psycopg / psycopg2

PostgreSQL database adapter for the Python programming language

Home Page: https://www.psycopg.org/


vulnerability with psycopg2 2.7.3.2

sunilkumar207106 opened this issue

Please complete the following information:

  • OS: AlmaLinux 8.8 (Sapphire Caracal)
  • Psycopg version: psycopg2 2.7.3.2
  • Python version: 3.6
  • PostgreSQL version: psql (PostgreSQL) 15.2
  • pip version: pip 21.3.1 from /usr/local/lib/python3.6/site-packages/pip (python 3.6)

Describe the bug
I found that this particular package has the vulnerabilities below:
CVE-2021-3711
CVE-2022-1292
CVE-2022-2068
CVE-2023-4807
CVE-2021-23840
CVE-2022-0778
CVE-2022-4450
CVE-2023-0215
CVE-2023-0464
CVE-2021-3712
CVE-2023-0286
CVE-2023-2650
CVE-2020-1971
CVE-2021-23841
CVE-2021-3449
CVE-2021-4160
CVE-2022-4304
CVE-2024-0727
CVE-2022-2097
CVE-2023-0465
CVE-2023-0466
CVE-2023-3817
CVE-2023-5678

To remove these I tried updating the package, but I am not sure which version of this package does not have these issues.
If someone can help point out whether any version of this package does not contain the above vulnerabilities, please let me know.
Thank you.

2.7.3.2 was released in 2017, more than 6 years ago.

Could you please also tell me which version of the psycopg package does not have these vulnerabilities?

No, I can't. I don't know in which version they were fixed in the libraries we bundled. You can use the git history of the project to figure it out or you can pay me for my time to look it up for you.

I suggest that you don't use psycopg2-binary. Use psycopg2 and the library will bind with the OpenSSL and other libraries on your system. From there on you can use your OS facilities to manage library upgrades and security updates.
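A way to verify the distinction the maintainer draws, as an added example that is not psycopg's own code: it runs `ldd` on the installed `_psycopg` extension and reports whether `libssl`/`libcrypto` resolve to OS-managed files or to copies bundled inside site-packages (it assumes `ldd` is available and that bundled wheels keep their libraries under a `<distribution>.libs` directory, as auditwheel-repaired wheels such as psycopg2-binary do).

```python
"""Report whether an installed psycopg2 links OpenSSL from the OS or from
libraries bundled in the wheel. Example code, not part of psycopg."""
import importlib.util
import re
import subprocess

# One ldd line looks like: "\tlibssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x...)"
_LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)")

# Libraries whose patch level the reported CVEs depend on (OpenSSL).
WATCHED = ("libssl", "libcrypto")


def classify_ldd(ldd_output):
    """Map each watched shared library to 'bundled' or 'system'.

    Assumption: wheels repaired by auditwheel ship their own copies under a
    ``<distribution>.libs`` directory in site-packages; a library resolved
    from such a path is never touched by OS package updates.
    """
    result = {}
    for line in ldd_output.splitlines():
        m = _LDD_LINE.match(line)
        if not m:
            continue
        soname, path = m.groups()
        if not soname.startswith(WATCHED):
            continue
        bundled = ".libs/" in path or "site-packages" in path
        result[soname] = "bundled" if bundled else "system"
    return result


def installed_psycopg_linkage():
    """Run ldd on the installed _psycopg extension; None if unavailable."""
    try:
        spec = importlib.util.find_spec("psycopg2._psycopg")
    except ImportError:
        return None
    if spec is None or not spec.origin:
        return None
    try:  # stdout=PIPE/universal_newlines keep this runnable on Python 3.6
        proc = subprocess.run(["ldd", spec.origin], stdout=subprocess.PIPE,
                              universal_newlines=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return classify_ldd(proc.stdout)


if __name__ == "__main__":
    print(installed_psycopg_linkage() or "psycopg2 not importable or ldd missing")
```

A result of `bundled` means OS updates to OpenSSL do not reach this copy; rebuilding against the system libraries with `pip install --no-binary psycopg2 psycopg2` (or installing the `psycopg2` source distribution, as suggested above) is what makes the OS patch process apply.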