You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@beam.apache.org by "Youssef Bezrati (Jira)" <ji...@apache.org> on 2021/05/04 13:59:00 UTC

[jira] [Created] (BEAM-12278) Current python library dependends on urllib2 < 0.18.0 (which has a severe vulnerability)

Youssef Bezrati created BEAM-12278:
--------------------------------------

             Summary: Current python library dependends on urllib2 < 0.18.0 (which has a severe vulnerability)
                 Key: BEAM-12278
                 URL: https://issues.apache.org/jira/browse/BEAM-12278
             Project: Beam
          Issue Type: Improvement
          Components: examples-python
            Reporter: Youssef Bezrati


Hello,

The latest version of the python library apache-beam (2.29.0) has the following dependency: httplib2<0.18.0. Those versions of httplib2 have a severe vulnerability that you can see below.

The proposed fix is to upgrade the dependency to 0.19.0 or a more recent version.

Description:

httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.
h1. Thank you!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)