Known vulnerabilities in the C library ncurses which wasmer-compiler depends on. Can you help upgrade to patched versions?
MikeWazoWski123 opened this issue · comments
Hi, @Hywan , @syrusakbary , I'd like to report a vulnerability issue in wasmer-compiler-llvm_1.1.0.
[Figure: dependency graph between Python and shared libraries]
Issue Description
As shown in the above dependency graph, wasmer-compiler-llvm_1.1.0 directly depends on 1 C library (.so). However, I noticed that this C library is vulnerable, containing the following CVEs:
libtinfo-91270aa7.so.5
from the C project ncurses (version 6.1), exposing 5 vulnerabilities:
CVE-2019-17595, CVE-2019-17594, CVE-2018-19217, CVE-2018-19211, CVE-2021-39537
Suggested Vulnerability Patch Versions
ncurses has fixed the vulnerabilities in versions >= 6.3.
Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (wasmer-compiler-llvm has 1,733 downloads per month), could you please upgrade the above shared library to its patched version?
Thanks for your help~
Best regards,
MikeWazowski
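The report above hinges on a native library that pip and the usual Python audit tools never see, because it is copied into the wheel by the manylinux repair step rather than declared as a dependency. The following script, added here as an example and not part of the issue or of the wasmer project, inventories those vendored shared objects so a maintainer or downstream consumer can check them against upstream advisories. It assumes the auditwheel layout (external `.so` files placed under a `<package>.libs/` directory and renamed to `<lib>-<8 hex chars>.so[.N]`, exactly the shape of `libtinfo-91270aa7.so.5`); the `UPSTREAM` table is constructed from the single ncurses entry in the issue, and the wheel path is whatever the user passes in.

```python
"""Inventory native shared libraries vendored into a Python wheel.

Added example (not the issue's or the wasmer project's code). Assumes the
manylinux/auditwheel convention: repaired wheels copy external .so files into a
`<package>.libs/` directory and mangle their names as `<lib>-<8 hex>.so[.N]`.
"""
import re
import sys
import zipfile
from pathlib import Path

# Name pattern produced by `auditwheel repair`, e.g. libtinfo-91270aa7.so.5.
# The 8 hex characters are a content hash, NOT the upstream version, so the
# version still has to be confirmed from the ELF file or the build recipe.
MANGLED_SO = re.compile(
    r"^(?P<base>lib.+?)-(?P<tag>[0-9a-f]{8})\.so(?:\.(?P<sover>[0-9][0-9.]*))?$"
)

# Constructed lookup table: which upstream C project a vendored library comes
# from and the first version the issue names as fixed. Only the entry taken
# from the issue is real; extend it from your own advisory feed.
UPSTREAM = {
    "libtinfo": {"project": "ncurses", "fixed_in": "6.3"},
}


def parse_vendored_name(filename):
    """Split an auditwheel-mangled file name into base, hash tag and SONAME version."""
    match = MANGLED_SO.match(Path(filename).name)
    if not match:
        return None
    return {
        "base": match["base"],
        "tag": match["tag"],
        "soversion": match["sover"] or "",
    }


def list_vendored_libs(wheel_path):
    """Return every mangled .so stored under a `*.libs/` directory in the wheel.

    Extension modules living next to the package's own .py files (for example
    `_ext.cpython-39-x86_64-linux-gnu.so`) are deliberately skipped: they are
    the project's own build output, not a vendored third-party library.
    """
    found = []
    with zipfile.ZipFile(wheel_path) as wheel:
        for name in wheel.namelist():
            parts = name.split("/")
            if len(parts) < 2 or not parts[-2].endswith(".libs"):
                continue
            info = parse_vendored_name(parts[-1])
            if info:
                info["path"] = name
                found.append(info)
    return found


def libs_needing_review(wheel_path, upstream=UPSTREAM):
    """Match vendored libraries against the upstream table and report which
    ones need their version confirmed against the named fixed release."""
    report = []
    for lib in list_vendored_libs(wheel_path):
        meta = upstream.get(lib["base"])
        if meta:
            report.append({
                "path": lib["path"],
                "project": meta["project"],
                "fixed_in": meta["fixed_in"],
            })
    return report


if __name__ == "__main__":
    # Usage: python vendored_libs.py path/to/package.whl
    for entry in libs_needing_review(sys.argv[1]):
        print(f"{entry['path']}: from {entry['project']}, confirm version >= {entry['fixed_in']}")
```

The script is deliberately a triage tool, not a verdict: the mangled file name only tells you which upstream project shipped the library, so the last step (reading the version out of the ELF, or out of the Docker image and build script that produced the wheel) still has to happen before a CVE can be confirmed or ruled out. Run it in CI against every produced wheel and the list of vendored libraries becomes something that is reviewed on each release instead of discovered by a downstream user.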