[
https://issues.apache.org/jira/browse/BEAM-12278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17350557#comment-17350557
]
Kyle Weaver commented on BEAM-12278:
------------------------------------
httplib2 was upgraded in [1], which will be included in the next Beam release
(2.30.0).
[1] https://github.com/apache/beam/pull/14379
> Current python library dependends on urllib2 < 0.18.0 (which has a severe
> vulnerability)
> ----------------------------------------------------------------------------------------
>
> Key: BEAM-12278
> URL: https://issues.apache.org/jira/browse/BEAM-12278
> Project: Beam
> Issue Type: Improvement
> Components: sdk-py-core
> Reporter: Youssef Bezrati
> Priority: P2
> Labels: vulnerabilities
>
> Hello,
> The latest version of the python library apache-beam (2.29.0) has the
> following dependency: httplib2<0.18.0. Those versions of httplib2 have a
> severe vulnerability that you can see below.
> The proposed fix is to upgrade the dependency to 0.19.0 or a more recent
> version.
> Description:
> httplib2 is a comprehensive HTTP client library for Python. In httplib2
> before version 0.19.0, a malicious server which responds with long series of
> "\xa0" characters in the "www-authenticate" header may cause Denial of
> Service (CPU burn while parsing header) of the httplib2 client accessing said
> server. This is fixed in version 0.19.0 which contains a new implementation
> of auth headers parsing using the pyparsing library.
> h1. Thank you!
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
