You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@beam.apache.org by "Kyle Weaver (Jira)" <ji...@apache.org> on 2021/05/24 17:55:00 UTC

[jira] [Commented] (BEAM-12278) Current python library dependends on urllib2 < 0.18.0 (which has a severe vulnerability)

    [ https://issues.apache.org/jira/browse/BEAM-12278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17350557#comment-17350557 ] 

Kyle Weaver commented on BEAM-12278:
------------------------------------

httplib2 was upgraded in [1], which will be included in the next Beam release (2.30.0).

 [1] https://github.com/apache/beam/pull/14379

> Current python library dependends on urllib2 < 0.18.0 (which has a severe vulnerability)
> ----------------------------------------------------------------------------------------
>
>                 Key: BEAM-12278
>                 URL: https://issues.apache.org/jira/browse/BEAM-12278
>             Project: Beam
>          Issue Type: Improvement
>          Components: sdk-py-core
>            Reporter: Youssef Bezrati
>            Priority: P2
>              Labels: vulnerabilities
>
> Hello,
> The latest version of the python library apache-beam (2.29.0) has the following dependency: httplib2<0.18.0. Those versions of httplib2 have a severe vulnerability that you can see below.
> The proposed fix is to upgrade the dependency to 0.19.0 or a more recent version.
> Description:
> httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.
> h1. Thank you!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)