BEAM-12278: Current python library depends on urllib2 < 0.18.0 (which has a severe vulnerability)

Details

    • Type: Improvement
    • Status: Resolved
    • Priority: P2
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.30.0
    • Component/s: sdk-py-core

Description

Hello,

The latest version of the python library apache-beam (2.29.0) has the following dependency: httplib2<0.18.0. Those versions of httplib2 have a severe vulnerability that you can see below.

The proposed fix is to upgrade the dependency to 0.19.0 or a more recent version.

Description:

httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.

Thank you!
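An added check, not part of the ticket or of the Beam code base, that flags requirement pins which can never resolve to the fixed httplib2 release (0.19.0 or later), plus a lookup of the version actually installed. The small parser is an assumption: it handles only numeric versions and the operators <, <=, >, >=, ==, !=, which is enough for the pin reported here; for full PEP 440 semantics use the `packaging` library instead.

```python
"""Flag dependency pins that exclude the httplib2 fix (>= 0.19.0)."""
import re
from importlib import metadata

FIXED_VERSION = "0.19.0"  # first httplib2 release with the new auth-header parser

# Assumption: simple numeric versions and basic comparison operators only (not full PEP 440).
_CLAUSE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)$")
_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}


def parse_version(text, width=4):
    """'0.18' -> (0, 18, 0, 0): pad so tuples of different length compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def parse_requirement(line):
    """'httplib2>=0.8,<0.18.0' -> ('httplib2', [('>=', ...), ('<', ...)]); trailing comments dropped."""
    m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*?)\s*(?:#.*)?$", line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, spec = m.group(1).lower(), m.group(2)
    clauses = []
    for raw in (c.strip() for c in spec.split(",") if c.strip()):
        cm = _CLAUSE.match(raw)
        if not cm:
            raise ValueError(f"unsupported clause: {raw!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def admits(clauses, version):
    """True if every clause accepts the version (an empty clause list accepts anything)."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def pins_excluding_fix(requirements, package="httplib2", fixed=FIXED_VERSION):
    """Return the requirement lines for `package` that cannot resolve to the fixed release."""
    return [line for line in requirements
            if (parsed := parse_requirement(line))[0] == package and not admits(parsed[1], fixed)]


def installed_is_vulnerable(package="httplib2", fixed=FIXED_VERSION):
    """None if the package is not installed (or its version is non-numeric), else True/False."""
    try:
        return parse_version(metadata.version(package)) < parse_version(fixed)
    except (metadata.PackageNotFoundError, ValueError):
        return None


if __name__ == "__main__":
    # Constructed sample mirroring the pin this ticket reports for apache-beam 2.29.0.
    print(pins_excluding_fix(["httplib2<0.18.0", "httplib2>=0.8,<0.18.0", "requests>=2.0"]))
```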

People

altay Ahmet Altay
pydude1988 Youssef Bezrati