Gunicorn dependency request smuggling vulnerability #15570
Comments
|
Thanks for opening your first issue here! Be sure to follow the issue template! |
|
The ticket states the vulnerability is also fixed in 19.10.0 or higher. |
That is an inaccuracy in the CVE - 20.0.1 is when the fix arrived: https://github.com/benoitc/gunicorn/releases/tag/20.0.2 |
Not reallly. The CVE is correct. The fix has been backported to 19.10.0 : benoitc/gunicorn@9322089 You can see it when you take a look at differences between 19.9.0 and 19.10.0 |
|
Closing as invalid. |
|
@potiuk 19.9.10 has a failing build: And is not listed under the GitHub releases - which go from 19.9.0 to 20.0 https://github.com/benoitc/gunicorn/releases If I have to dig through other projects I'm happy to do so, but from my view, there are only a few possible options:
I'm happy to commit the upgrade myself if required, but I'm not too versed in the Airflow projects specifics and lockfiles. |
|
Gunicorn 19.10.0 (not 19.9.10) was properly released to PyPI: https://pypi.org/project/gunicorn/19.10.0/ I see no reason to disbelive Gunicorn maintainers when they are releasing to PyPI. If you have any doubts, please open an issue in Gunicorn repo (with reference to this issue). I am happy to reopen the issue if your doubts are verified, but we will not actively pursue it. |
|
Thanks for the quick reply - I'll do some more digging :) |
|
As explained in the thread you started, i will look into reasoning why we are using gunicorn < 20. It is strange to find that 1.10 uses > 20 already :) |
It seems that the < 20.0 limit for gunicorn was added at some point in time without actual reason. We are already using gunicorn in 1.10 line of Airflow, so it should not be a problem to bump the version of gunicorn, especially that the 19. line is somewhat deprecated already. This change came after the discussion n apache#15570
It seems that the < 20.0 limit for gunicorn was added at some point in time without actual reason. We are already using gunicorn in 1.10 line of Airflow, so it should not be a problem to bump the version of gunicorn, especially that the 19. line is somewhat deprecated already. This change came after the discussion n #15570
|
@CoburnJoe -> Airflow master is at Gunicorn 20.1 now (#15611). Next release should use it. |
Fantastic - thank you! 🎉 |
It seems that the < 20.0 limit for gunicorn was added at some point in time without actual reason. We are already using gunicorn in 1.10 line of Airflow, so it should not be a problem to bump the version of gunicorn, especially that the 19. line is somewhat deprecated already. This change came after the discussion n apache#15570 (cherry picked from commit d7a14a8)
Hi team!
My organisation is using Airflow, and right now we are unable to comply with our security policies or use our standard build pipeline due to an insecure dependency version (Gunicorn) specified by Airflow. I've messaged the security@ email address, but as this is already a public vulnerability in Gunicorn, and not a proven exploit in Airflow, I was directed over here.
Gunicorn request smuggling vulnerability.
CVSS: https://snyk.io/vuln/SNYK-PYTHON-GUNICORN-541164
Steps to replicate
40104: gunicorn <20.0.1 resolved (19.10.0 installed)!
Gunicorn 20.0.1 fixes chunked encoding support to prevent any request smuggling for security purposes.
This issue is patched in Gunicorn 20.0.1 or higher. Your setup file specifies gunicorn>=19.5.0, <20.0
airflow/setup.cfg
Line 102 in 47cbff9
The text was updated successfully, but these errors were encountered: