[jira] [Commented] (AIRFLOW-3700) Change the lowest allowed version of "requests" to address security vulnerabilities
[ https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16742444#comment-16742444 ]

ASF subversion and git services commented on AIRFLOW-3700:
----------------------------------------------------------

Commit 8419e5f119cc60388133a5226f8b4c0d8899ea34 in airflow's branch refs/heads/v1-10-stable from Xiaodong
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=8419e5f ]

[AIRFLOW-3700] Change the lowest allowed version of "requests" (#4517)

> Change the lowest allowed version of "requests" to address security vulnerabilities
> -----------------------------------------------------------------------------------
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
> Fix For: 1.10.2
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)

[jira] [Commented] (AIRFLOW-3700) Change the lowest allowed version of "requests" to address security vulnerabilities
[ https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16742019#comment-16742019 ]

ASF subversion and git services commented on AIRFLOW-3700:
----------------------------------------------------------

Commit 1347ccf8271b00c4b47d3df3b28019c9e083953b in airflow's branch refs/heads/dont-bake-env-into-tmp-config from Xiaodong
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=1347ccf ]

[AIRFLOW-3700] Change the lowest allowed version of "requests" (#4517)

> Change the lowest allowed version of "requests" to address security vulnerabilities
> -----------------------------------------------------------------------------------
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
> Fix For: 1.10.2
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.

[jira] [Commented] (AIRFLOW-3700) Change the lowest allowed version of "requests" to address security vulnerabilities
[ https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16741913#comment-16741913 ]

ASF subversion and git services commented on AIRFLOW-3700:
----------------------------------------------------------

Commit 8419e5f119cc60388133a5226f8b4c0d8899ea34 in airflow's branch refs/heads/v1-10-test from Xiaodong
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=8419e5f ]

[AIRFLOW-3700] Change the lowest allowed version of "requests" (#4517)

> Change the lowest allowed version of "requests" to address security vulnerabilities
> -----------------------------------------------------------------------------------
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
> Fix For: 2.0.0
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.

[jira] [Commented] (AIRFLOW-3700) Change the lowest allowed version of "requests" to address security vulnerabilities
[ https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16741909#comment-16741909 ]

ASF subversion and git services commented on AIRFLOW-3700:
----------------------------------------------------------

Commit 62f47fdd692866a98f90f281b11e94d9aa6bcc9e in airflow's branch refs/heads/v1-10-stable from Xiaodong
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=62f47fd ]

[AIRFLOW-3700] Change the lowest allowed version of "requests" (#4517)

> Change the lowest allowed version of "requests" to address security vulnerabilities
> -----------------------------------------------------------------------------------
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.

[jira] [Commented] (AIRFLOW-3700) Change the lowest allowed version of "requests" to address security vulnerabilities
[ https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16741908#comment-16741908 ]

ASF subversion and git services commented on AIRFLOW-3700:
----------------------------------------------------------

Commit 1347ccf8271b00c4b47d3df3b28019c9e083953b in airflow's branch refs/heads/master from Xiaodong
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=1347ccf ]

[AIRFLOW-3700] Change the lowest allowed version of "requests" (#4517)

> Change the lowest allowed version of "requests" to address security vulnerabilities
> -----------------------------------------------------------------------------------
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.

[jira] [Commented] (AIRFLOW-3700) Change the lowest allowed version of "requests" to address security vulnerabilities
[ https://issues.apache.org/jira/browse/AIRFLOW-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16741706#comment-16741706 ]

ASF GitHub Bot commented on AIRFLOW-3700:
-----------------------------------------

XD-DENG commented on pull request #4517: [AIRFLOW-3700] Change the lowest allowed version of "requests" to address security vulnerabilities
URL: https://github.com/apache/airflow/pull/4517

https://issues.apache.org/jira/browse/AIRFLOW-3700

According to https://nvd.nist.gov/vuln/detail/CVE-2018-18074, the Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

It's recommended to have `requests>=2.20.0`.

This will not break anything given what we had was `['requests>=2.5.1, <3']`. If it's a new installation, it will install the latest version. This change is mainly for users who already have `requests<=2.19.1` installed. We should force them to upgrade.

This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: us...@infra.apache.org

> Change the lowest allowed version of "requests" to address security vulnerabilities
> -----------------------------------------------------------------------------------
>
> Key: AIRFLOW-3700
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3700
> Project: Apache Airflow
> Issue Type: Improvement
> Components: dependencies
> Affects Versions: 1.10.1
> Reporter: Xiaodong DENG
> Assignee: Xiaodong DENG
> Priority: Critical
>
> [https://nvd.nist.gov/vuln/detail/CVE-2018-18074]
>
> The Requests package through 2.19.1 before 2018-09-14 for
> Python sends an HTTP Authorization header to an http URI upon receiving a
> same-hostname https-to-http redirect, which makes it easier for remote
> attackers to discover credentials by sniffing the network.