tink 1.7.0 depends on protobuf 3.20.1 which has a security vulnerability patched in a newer version
darkvertex opened this issue
tink 1.7.0 for Python depends on protobuf 3.20.1, which has an alleged security vulnerability as per this report from OSV:
https://osv.dev/vulnerability/GHSA-8gq9-2x98-w8hf
We can see the requirement here: https://github.com/google/tink/blob/1.7/python/requirements.txt
As per the report:
Please update to the latest available versions of the following packages:
- protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6)
- protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)
Can you guys update tink to at least use protobuf 3.20.2?
Hi @darkvertex, since a6b2384 Tink requires protobuf>=4.21.9. This will be included in the next release.
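A small checker for the situation in this thread, added here as an example (not Tink's or OSV's code): it reads a requirements.txt body, finds the protobuf specifier, and decides whether a `==` pin or a `>=` floor can still resolve to an affected release. The affected ranges are my reading of the fixed versions quoted from the report (3.18.3, 3.19.5, 3.20.2, 4.21.6); the OSV record itself is authoritative.

```python
"""Check a requirements.txt protobuf specifier against advisory fix versions.

Added example, not Tink's or OSV's code. AFFECTED_RANGES is constructed
from the fixed versions quoted in the issue; verify against the OSV record.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(s: str) -> Version:
    """Turn '3.20.1' into (3, 20, 1); non-numeric suffixes are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", s))

# Half-open (introduced, fixed) pairs: introduced <= v < fixed is affected.
# Constructed from the fix list "3.18.3, 3.19.5, 3.20.2, 4.21.6".
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("0", "3.18.3"),
    ("3.19.0", "3.19.5"),
    ("3.20.0", "3.20.2"),
    ("4.0.0", "4.21.6"),
]

def is_affected(version: str, ranges=AFFECTED_RANGES) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)

def spec_is_affected(op: str, floor: str, ranges=AFFECTED_RANGES) -> bool:
    """'==' is exact; '>=' may resolve to the floor or anything newer, so an
    affected range that starts above the floor is still reachable."""
    if op == "==":
        return is_affected(floor, ranges)
    f = parse_version(floor)
    return is_affected(floor, ranges) or any(parse_version(lo) > f for lo, _ in ranges)

# Matches lines such as "protobuf==3.20.1" or "protobuf>=4.21.9".
SPEC_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=)\s*([0-9][0-9.]*)")

def check_requirements(text: str, package: str = "protobuf") -> Optional[Dict[str, object]]:
    """Return {'spec', 'affected'} for the package's line, or None if absent."""
    for line in text.splitlines():
        m = SPEC_RE.match(line)
        if not m or m.group(1).lower() != package:
            continue
        op, ver = m.group(2), m.group(3)
        return {"spec": f"{package}{op}{ver}", "affected": spec_is_affected(op, ver)}
    return None
```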
Hi @morambro could you please link to the release schedule? I couldn't find any information on when the next (presumably) 1.8.0 release is planned.
We are migrating each library to its own repository. The migration of each library coincides with the next release, which for Tink Python should be complete in Q3/23 (https://github.com/google/tink#tink).