592
>        Project: Apache Airflow
>     Issue Type: Task
>       Reporter: Jan
>       Assignee: Christian Trebing
>       Priority: Major
>        Fix For: 2.0.0
>
>
> CVE-2018-7753 was reported for bleach versions <= 2.1.2.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-7753]
> CVE description: An issue was discovered in Bleach 2.1.x before 2.1.3.
> Attributes that have URI values weren't properly sanitized if the values
> contained character entities. Using character entities, it was possible to
> construct a URI value with a scheme that was not allowed that would slide
> through unsanitized.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)