
Update dependency apache-airflow to v2.9.2 [SECURITY] #4502

Merged
merged 2 commits into from
Jun 19, 2024

Conversation

openverse-bot
Collaborator

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| apache-airflow (changelog) | patch | `==2.9.1` -> `==2.9.2` |

GitHub Vulnerability Alerts

CVE-2024-25142

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow.

Airflow did not return a "Cache-Control" header for dynamic content, which in the case of some browsers could result in sensitive data being stored in the browser's local cache.

This issue affects Apache Airflow: before 2.9.2.

Users are recommended to upgrade to version 2.9.2, which fixes the issue.


Release Notes

apache/airflow (apache-airflow)

v2.9.2

Compare Source

Significant Changes
^^^^^^^^^^^^^^^^^^^

No significant changes.

Bug Fixes
"""""""""

  • Fix bug that makes AirflowSecurityManagerV2 leave transactions in the idle in transaction state (#39935)
  • Fix alembic auto-generation and rename mismatching constraints (#39032)
  • Add the existing_nullable to the downgrade side of the migration (#39374)
  • Fix Mark Instance state buttons stay disabled if user lacks permission (#37451). (#38732)
  • Use SKIP LOCKED instead of NOWAIT in mini scheduler (#39745)
  • Remove DAG Run Add option from FAB view (#39881)
  • Add max_consecutive_failed_dag_runs in API spec (#39830)
  • Fix example_branch_operator failing in python 3.12 (#39783)
  • Fetch served logs also when task attempt is up for retry and no remote logs available (#39496)
  • Change dataset URI validation to raise warning instead of error in Airflow 2.9 (#39670)
  • Visible DAG RUN doesn't point to the same dag run id (#38365)
  • Refactor SafeDogStatsdLogger to use get_validator to enable pattern matching (#39370)
  • Fix custom actions in security manager has_access (#39421)
  • Fix HTTP 500 Internal Server Error if DAG is triggered with bad params (#39409)
  • Fix static file caching is disabled in Airflow Webserver. (#39345)
  • Fix TaskHandlerWithCustomFormatter now adds prefix only once (#38502)
  • Do not provide deprecated execution_date in @apply_lineage (#39327)
  • Add missing conn_id to string representation of ObjectStoragePath (#39313)
  • Fix sql_alchemy_engine_args config example (#38971)
  • Add Cache-Control "no-store" to all dynamically generated content (#39550)

Miscellaneous
"""""""""""""

  • Limit yandex provider to avoid mypy errors (#39990)
  • Warn on mini scheduler failures instead of debug (#39760)
  • Change type definition for provider_info_cache decorator (#39750)
  • Better typing for BaseOperator defer (#39742)
  • More typing in TimeSensor and TimeSensorAsync (#39696)
  • Re-raise exception from strict dataset URI checks (#39719)
  • Fix stacklevel for _log_state helper (#39596)
  • Resolve SA warnings in migrations scripts (#39418)
  • Remove unused index idx_last_scheduling_decision on dag_run table (#39275)

Doc Only Changes
""""""""""""""""

  • Provide extra tip on labeling DynamicTaskMapping (#39977)
  • Improve visibility of links / variables / other configs in Configuration Reference (#39916)
  • Remove 'legacy' definition for CronDataIntervalTimetable (#39780)
  • Update plugins.rst examples to use pyproject.toml over setup.py (#39665)
  • Fix nit in pg set-up doc (#39628)
  • Add Matomo to Tracking User Activity docs (#39611)
  • Fix Connection.get -> Connection.get_connection_from_secrets (#39560)
  • Adding note for provider dependencies (#39512)
  • Update docker-compose command (#39504)
  • Update note about restarting triggerer process (#39436)
  • Updating S3LogLink with an invalid bucket link (#39424)
  • Update testing_packages.rst (#38996)
  • Add multi-team diagrams (#38861)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
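As an added example that is not part of this PR, of Openverse, or of Airflow's own code, the following pure-Python WSGI middleware shows the mitigation the CVE text above describes and the 2.9.2 changelog lists ("Add Cache-Control "no-store" to all dynamically generated content"): every dynamically generated response is sent with `Cache-Control: no-store`, static assets under an assumed `/static/` prefix keep their own caching headers (so static file caching is not disabled as a side effect), and a small audit helper reports whether a response's headers still permit a browser to write it to its local cache. The demo application, the `/static/` prefix and the request paths are constructed assumptions for the demonstration.

```python
"""Added example (not Openverse or Airflow code): WSGI middleware that applies
Cache-Control: no-store to dynamic responses, plus an audit helper that flags
responses a browser is still allowed to cache."""
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

# Assumption: static assets are served under this prefix and may stay cacheable.
STATIC_PREFIXES = ("/static/",)
NO_STORE = "no-store"


def add_no_store(headers: Headers) -> Headers:
    """Return a copy of the headers whose Cache-Control is exactly 'no-store'.

    An existing Cache-Control value is replaced rather than appended to: a
    permissive directive such as 'public, max-age=3600' left in place would
    still invite the browser to keep the page.
    """
    kept = [(k, v) for k, v in headers if k.lower() != "cache-control"]
    kept.append(("Cache-Control", NO_STORE))
    return kept


class NoStoreMiddleware:
    """Wrap any WSGI app; mark every non-static response as not storable."""

    def __init__(self, app: Callable, static_prefixes=STATIC_PREFIXES):
        self.app = app
        self.static_prefixes = static_prefixes

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")

        def wrapped_start_response(status, headers, exc_info=None):
            if not path.startswith(self.static_prefixes):
                headers = add_no_store(headers)
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def cacheable_by_browser(headers: Headers) -> bool:
    """Audit check: True when no 'no-store' directive is present, i.e. the
    browser is permitted to write the response to its local cache."""
    for k, v in headers:
        if k.lower() == "cache-control":
            directives = {d.strip().lower() for d in v.split(",")}
            if NO_STORE in directives:
                return False
    return True


def call_wsgi(app: Callable, path: str) -> Tuple[str, Headers, bytes]:
    """Invoke a WSGI app in-process (no server) and capture status, headers, body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def demo_app(environ, start_response) -> Iterable[bytes]:
    """Constructed stand-in for a webserver: one dynamic page, one static asset.
    The dynamic page sends no Cache-Control header at all, which is the
    condition the CVE describes."""
    path = environ["PATH_INFO"]
    if path.startswith("/static/"):
        start_response("200 OK", [("Content-Type", "text/css"),
                                  ("Cache-Control", "public, max-age=86400")])
        return [b"body{}"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>rendered dynamic page</html>"]


# The unprotected and the protected app side by side for comparison.
protected_app = NoStoreMiddleware(demo_app)

if __name__ == "__main__":
    for app_name, app in (("unprotected", demo_app), ("protected", protected_app)):
        for p in ("/connection/list", "/static/app.css"):
            _, hdrs, _ = call_wsgi(app, p)
            print(f"{app_name:11} {p:18} cacheable: {cacheable_by_browser(hdrs)}")
```

Running the block prints that the dynamic path is cacheable only through the unprotected app, while the static asset stays cacheable through both. The audit helper is case-insensitive on both the header name and the directive, so `private, NO-STORE` is recognised; when checking a real deployment, run it over the headers of an authenticated dynamic page rather than the login page, since that is where cached content would carry sensitive data.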

@openverse-bot openverse-bot requested a review from a team as a code owner June 17, 2024 21:36
@openverse-bot openverse-bot added dependencies Pull requests that update a dependency file 🐍 tech: python Involves Python 💻 aspect: code Concerns the software code in the repository 🟩 priority: low Low priority and doesn't need to be rushed 🧰 goal: internal improvement Improvement that benefits maintainers, not users 🧱 stack: catalog Related to the catalog and Airflow DAGs labels Jun 17, 2024
@openverse-bot openverse-bot force-pushed the gha-renovatepypi-apache-airflow-vulnerability branch 2 times, most recently from f132456 to 407349d Compare June 18, 2024 00:20
@openverse-bot openverse-bot force-pushed the gha-renovatepypi-apache-airflow-vulnerability branch 6 times, most recently from f236727 to 2613855 Compare June 18, 2024 19:05
@zackkrida zackkrida self-requested a review June 18, 2024 20:04
@openverse-bot openverse-bot force-pushed the gha-renovatepypi-apache-airflow-vulnerability branch from 2613855 to 289a188 Compare June 18, 2024 20:34
@zackkrida
Member

Accidentally approved this while looking at the issue, disregard.

Collaborator

@AetherUnbound AetherUnbound left a comment


Built and tested locally, this required one fix to unpin a requirement that had dipped below the Airflow constraints.

@openverse-bot
Collaborator Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@zackkrida zackkrida merged commit cbdcdb5 into main Jun 19, 2024
43 checks passed
@zackkrida zackkrida deleted the gha-renovatepypi-apache-airflow-vulnerability branch June 19, 2024 14:35