CVE URLs update: www sub-subdomain no longer valid #4827

Merged
merged 1 commit into from
Oct 16, 2018


webmaven
Contributor

No description provided.

@nateprewitt
Member

Thanks @webmaven!

@nateprewitt nateprewitt merged commit 2c6a842 into psf:master Oct 16, 2018
@webmaven
Contributor Author

webmaven commented Oct 16, 2018

You're welcome @nateprewitt. Was wondering if adding the new CVE (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18074 e.g. #4718) would also be an appropriate documentation change at this point, but would need to know next release's version number (e.g. 2.19.2, or 2.20?) to include it.

@nateprewitt
Member

@webmaven, thanks for the offer! We’re likely going to be doing a release sometime next week, and I think we’ll get all of that info bundled during the release process.

@cachedout

@nateprewitt and @webmaven Do you have any insight as to whether or not this change could be applied to versions 2.6.0 and 2.7.0 and, if so, would doing so address the security concern outlined in the CVE? We're distributing those versions in a public repo and are considering just applying this change instead of forcing users through an upgrade quite far forward. Any thoughts would be much appreciated. :)

@nateprewitt
Member

Hi @cachedout, I think you could apply the patch in #4718 (or a derivative) to the head of 2.6 or 2.7. We don’t have any intention to maintain that in Requests though since both of those releases are approaching 4 years since release and are 13 versions behind.

If you choose to go down that path for Saltstack, we probably want to make it clear that it’s a forked version of Requests at that point. If you’re already vendoring copies though, that may not be a problem.

@cachedout

@nateprewitt Totally understood and thanks for the quick reply. That gives me what I need. Thanks!

@webmaven webmaven deleted the patch-1 branch March 10, 2019 20:17
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 31, 2021