
CVE URLs update: www sub-subdomain no longer valid #4827

Merged: 1 commit merged into psf:master from webmaven:patch-1 on Oct 16, 2018

Conversation

@webmaven (Contributor) commented Oct 16, 2018

No description provided.

@nateprewitt (Member) commented Oct 16, 2018

Thanks @webmaven!

@nateprewitt nateprewitt merged commit 2c6a842 into psf:master Oct 16, 2018
1 of 2 checks passed:
- continuous-integration/appveyor/pr: Waiting for AppVeyor build to complete
- continuous-integration/travis-ci/pr: The Travis CI build passed
@webmaven (Contributor, Author) commented Oct 16, 2018

You're welcome @nateprewitt. Was wondering if adding the new CVE (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18074, e.g. #4718) would also be an appropriate documentation change at this point, but would need to know the next release's version number (e.g. 2.19.2, or 2.20?) to include it.

@nateprewitt (Member) commented Oct 16, 2018

@webmaven, thanks for the offer! We’re likely going to be doing a release sometime next week, and I think we’ll get all of that info bundled during the release process.

@cachedout commented Nov 9, 2018

@nateprewitt and @webmaven Do you have any insight as to whether or not this change could be applied to versions 2.6.0 and 2.7.0 and, if so, would doing so address the security concern outlined in the CVE? We're distributing those versions in a public repo and are considering just applying this change instead of forcing users through an upgrade quite far forward. Any thoughts would be much appreciated. :)

@nateprewitt (Member) commented Nov 9, 2018

Hi @cachedout, I think you could apply the patch in #4718 (or a derivative) to the head of 2.6 or 2.7. We don’t have any intention to maintain that in Requests though, since both of those releases are approaching 4 years since release and are 13 versions behind.

If you choose to go down that path for Saltstack, we probably want to make it clear that it’s a forked version of Requests at that point. If you’re already vendoring copies though, that may not be a problem.

@cachedout commented Nov 9, 2018

@nateprewitt Totally understood and thanks for the quick reply. That gives me what I need. Thanks!

@webmaven webmaven deleted the webmaven:patch-1 branch Mar 10, 2019