tink 1.7.0 depends on protobuf 3.20.1 which has a security vulnerability patched in a newer version

Question

tink 1.7.0 depends on protobuf 3.20.1 which has a security vulnerability patched in a newer version

darkvertex opened this issue a year ago · comments

tink 1.7.0 for Python depends on protobuf 3.20.1, which has an alleged security vulnerability as per this report from OSV:
https://osv.dev/vulnerability/GHSA-8gq9-2x98-w8hf

We can see the requirement here: https://github.com/google/tink/blob/1.7/python/requirements.txt

As per the report:

Please update to the latest available versions of the following packages:

protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6)

protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)

Can you guys update tink to at least use protobuf 3.20.2?

Moreno Ambrosin · Answer 1 · Wed Jul 26 2023 18:59:13 GMT+0800 (China Standard Time)

Hi @darkvertex since a6b2384 Tink requires protobuf>=4.21.9. This will be included in the next release.

Nikita Chepanov · Answer 2 · Sat Aug 05 2023 04:51:19 GMT+0800 (China Standard Time)

Hi @morambro could you please link to the release schedule? I couldn't find any information on when the next (presumably) 1.8.0 release is planned.

Moreno Ambrosin · Answer 3 · Mon Aug 14 2023 18:31:35 GMT+0800 (China Standard Time)

We are migrating each library to its own repository. The migration of each library coincides with the next release, which for Tink Python should be complete in Q3/23 (https://github.com/google/tink#tink).

Moreno Ambrosin · Answer 4 · Mon Aug 28 2023 19:04:12 GMT+0800 (China Standard Time)

1.8.0 is out (notes, pypi), which includes a fix for this issue.