
Upgrade `gcloud-aio-auth` to 5.2.+

Open potiuk opened this issue 9 months ago • 2 comments

Body

The gcloud-aio-auth <5.0.0 limits cryptography to <42.0.0, which has CVE-2023-50782, and it blocks Airflow from upgrading to a newer cryptography version.

Committer

  • [X] I acknowledge that I am a maintainer/committer of the Apache Airflow project.

potiuk avatar May 08 '24 13:05 potiuk

cc: @VladaZakharova - maybe your team could take a look at that one:

Here is a comment from provider.yaml

  # When upgrading the major version of gcloud-aio-auth we want to make sure to
  # 1. use at least version 5.2, which uses offset-aware datetime internally
  # 2. override Token's new `refresh` method instead of `acquire_access_token`, which allows us to avoid
  #    dealing with internals like `access_token_acquired_at`
  # 3. continue to `subclass gcloud.aio.auth.token.Token` instead of `BaseToken`, since instances of
  #    `_CredentialsToken` are instances of `Token` and used as such
  - gcloud-aio-auth>=4.0.0,<5.0.0

potiuk avatar May 08 '24 13:05 potiuk

Hi! Yes, sure, thank you

VladaZakharova avatar May 08 '24 13:05 VladaZakharova

This is already completed. Closing

eladkal avatar Aug 23 '24 09:08 eladkal

@eladkal any reference to exact PR?

UPD: found https://github.com/apache/airflow/pull/41262

dimon222 avatar Aug 23 '24 11:08 dimon222