[ https://issues.apache.org/jira/browse/BEAM-6643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ismaël Mejía updated BEAM-6643:
-------------------------------
Priority: Critical (was: Minor)
> Pypi's version of Beam for python3 requires httplib2 with a known
> vulnerability
> -------------------------------------------------------------------------------
>
> Key: BEAM-6643
> URL: https://issues.apache.org/jira/browse/BEAM-6643
> Project: Beam
> Issue Type: Bug
> Components: sdk-py-core
> Affects Versions: 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0
> Environment: Python3 using default PyPI.
> Reporter: Alex deVries
> Priority: Critical
> Labels: beginner, security
>
> Beam version 2.2.0 requires httplib2 0.9.2 which has a known vulnerability
> (CVE-2013-2037). This is the latest version of Beam that works with Python 3
> (according to pypi).
> Even though 2.2.0 is old, it is still the version that one will get if
> they install Beam using ‘pip install apache-beam’ on distributions that
> default to Python 3.
> I’m not sure how exploitable this is using Beam. The weakness is that the
> server’s hostname isn’t verified to be in the cert’s CN subject or SAN. This
> may allow an attacker to spoof a server.
> It’s possible the fix is as simple as a release of 2.2 that changes the
> requirement of httplib2 from 0.9.2 to 0.10, and then release that to pypi.
> That’s probably pretty complicated.
> This will go away when Beam supports Python 3, since pypi will then offer
> some later version of Beam that doesn’t require the ancient version of
> httplib2.
> The fix to Beam is to require httplib2 0.10.1 or later. The fix to httplib2
> is here: https://github.com/httplib2/httplib2/issues/5
> NVD:
> https://nvd.nist.gov/vuln/detail/CVE-2013-2037
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
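Added example (not code from the Beam project or from the issue above): two defender-side checks that follow from the report. The first inspects a requirements line and reports whether the httplib2 pin can still resolve to a version below 0.10.1, the minimum the report names. The second implements the hostname verification that the report says httplib2 0.9.2 skipped: it checks a peer certificate, in the dict layout that Python's ssl.SSLSocket.getpeercert() returns, against the expected hostname using SAN dNSName entries first and the subject CN only as a fallback. The certificate data, hostnames and requirement lines are constructed samples; the function names are this example's own.

```python
"""Added example for BEAM-6643: dependency-pin check and certificate hostname
matching. Not part of Apache Beam or httplib2; names here are assumptions."""
import re
from typing import Any, Mapping, Tuple

# Minimum httplib2 version named in the report as carrying the fix.
FIXED_HTTPLIB2 = (0, 10, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.9.2' into (0, 9, 2); a non-numeric suffix ends the parse."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def httplib2_pin_is_safe(requirement: str) -> bool:
    """Return True only if a requirement line such as 'httplib2==0.9.2' or
    'httplib2>=0.10.1' cannot resolve to a version below FIXED_HTTPLIB2.
    Only '==' and '>=' pins are understood; any other spec is reported as
    unsafe because its lower bound cannot be proven from the line alone."""
    m = re.match(r"\s*httplib2\s*(==|>=)\s*([\w.]+)\s*$", requirement)
    if not m:
        return False
    return parse_version(m.group(2)) >= FIXED_HTTPLIB2


def _dns_pattern_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname. A single leading
    '*.' wildcard matches exactly one label and never a whole public suffix."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    # Require at least host.domain.tld so '*.com' cannot match 'example.com'.
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def cert_matches_hostname(cert: Mapping[str, Any], hostname: str) -> bool:
    """Verify that 'cert' (getpeercert() dict layout) names 'hostname'.
    SAN dNSName entries are authoritative when present; the subject CN is
    consulted only for certificates that carry no DNS SAN at all."""
    san_dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_pattern_match(p, hostname) for p in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_pattern_match(value, hostname):
                return True
    return False


# Constructed sample certificates in getpeercert() layout (not real certs).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "api.example.test"),)),
    "subjectAltName": (("DNS", "api.example.test"), ("DNS", "*.svc.example.test")),
}
CN_ONLY_CERT = {
    "subject": ((("commonName", "legacy.example.test"),),),
}


if __name__ == "__main__":
    for line in ("httplib2==0.9.2", "httplib2>=0.10.1", "httplib2==0.11.3"):
        print(f"{line:<22} safe={httplib2_pin_is_safe(line)}")
    for host in ("api.example.test", "web.svc.example.test", "evil.test"):
        print(f"{host:<22} match={cert_matches_hostname(SAMPLE_CERT, host)}")
```

The wildcard rule deliberately refuses to match more than one label and refuses a wildcard directly under a top-level label, which is the conservative reading a client should take; a certificate whose only name is a CN is accepted solely because such certificates were still common in the period the report covers.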