airflow-dev mailing list archives

From Malik Lalani <mlal...@salesforce.com.INVALID>
Subject Fwd: Python package vulnerabilities in airflow v1.10.10
Date Wed, 03 Jun 2020 21:19:53 GMT
Hi Airflow Dev Team,

We are using airflow v1.10.10 at Salesforce. We ran NexusIQ and found the
following vulnerabilities in packages used in airflow:

*1. package:* moment:2.11.2
    *vulnerabilities:* sonatype-2016-0105, sonatype-2017-0422
    *description:* CVE-2017-18214
<https://nvd.nist.gov/vuln/detail/CVE-2017-18214> has been assigned to
sonatype-2017-0422.
    *remediation:* upgrade to 2.19.3

*2. package:* jquery:1.7.2
    *vulnerabilities:* sonatype-2012-0009, sonatype-2014-0026,
sonatype-2019-0115, sonatype-2020-0187
    *description:* CVE-2012-6708
<https://nvd.nist.gov/vuln/detail/CVE-2012-6708> has been assigned to
sonatype-2012-0009, CVE-2019-11358
<https://nvd.nist.gov/vuln/detail/CVE-2019-11358> has been assigned to
sonatype-2019-0115, CVE-2020-11022
<https://nvd.nist.gov/vuln/detail/CVE-2020-11022> has been assigned to
sonatype-2020-0187
    *remediation:* upgrade to 3.5.0

*3.* CVE-2017-15720 <https://nvd.nist.gov/vuln/detail/CVE-2017-15720>
    *description:* Vendor has a reason to believe that this vulnerability
applies to airflow v1.10.10

We wanted to know whether these packages (1 and 2) can be upgraded to resolve
the vulnerabilities, and we would also really appreciate it if the team could
verify #3. Please let us know how we can help in this regard. We have
attached the vulnerability reports to this email.

Thanks,
- MALIK
Software Engineering SMTS | Salesforce
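A check of the kind a defender would run over a bundled front-end dependency manifest to catch the two package versions reported above, added here as an example; it is not part of the message above or of the Airflow project. The `package.json`-style manifest is constructed for the example, the `FIXED_VERSIONS` floors are the remediation versions named in the report, and the file layout is an assumption rather than Airflow's own. The version parser is numeric so that `1.7.2` correctly ranks below `1.10.0`, which a plain string comparison gets wrong.

```python
"""Flag bundled dependencies that sit below the versions the report names as
the remediation. Hypothetical example, not Airflow project code."""
import json
import re

# Floors taken from the report above: the version each package should be
# upgraded to. Package name -> minimum acceptable version.
FIXED_VERSIONS = {
    "moment": "2.19.3",
    "jquery": "3.5.0",
}

# Constructed sample manifest in package.json shape. The moment and jquery
# versions mirror the reported ones; bootstrap has no floor and is ignored.
SAMPLE_MANIFEST = """{
  "name": "example-webserver-assets",
  "dependencies": {
    "moment": "2.11.2",
    "jquery": "1.7.2",
    "bootstrap": "3.4.1"
  }
}"""


def parse_version(text):
    """Turn '2.19.3' (or '^2.19.3' / 'v2.19') into a tuple of ints so that
    comparison is numeric; lexical comparison would put '1.7.2' above '1.10.0'."""
    match = re.match(r"\D*(\d+(?:\.\d+)*)", text.strip())
    if match is None:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad to three components so '2.19' compares equal to '2.19.0'.
    return parts + (0,) * (3 - len(parts))


def is_below(installed, floor):
    """True when the installed version is strictly older than the floor."""
    return parse_version(installed) < parse_version(floor)


def check_manifest(manifest_text, floors=FIXED_VERSIONS):
    """Return (package, installed, floor) for every dependency in the manifest
    that has a known floor and is still below it."""
    manifest = json.loads(manifest_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    findings = []
    for name, floor in floors.items():
        if name in deps and is_below(deps[name], floor):
            findings.append((name, deps[name], floor))
    return findings


if __name__ == "__main__":
    for name, installed, floor in check_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {installed} is below the fixed version {floor}")
```

Run against a real manifest by reading the file into `check_manifest`; the floors dictionary is the only thing to update as new fixed versions are published.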
