potiuk commented on issue #10429:
URL: https://github.com/apache/airflow/issues/10429#issuecomment-686478994
> Pull request made.
Thanks! I saw that the Astronomer's team will test it once they get the
.lock file. Thanks for that :)
> I did not email [[email protected]](mailto:[email protected]) because
I frankly don't consider this to be worth going through that process. This
vulnerability is not in any way "secret". It's a vulnerability in a dependency,
that Nessus is already alerting on against running airflow servers (mostly
because of some networking equipment that happens to put jquery on a similar
path not because they coded it specifically for airflow). I'm not providing any
information about a working exploit against airflow. I'm not even sure one
exists because I didn't sit down and research how you used jquery to see if
you're using the functionality that has issues.
Sure. I understand the reasons :). I just think in such cases it's better
to be safe than sorry - I understand it's not secret, but just mentioning it
publicly and mentioning the CVE with clear information "it's not yet fixed" might
be something dangerous. It's likely not, in this case, and it is just
strongly encouraged (not required) by the ASF policy mentioned. Not a big
problem I think for now, but something to look out for in the future.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]