[jira] [Updated] (AIRFLOW-2592) Bump Bleach dependency to address CVE-2018-7753

Kaxil Naik (JIRA) Sat, 29 Sep 2018 01:55:59 -0700


     [ 
https://issues.apache.org/jira/browse/AIRFLOW-2592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Kaxil Naik updated AIRFLOW-2592:
--------------------------------
    Fix Version/s:     (was: 2.0.0)
                   1.10.1

> Bump Bleach dependency to address CVE-2018-7753
> -----------------------------------------------
>
>                 Key: AIRFLOW-2592
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2592
>             Project: Apache Airflow
>          Issue Type: Task
>            Reporter: Jan
>            Assignee: Christian Trebing
>            Priority: Major
>             Fix For: 1.10.1
>
>
> CVE-2018-7753 was reported for bleach versions <= 2.1.2.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-7753]
> CVE description: An issue was discovered in Bleach 2.1.x before 2.1.3. 
> Attributes that have URI values weren't properly sanitized if the values 
> contained character entities. Using character entities, it was possible to 
> construct a URI value with a scheme that was not allowed that would slide 
> through unsanitized.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Updated] (AIRFLOW-2592) Bump Bleach dependency to address CVE-2018-7753

Reply via email to