Could you help upgrade the vulnerable shared library introduced by package pywf?
JoeGardner000 opened this issue · comments
Hi @kedixa, @Barenboim, I'd like to report a vulnerability issue in pywf_0.0.8.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph (only the part of the graph that depends on vulnerable shared libraries is shown), pywf_0.0.8 directly or transitively depends on 12 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:
libgssapi_krb5-156d2cf0.so.2.2, libk5crypto-a4eb5019.so.3.1 and libkrb5-699ac2fc.so.3.3 from the C project krb5 (version 1.16) expose 4 vulnerabilities: CVE-2021-37750, CVE-2021-36222, CVE-2015-8629, CVE-2015-8630
Suggested Vulnerability Patch Versions
krb5 has fixed the vulnerabilities in versions >=1.19.3
Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (pywf has 1,752 downloads per month), could you please upgrade the above shared libraries to their patched versions?
Thanks for your help~
Best regards,
Joe Gardner
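The issue points out that Python build tools do not report the native libraries vendored into a wheel. Because a wheel is just a zip archive and auditwheel renames the copied libraries as `<name>-<hash>.so[.soversion]`, a downstream consumer can inventory them without installing or loading anything. The following script is an added example written for this issue, not code from the pywf project: it lists the vendored `.so` files in a wheel, recovers their canonical names, and matches them against a small advisory table constructed from the CVE ids and fixed version quoted above. The soversion in the filename (`.so.3.3`) is an ABI number, not the krb5 release, so the upstream version has to be supplied separately (here `{"krb5": "1.16"}`, as stated in the issue); the sample wheel, the `libz` entry and its hash are constructed.

```python
"""Inventory the shared libraries vendored into a Python wheel and match them
against a small advisory table. Added example for this issue; it is not code
from the pywf project, and the advisory table is constructed from the issue."""
import io
import re
import zipfile
from pathlib import PurePosixPath

# auditwheel (and delocate on macOS) copy native dependencies into
# <package>.libs/ and rename them <name>-<8 hex chars>.so[.soversion].
_VENDORED = re.compile(
    r"^(?P<name>lib[A-Za-z0-9_+]+)-(?P<tag>[0-9a-f]{8})\.so(?:\.(?P<sover>[0-9.]+))?$"
)

# Constructed advisory table keyed by vendored library name. The project,
# fixed version and CVE ids are the ones quoted in the issue text.
KRB5_CVES = ("CVE-2021-37750", "CVE-2021-36222", "CVE-2015-8629", "CVE-2015-8630")
ADVISORIES = {
    "libkrb5": {"project": "krb5", "fixed_in": "1.19.3", "cves": KRB5_CVES},
    "libk5crypto": {"project": "krb5", "fixed_in": "1.19.3", "cves": KRB5_CVES},
    "libgssapi_krb5": {"project": "krb5", "fixed_in": "1.19.3", "cves": KRB5_CVES},
}


def version_tuple(version):
    """'1.19.3' -> (1, 19, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def inventory(wheel):
    """Return one record per vendored shared library found in a wheel.

    `wheel` is a path or file-like object; a wheel is a zip archive, so no
    extraction or dynamic loading is needed to read the list of .so files."""
    records = []
    with zipfile.ZipFile(wheel) as zf:
        for entry in zf.namelist():
            path = PurePosixPath(entry)
            if not path.parent.name.endswith(".libs"):
                continue
            match = _VENDORED.match(path.name)
            if match:
                records.append({"path": entry, **match.groupdict()})
    return records


def audit(records, observed_versions, advisories=ADVISORIES):
    """Match vendored libraries against the advisory table.

    The soversion in the filename (e.g. libkrb5 .so.3.3) is an ABI number, not
    the upstream release, so the upstream version must be supplied in
    `observed_versions` (project -> version, e.g. from the build recipe).
    Libraries whose project version is unknown are reported as 'unknown'
    rather than silently passed."""
    findings = []
    for rec in records:
        adv = advisories.get(rec["name"])
        if adv is None:
            continue
        observed = observed_versions.get(adv["project"])
        if observed is None:
            status = "unknown"
        elif version_tuple(observed) < version_tuple(adv["fixed_in"]):
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append({
            "library": rec["path"],
            "project": adv["project"],
            "observed": observed,
            "fixed_in": adv["fixed_in"],
            "status": status,
            "cves": adv["cves"] if status == "vulnerable" else (),
        })
    return findings


def build_sample_wheel():
    """Constructed in-memory wheel whose .libs entries mirror the issue's list,
    plus one unrelated library (the libz name and hash are made up) that is
    not in the advisory table."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pywf/__init__.py", "")
        zf.writestr("pywf.libs/libgssapi_krb5-156d2cf0.so.2.2", b"\x7fELF")
        zf.writestr("pywf.libs/libk5crypto-a4eb5019.so.3.1", b"\x7fELF")
        zf.writestr("pywf.libs/libkrb5-699ac2fc.so.3.3", b"\x7fELF")
        zf.writestr("pywf.libs/libz-0123abcd.so.1.2.11", b"\x7fELF")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    recs = inventory(build_sample_wheel())
    for f in audit(recs, {"krb5": "1.16"}):
        print(f["status"].upper(), f["library"], "->", f["project"], f["observed"],
              "fixed in", f["fixed_in"], ", ".join(f["cves"]))
```

Against a real wheel, pass its path to `inventory()` and take the upstream versions from the build recipe or the manylinux image that produced it; `auditwheel show <wheel>` gives the same list of vendored libraries but, as the issue notes, says nothing about whether they are patched.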