[ https://issues.apache.org/jira/browse/BEAM-10180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17169582#comment-17169582 ]

Beam JIRA Bot commented on BEAM-10180:
--------------------------------------

This issue is P2 but has been unassigned without any comment for 60 days so it 
has been labeled "stale-P2". If this issue is still affecting you, we care! 
Please comment and remove the label. Otherwise, in 14 days the issue will be 
moved to P3.

Please see https://beam.apache.org/contribute/jira-priorities/ for a detailed 
explanation of what these priorities mean.


> Upgrade httplib2 to > 0.18.0 to resolve CVE-2020-11078
> ------------------------------------------------------
>
>                 Key: BEAM-10180
>                 URL: https://issues.apache.org/jira/browse/BEAM-10180
>             Project: Beam
>          Issue Type: Improvement
>          Components: sdk-py-core
>            Reporter: Jay Crumb
>            Priority: P2
>              Labels: stale-P2
>
> In versions of httplib2 before 0.18.0, an attacker who could control the url 
> provided to {{httplib2.Http.request()}} could modify the request's headers or 
> body.
>  
> As I understand from looking at BEAM-9819, the current restriction exists 
> because of a dependency on google-apitools, so this may not be a 
> straightforward fix.
>  
> CVE: [https://nvd.nist.gov/vuln/detail/CVE-2020-11078]
> GitHub Advisory: [https://github.com/advisories/GHSA-gg84-qgv9-w4pq]
> Release Notes: https://github.com/httplib2/httplib2/blob/master/CHANGELOG#L7



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
