[
https://issues.apache.org/jira/browse/BEAM-12278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kyle Weaver updated BEAM-12278:
-------------------------------
Fix Version/s: 2.30.0
Assignee: Ahmet Altay
Resolution: Fixed
Status: Resolved (was: Open)
> Current python library dependends on urllib2 < 0.18.0 (which has a severe
> vulnerability)
> ----------------------------------------------------------------------------------------
>
> Key: BEAM-12278
> URL: https://issues.apache.org/jira/browse/BEAM-12278
> Project: Beam
> Issue Type: Improvement
> Components: sdk-py-core
> Reporter: Youssef Bezrati
> Assignee: Ahmet Altay
> Priority: P2
> Labels: vulnerabilities
> Fix For: 2.30.0
>
>
> Hello,
> The latest version of the python library apache-beam (2.29.0) has the
> following dependency: httplib2<0.18.0. Those versions of httplib2 have a
> severe vulnerability that you can see below.
> The proposed fix is to upgrade the dependency to 0.19.0 or a more recent
> version.
> Description:
> httplib2 is a comprehensive HTTP client library for Python. In httplib2
> before version 0.19.0, a malicious server which responds with long series of
> "\xa0" characters in the "www-authenticate" header may cause Denial of
> Service (CPU burn while parsing header) of the httplib2 client accessing said
> server. This is fixed in version 0.19.0 which contains a new implementation
> of auth headers parsing using the pyparsing library.
> h1. Thank you!
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
