chore(deps): [database-archival] Update dependency apache-airflow-providers-fab to v1.5.2 [SECURITY] #144
Conversation
…viders-fab to v1.5.2 [SECURITY]
![code-review-assist[bot]](https://avatars.githubusercontent.com/in/1008254?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hi team,
I'm currently reviewing this pull request and will provide my feedback in a few minutes. In the meantime, I'm providing this summary of the pull request's content for you and other reviewers to quickly get up to speed on the changes and intent.
This pull request, submitted by Renovate Bot, updates the apache-airflow-providers-fab dependency in the database-archival project from version 1.3.0 to 1.5.2. This is a security update addressing the CVE-2024-45033 vulnerability, which involves insufficient session expiration. The vulnerability allowed users to remain logged in even after a password change via the admin CLI.
Here's a summary of the changes:
- Intent: Address a security vulnerability (CVE-2024-45033) in the
apache-airflow-providers-fablibrary. - Changes: The
requirements.txtfile in theprojects/database-archivaldirectory has been modified to update theapache-airflow-providers-fabdependency version from1.3.0to1.5.2. The SHA256 hashes for the new version have also been updated. - Activity: The pull request was automatically generated by Renovate Bot. It's currently awaiting manual merge.
The pull request includes release notes detailing numerous improvements and bug fixes in versions 1.4.0, 1.4.1, 1.5.0, 1.5.1, and 1.5.2 of apache-airflow-providers-fab. These notes are available in the pull request description.
I'll provide a more detailed review shortly.
A little poem for your coding pleasure:
Security updates, a vital quest,
To keep our systems, truly blessed.
With fixes applied, and worries gone,
Our code runs smoothly, till the dawn.
Thanks!
There was a problem hiding this comment.
This pull request updates the apache-airflow-providers-fab dependency to version 1.5.2 to address a security vulnerability (CVE-2024-45033). The update is necessary and well-justified. The changelog and release notes provide context, although the release notes for v1.5.2 seem to be for a much older version. Overall, the PR is good to merge.
This PR contains the following updates:
==1.3.0->==1.5.2GitHub Vulnerability Alerts
CVE-2024-45033
Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider.
This issue affects Apache Airflow Fab Provider: before 1.5.2.
When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not happen in case change was done with webserver thus this is different from CVE-2023-40273 which was addressed in Apache-Airflow 2.7.0
Users are recommended to upgrade to version 1.5.2, which fixes the issue.
Release Notes
apache/airflow (apache-airflow-providers-fab)
v1.5.2Compare Source
This is probably missing some important items, but most of it should be captured
from __future__imports to prevent regressionmysqlclientlib instead ofmysql-pythonv1.5.1Compare Source
Bugfix around XCom table creation timestamp issue
v1.5.0Compare Source
v1.5.0 is a huge release. Tons of important features.
Make sure to run
airflow upgradedbafter you upgradeImprovements:
airflow upgradedbto get your database up to date as you upgrade Airflowv1.4.1Compare Source
v1.4.0Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.