security vulnerability in requirement version dependencies needs to be updated.

Bug #1815001 reported by Punith Kenchappa
Affects   | Status | Importance | Assigned to | Milestone
pypowervm | New    | Undecided  | Unassigned  |

Bug Description

https://github.com/powervm/pypowervm/blob/master/requirements.txt#L13
https://github.com/powervm/pypowervm/network/alert/requirements.txt/requests/open

More info -
https://nvd.nist.gov/vuln/detail/CVE-2018-18074?cpeVersion=2.2#vulnConfigurationsArea

powervm/pypowervm [3]

Known MODERATE SEVERITY security vulnerability detected in requests <= 2.19.1 defined in requirements.txt [4].

requirements.txt [4] update suggested: requests ~> 2.20.0.

Always verify the validity and compatibility of suggestions with your codebase.

Review vulnerable dependency [5]

Revision history for this message
Matthew Edmonds (edmondsw) wrote :

I would argue that this is not a security vulnerability of pypowervm. We're not requiring a vulnerable version of requests, we're just allowing for it. Anyone concerned about the requests vulnerability (and rightly so) is welcome to use a newer version of requests with pypowervm.

If we bump our requirements to include the newer version, that will force folks to move to the newer requests version when they move to the newer pypowervm version making that change. This is great if they can do that, but could have downstream repercussions on things like PowerVC and OpenStack. Do they require the newer version of requests? Is the newer version of requests available from all the distros where pypowervm needs to work?

Also keep in mind that it's quite possible that a distro has backported the requests security fix to older versions so that they are not vulnerable.

Matthew Edmonds (edmondsw) wrote :

This is public knowledge, so I'm opening this up

information type: Private Security → Public Security
Divya K Konoor (dikonoor) wrote :

OpenStack master lists requests lib version as 2.21.0 >> https://github.com/openstack/requirements/blob/master/upper-constraints.txt#L199

Queens is still at 2.18 >> https://github.com/openstack/requirements/blob/stable/queens/upper-constraints.txt#L193

So from the OpenStack Stein perspective, it should be OK making this switch.

I see that Ubuntu has released patches for their older requests lib versions >> https://usn.ubuntu.com/3790-1/

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
    python-requests - 2.18.4-2ubuntu0.1
    python3-requests - 2.18.4-2ubuntu0.1
Ubuntu 16.04 LTS
    python-requests - 2.9.1-3ubuntu0.1
    python3-requests - 2.9.1-3ubuntu0.1
Ubuntu 14.04 LTS
    python-requests - 2.2.1-1ubuntu0.4
    python-requests-whl - 2.2.1-1ubuntu0.4
    python3-requests - 2.2.1-1ubuntu0.4

I am not sure if Red Hat has any plans >> https://bugzilla.redhat.com/show_bug.cgi?id=1643829

Matthew Edmonds (edmondsw) wrote :

Be careful... upper-constraints.txt just sets an upper limit. I.e., that means requests cannot be newer than 2.21.0. It does not mean that requests should be 2.21.0, which is a very different story.

And what you show with the Ubuntu versions illustrates exactly why we should NOT change pypowervm to require requests>=2.20.0. To do so would mean that nobody can run pypowervm with Canonical's requests packages on any current Ubuntu release even though they have released fixed packages for all of those releases. And that's just Ubuntu. Pypowervm also needs to run on RHEL, CentOS, Fedora, Debian, etc.
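
The distinction drawn above (an upper constraint admits everything below it, while `>=2.20.0` rejects every distro-patched 2.18.x/2.9.x build) can be made concrete. The following is an added example, not pypowervm code or a tool used in this thread: a stdlib-only evaluator for PEP 440-style specifier clauses, run over the requests versions named in the thread. The version list and its "vulnerable"/"distro_patched" flags are constructed from the thread's own statements; `~=` is the PEP 440 spelling of the `~>` operator in the GitHub alert. Production tooling should use the `packaging` library, which handles the full grammar.

```python
"""What does a requirements.txt line actually admit?

Added example; this is not pypowervm code. It is a minimal evaluator for
PEP 440-style specifiers (==, !=, <, <=, >, >=, ~=) on plain dotted
release versions, applied to the requests versions named in this thread.
The sample versions and their patch status are constructed from the
thread; the real `packaging` library handles the full grammar and is what
production tooling should use.
"""
import re
from itertools import zip_longest

# Constructed sample data: requests versions mentioned in this thread.
# distro_patched marks versions the thread says Ubuntu shipped with the
# fix backported while keeping the upstream version number.
SAMPLE_VERSIONS = {
    "2.9.1":  {"vulnerable": True,  "distro_patched": True},
    "2.18.4": {"vulnerable": True,  "distro_patched": True},
    "2.19.1": {"vulnerable": True,  "distro_patched": False},
    "2.20.0": {"vulnerable": False, "distro_patched": False},
    "2.21.0": {"vulnerable": False, "distro_patched": False},
}

_CLAUSE_RE = re.compile(r"^\s*(~=|==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*$")
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")


def parse_version(text):
    """'2.18.4' -> (2, 18, 4)."""
    return tuple(int(p) for p in text.strip().split("."))


def compare(a, b):
    """Three-way compare of version tuples; missing components count as 0,
    so (2, 20) == (2, 20, 0)."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def clause_matches(clause, version):
    """Does a single clause such as '>=2.20.0' admit `version`?"""
    m = _CLAUSE_RE.match(clause)
    if not m:
        raise ValueError("unsupported specifier clause: %r" % clause)
    op, target = m.groups()
    v, t = parse_version(version), parse_version(target)
    c = compare(v, t)
    if op == "==":
        return c == 0
    if op == "!=":
        return c != 0
    if op == "<":
        return c < 0
    if op == "<=":
        return c <= 0
    if op == ">":
        return c > 0
    if op == ">=":
        return c >= 0
    # "~=" (compatible release): >= target and same prefix once the last
    # component is dropped, so ~=2.20.0 means >=2.20.0, ==2.20.*.
    if len(t) < 2:
        raise ValueError("~= needs at least two version components: %r" % clause)
    prefix = t[:-1]
    return c >= 0 and compare(v[:len(prefix)], prefix) == 0


def admitted(requirement, versions=SAMPLE_VERSIONS):
    """Sample versions admitted by a requirement line such as
    'requests>=2.20.0,!=2.12.0', in ascending order."""
    name, spec = _REQ_RE.match(requirement).groups()
    clauses = [c for c in spec.split(",") if c.strip()]
    return sorted((v for v in versions if all(clause_matches(c, v) for c in clauses)),
                  key=parse_version)


def admits_unpatched_vulnerable(requirement):
    """True if the requirement admits a version that is vulnerable upstream
    and that no distro in the thread is said to have patched."""
    return any(SAMPLE_VERSIONS[v]["vulnerable"] and not SAMPLE_VERSIONS[v]["distro_patched"]
               for v in admitted(requirement))


def excludes_distro_patched(requirement):
    """True if the requirement rejects a version a distro shipped with the
    fix backported (the objection to requiring >=2.20.0)."""
    ok = set(admitted(requirement))
    return any(meta["distro_patched"] and v not in ok for v, meta in SAMPLE_VERSIONS.items())


if __name__ == "__main__":
    for req in ("requests", "requests!=2.12.0", "requests>=2.20.0",
                "requests~=2.20.0", "requests<=2.21.0"):
        print("%-20s admits %s" % (req, ", ".join(admitted(req))))
```

Running it shows the three positions in the thread side by side: `requests<=2.21.0` (the upper-constraints shape) admits every sample version, so it forces nothing; `requests>=2.20.0` rejects both versions Ubuntu patched; and a bare `!=` exclusion of one old release still admits the unpatched 2.19.1.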

ymadhavi@in.ibm.com (ymadhavi) wrote :

Can we update our requirements.txt, not to support requests 2.20.0?

https://github.com/powervm/pypowervm/blob/master/requirements.txt#L13
requests!=2.12.0?

Divya K Konoor (dikonoor) wrote :

Madhavi, as per the CVE, all versions under 2.20 have this vulnerability. So, updating requirements to not support 2.20 does not fix the problem. Also, as I pointed out above, certain platforms/distros have released patches (e.g. Ubuntu has patches on 2.18).

"Python Requests before version 2.20.0 does not remove the HTTP Authorization header when following a HTTPS to HTTP redirect, allowing for the potential transmission of user credentials in plaintext."
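
The CVE text quoted above describes a redirect-handling decision: whether an Authorization header set for the original request is carried to the redirect target. The following is an added example and is not the requests library's code or pypowervm's: it models, from the CVE description only, the pre-2.20.0 policy (drop the header only when the host changes, so a same-host HTTPS to HTTP redirect still sends it in plaintext) beside a hardened policy that also refuses scheme downgrades and port changes. All URLs and the token value are constructed.

```python
"""Model of the redirect credential-forwarding decision behind CVE-2018-18074.

Added example, not code from requests or pypowervm. It models two policies
for an Authorization header when a client follows a redirect: the
pre-2.20.0 behaviour as described in the CVE text (strip only when the host
changes, so an HTTPS -> HTTP redirect on the same host leaks the header in
plaintext) and a hardened policy that also refuses to downgrade from HTTPS
to HTTP. The URLs are constructed; this is not the library's implementation.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, effective port) for a URL, filling in default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def strip_auth_legacy(old_url, new_url):
    """Behaviour the CVE describes for requests before 2.20.0: the header is
    dropped only when the redirect target is a different host."""
    return _origin(old_url)[1] != _origin(new_url)[1]


def strip_auth_hardened(old_url, new_url):
    """Drop the header when the host changes, when a secure origin is
    downgraded to plaintext, or when the port changes. A same-host
    http -> https upgrade on the default ports keeps the header, since the
    credentials only ever travel over the stronger channel."""
    old_scheme, old_host, old_port = _origin(old_url)
    new_scheme, new_host, new_port = _origin(new_url)
    if old_host != new_host:
        return True
    if old_scheme == "https" and new_scheme != "https":
        return True  # plaintext downgrade: credentials would leave the encrypted channel
    if old_scheme == "http" and new_scheme == "https" and old_port == 80 and new_port == 443:
        return False
    return old_port != new_port or old_scheme != new_scheme


def follow_redirect(headers, old_url, new_url, policy):
    """Headers the client would send to new_url under `policy`."""
    forwarded = dict(headers)
    if "Authorization" in forwarded and policy(old_url, new_url):
        del forwarded["Authorization"]
    return forwarded


def redirect_leaks_credentials(old_url, new_url, policy):
    """True if a client using `policy` would send the Authorization header
    over plain HTTP after following the redirect."""
    headers = follow_redirect({"Authorization": "Basic <constructed-token>"},
                              old_url, new_url, policy)
    return "Authorization" in headers and _origin(new_url)[0] == "http"


if __name__ == "__main__":
    # Constructed redirect: same host, HTTPS downgraded to HTTP.
    old, new = "https://api.example.test/v1/login", "http://api.example.test/v1/login"
    print("legacy policy leaks:  ", redirect_leaks_credentials(old, new, strip_auth_legacy))
    print("hardened policy leaks:", redirect_leaks_credentials(old, new, strip_auth_hardened))
```

The same functions double as a quick way to reason about what a distro backport must change: a build is fixed when the same-host HTTPS to HTTP case no longer forwards the header, regardless of the version string it reports.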
