Several vulnerabilities in the C library which pytraj depends on. Could you help upgrade to patch versions?
JoeGardner000 opened this issue · 3 comments
Hi, @hainm , @swails , I'd like to report a vulnerability issue in pytraj_2.0.5.
[Figure: Dependency Graph between Python and Shared Libraries]
Issue Description
As shown in the above dependency graph (this shows only the part of the dependency graph that involves vulnerable shared libraries), pytraj_2.0.5 directly or transitively depends on 35 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:
libidn-b9d21c09.so.11.5.19
from C project libidn(version:1.28) exposed 3 vulnerabilities:
CVE-2015-8948, CVE-2016-6261, CVE-2016-6262
Suggested Vulnerability Patch Versions
libidn has fixed the vulnerabilities in versions >=1.33
Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (pytraj has 5,580 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
Joe Gardner
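The report above points out that pip and setuptools never surface the C libraries bundled into a wheel. The script below is an added example (not code from the pytraj project or from the reporter) that inventories the auditwheel-style vendored libraries in a wheel file, parsing names such as libidn-b9d21c09.so.11.5.19 into library, hash tag and soname version; the sample wheel it builds in memory is constructed, and the libcpptraj entry and its hash tag are invented for illustration.

```python
"""Inventory native shared libraries vendored into a Python wheel.

Added example, not part of pytraj. Wheels repaired with auditwheel carry
their C dependencies under <package>.libs/ with an 8-hex-digit tag inserted
before ".so" (e.g. libidn-b9d21c09.so.11.5.19). pip never lists them, so
this script extracts them for a manual check against a CVE database.
"""
import io
import re
import zipfile

# auditwheel-style file name: <lib>-<8 hex chars>.so[.<soname version>]
MANGLED = re.compile(
    r"^(?P<lib>[^/]+?)-(?P<tag>[0-9a-f]{8})\.so(?:\.(?P<ver>[\d.]+))?$"
)


def vendored_libs(wheel_bytes: bytes):
    """Return sorted [(library, hash_tag, soname_version)] for every bundled .so."""
    found = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as wheel:
        for name in wheel.namelist():
            directory, _, base = name.rpartition("/")
            # Vendored libraries live in a top-level "<package>.libs/" directory;
            # the package's own extension modules elsewhere are not dependencies.
            if not directory.endswith(".libs"):
                continue
            m = MANGLED.match(base)
            if m:
                found.append((m["lib"], m["tag"], m["ver"] or ""))
    return sorted(found)


def build_sample_wheel() -> bytes:
    """Constructed stand-in for a pytraj wheel; file contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wheel:
        wheel.writestr("pytraj/__init__.py", "")
        wheel.writestr("pytraj.libs/libidn-b9d21c09.so.11.5.19", b"\x7fELF")
        # libcpptraj name and tag are made up for this example
        wheel.writestr("pytraj.libs/libcpptraj-0123abcd.so", b"\x7fELF")
        wheel.writestr("pytraj/_ext.cpython-38-x86_64-linux-gnu.so", b"\x7fELF")
    return buf.getvalue()


if __name__ == "__main__":
    for lib, tag, ver in vendored_libs(build_sample_wheel()):
        print(f"{lib:12s} tag={tag} soname_version={ver or '-'}")
```

Note that the soname version recovered from the file name (11.5.19) is not the upstream release (1.28 in the report); mapping one to the other still needs the build environment's package metadata.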
I have no idea what you are talking about and your account is quite new. So I close this issue.
CVEs are tracked vulnerabilities in commonly used software. Three of them affect shared libraries that pytraj currently links to/brings in (@JoeGardner000 I assume this is conda-forge? PyPI? What repository are you talking about?).
It would be best to rebuild the binary pytraj distribution to link to newer versions of the libraries (should just require minting a new build of pytraj and libcpptraj within conda).
@swails , thanks for your help.
"I assume this is conda-forge? PyPI? What repository are you talking about?"
I downloaded pytraj from the PyPI repository.
Best regards,
Joe Gardner