AdaptiveParticles/pyapr

Potential security vulnerabilities in the shared libraries which pyapr depends on. Can you help upgrade to patch versions?

MikeWazoWski123 opened this issue · 0 comments

Hi, @cheesema , @joeljonsson , I'd like to report a vulnerability issue in pyapr_0.0.0.4.

Dependency Graph between Python and Shared Libraries

[image: dependency graph between Python and shared libraries]

Issue Description

As shown in the above dependency graph (which shows only the vulnerable dependencies), pyapr_0.0.0.4 directly or transitively depends on 8 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:
libhdf5_serial-211b542f.so.100.0.1 from C project hdf5 (version: 1.10.0) exposed 14 vulnerabilities:
CVE-2020-10811, CVE-2020-10812, CVE-2020-10810, CVE-2020-10809, CVE-2019-8396, CVE-2018-17437, CVE-2018-17432, CVE-2018-17433, CVE-2018-17434, CVE-2018-17438, CVE-2018-17436, CVE-2018-17233, CVE-2018-17234, CVE-2018-17237
libjpeg-0784ef09.so.62.2.0 from C project libjpeg-turbo (version: 1.5.2) exposed 2 vulnerabilities:
CVE-2018-14498, CVE-2017-15232

Suggested Vulnerability Patch Versions

hdf5 has fixed the vulnerabilities in versions >=1.12.1
libjpeg-turbo has fixed the vulnerabilities in versions >=2.0.0

Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular Python package (pyapr has 2,514 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,
MikeWazowski
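Added example, not from the issue or the pyapr project: a Python audit that inventories the auditwheel-mangled .so files bundled in a wheel and checks them against the advisory table transcribed from the report above. The wheel contents are constructed inline, and the per-project build versions are an assumed input (in practice taken from the wheel's build recipe), since the mangled filename carries only the soname, not the project version.

```python
import io
import re
import zipfile
# auditwheel-style mangled name, e.g. "libhdf5_serial-211b542f.so.100.0.1" ->
# base "libhdf5_serial", hash tag "211b542f", soversion "100.0.1".
MANGLED_SO = re.compile(r"^(?P<base>lib[^-]+)-(?P<tag>[0-9a-f]{8})\.so(?:\.(?P<sover>[\d.]+))?$")
# Advisory table transcribed from the issue above: base name -> project, first fixed version, CVEs.
ADVISORIES = {
    "libhdf5_serial": {"project": "hdf5", "fixed_in": "1.12.1", "cves": [
        "CVE-2020-10811", "CVE-2020-10812", "CVE-2020-10810", "CVE-2020-10809", "CVE-2019-8396",
        "CVE-2018-17437", "CVE-2018-17432", "CVE-2018-17433", "CVE-2018-17434", "CVE-2018-17438",
        "CVE-2018-17436", "CVE-2018-17233", "CVE-2018-17234", "CVE-2018-17237"]},
    "libjpeg": {"project": "libjpeg-turbo", "fixed_in": "2.0.0", "cves": ["CVE-2018-14498", "CVE-2017-15232"]},
}
def version_tuple(v):
    return tuple(int(p) for p in v.split("."))  # "1.10.0" -> (1, 10, 0): numeric, not string, order

def bundled_libraries(wheel_bytes):
    """List (base, tag, soversion) for every mangled .so under the wheel's top-level *.libs/ dir."""
    found = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) == 2 and parts[0].endswith(".libs"):
                m = MANGLED_SO.match(parts[1])
                if m:
                    found.append((m["base"], m["tag"], m["sover"]))
    return found

def audit(wheel_bytes, build_versions, advisories=ADVISORIES):
    """Flag bundled libraries whose project version (from build_versions) is below the fix threshold."""
    findings = []
    for base, tag, sover in bundled_libraries(wheel_bytes):
        adv = advisories.get(base)
        if adv is None:
            continue  # no advisory on file for this library
        built = build_versions.get(adv["project"])  # missing version is treated as unfixed
        if built is None or version_tuple(built) < version_tuple(adv["fixed_in"]):
            findings.append({"file": f"{base}-{tag}.so.{sover}", "project": adv["project"],
                             "built": built, "upgrade_to": adv["fixed_in"], "cves": adv["cves"]})
    return findings

def constructed_wheel():
    """Constructed stand-in for a pyapr wheel: empty .so entries named as in the issue."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pyapr.libs/libhdf5_serial-211b542f.so.100.0.1", b"")
        zf.writestr("pyapr.libs/libjpeg-0784ef09.so.62.2.0", b"")
        zf.writestr("pyapr.libs/libz-deadbeef.so.1.2.11", b"")  # constructed; no advisory on file
    return buf.getvalue()
```

Running `audit(constructed_wheel(), {"hdf5": "1.10.0", "libjpeg-turbo": "1.5.2"})` reproduces the two findings from the issue, while the same wheel built against hdf5 1.12.1 and libjpeg-turbo 2.0.0 yields none.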