[requirements][requests] security update for requests in stable branches

Jeremy Stanley fungi at yuggoth.org
Fri Feb 15 18:01:16 UTC 2019


On 2019-02-15 01:27:49 -0600 (-0600), Matthew Thode wrote:
> Recently it was reported to us that requests had a recent release that
> addressed a CVE (CVE-2018-18074).  Requests has no stable branches so
> the only way to update openstack stable branches is to update to 2.20.1
> in this case.
[...]

In the past we've assumed that folks consuming stable branches are
doing so on distributions which are backporting security fixes for
our dependencies anyway, so treating requirements for stable
branches as a snapshot in time (even if that snapshot includes
versions of dependencies with known vulnerabilities) is acceptable.
If we need to start worrying about vulnerable dependencies on stable
branches now, this implies quite a bit of extra work. I don't
personally see any special need to make an exception for the
requests library in this case. Will, e.g., CentOS or Ubuntu be
replacing their LTS python-requests packages with 2.20.1 rather than
just backporting a fix to the package versions they currently have?
-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190215/11bbcbfe/attachment-0001.sig>


More information about the openstack-discuss mailing list