[jira] [Commented] (AIRFLOW-3700) Change the lowest allowed version of "requests" to address security vulnerabilities

2019-01-14 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16742444#comment-16742444
 ] 

ASF subversion and git services commented on AIRFLOW-3700:
--

Commit 8419e5f119cc60388133a5226f8b4c0d8899ea34 in airflow's branch 
refs/heads/v1-10-stable from Xiaodong
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=8419e5f ]

[AIRFLOW-3700] Change the lowest allowed version of "requests" (#4517)



> Change the lowest allowed version of "requests" to address security 
> vulnerabilities
> ---
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
> Fix For: 1.10.2
>
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (AIRFLOW-3700) Change the lowest allowed version of "requests" to address security vulnerabilities

2019-01-14 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16742019#comment-16742019
 ] 

ASF subversion and git services commented on AIRFLOW-3700:
--

Commit 1347ccf8271b00c4b47d3df3b28019c9e083953b in airflow's branch 
refs/heads/dont-bake-env-into-tmp-config from Xiaodong
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=1347ccf ]

[AIRFLOW-3700] Change the lowest allowed version of "requests" (#4517)



> Change the lowest allowed version of "requests" to address security 
> vulnerabilities
> ---
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
> Fix For: 1.10.2
>
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.





[jira] [Commented] (AIRFLOW-3700) Change the lowest allowed version of "requests" to address security vulnerabilities

2019-01-14 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16741913#comment-16741913
 ] 

ASF subversion and git services commented on AIRFLOW-3700:
--

Commit 8419e5f119cc60388133a5226f8b4c0d8899ea34 in airflow's branch 
refs/heads/v1-10-test from Xiaodong
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=8419e5f ]

[AIRFLOW-3700] Change the lowest allowed version of "requests" (#4517)



> Change the lowest allowed version of "requests" to address security 
> vulnerabilities
> ---
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
> Fix For: 2.0.0
>
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.





[jira] [Commented] (AIRFLOW-3700) Change the lowest allowed version of "requests" to address security vulnerabilities

2019-01-14 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16741909#comment-16741909
 ] 

ASF subversion and git services commented on AIRFLOW-3700:
--

Commit 62f47fdd692866a98f90f281b11e94d9aa6bcc9e in airflow's branch 
refs/heads/v1-10-stable from Xiaodong
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=62f47fd ]

[AIRFLOW-3700] Change the lowest allowed version of "requests" (#4517)



> Change the lowest allowed version of "requests" to address security 
> vulnerabilities
> ---
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.





[jira] [Commented] (AIRFLOW-3700) Change the lowest allowed version of "requests" to address security vulnerabilities

2019-01-14 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16741908#comment-16741908
 ] 

ASF subversion and git services commented on AIRFLOW-3700:
--

Commit 1347ccf8271b00c4b47d3df3b28019c9e083953b in airflow's branch 
refs/heads/master from Xiaodong
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=1347ccf ]

[AIRFLOW-3700] Change the lowest allowed version of "requests" (#4517)



> Change the lowest allowed version of "requests" to address security 
> vulnerabilities
> ---
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.





[jira] [Commented] (AIRFLOW-3700) Change the lowest allowed version of "requests" to address security vulnerabilities

2019-01-13 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16741706#comment-16741706
 ] 

ASF GitHub Bot commented on AIRFLOW-3700:
-

XD-DENG commented on pull request #4517: [AIRFLOW-3700] Change the lowest 
allowed version of "requests" to address security vulnerabilities
URL: https://github.com/apache/airflow/pull/4517
 
 
   https://issues.apache.org/jira/browse/AIRFLOW-3700
   
   According to https://nvd.nist.gov/vuln/detail/CVE-2018-18074, the Requests 
package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization 
header to an http URI upon receiving a same-hostname https-to-http redirect, 
which makes it easier for remote attackers to discover credentials by sniffing 
the network.
   
   It's recommended to have `requests>=2.20.0`.
   
   This will not break anything given what we had was `['requests>=2.5.1, <3']`. 
If it's a new installation, it will install the latest version. This 
change is mainly for users who already have `requests<=2.19.1` installed. We 
should force them to upgrade.
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Change the lowest allowed version of "requests" to address security 
> vulnerabilities
> ---
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.



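An added example, not code from Airflow, the pull request or the Requests project: a check of an installed version string against the `requests>=2.20.0` floor named in the pull request comment above, together with the redirect rule a client needs so that the same-hostname https-to-http case in the quoted CVE text no longer carries the Authorization header. All function names and the `example.test` hostnames are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

FIXED_FLOOR = (2, 20, 0)  # floor taken from the PR text: requests>=2.20.0
DEFAULT_PORTS = {"http": 80, "https": 443}

def version_tuple(version):
    """Turn '2.19.1' into (2, 19, 1); non-numeric suffixes such as 'rc1' are ignored."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def meets_floor(version):
    """True when the installed version satisfies the new lower bound."""
    return version_tuple(version) >= FIXED_FLOOR

def _origin(url):
    """Normalise a URL to (scheme, host, effective port)."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def should_drop_authorization(old_url, new_url):
    """True when a redirect must not carry the Authorization header forward."""
    old_scheme, old_host, old_port = _origin(old_url)
    new_scheme, new_host, new_port = _origin(new_url)
    if old_host != new_host:
        return True   # different host: never forward credentials
    if old_scheme == "https" and new_scheme != "https":
        return True   # the CVE-2018-18074 case: same host, TLS dropped
    if old_scheme == "http" and new_scheme == "https":
        return (old_port, new_port) != (80, 443)  # plain upgrade on default ports
    return old_port != new_port

def redirected_headers(headers, old_url, new_url):
    """Return the headers a client should send to new_url after a redirect."""
    if should_drop_authorization(old_url, new_url):
        return {k: v for k, v in headers.items() if k.lower() != "authorization"}
    return dict(headers)
```
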