DHI/terracotta

Could you help upgrade the vulnerable dependency in terracotta?

JoeGardner000 opened this issue · 4 comments

Hi, @dionhaefner , @mrpgraae , I'd like to report a vulnerability issue in terracotta_0.7.5.

Issue Description

I noticed that terracotta_0.7.5 directly depends on rasterio_1.2.10.
However, rasterio_1.2.10 suffers from the vulnerabilities that the C libraries expose, as the following dependency graph shows.

Dependency Graph between Python and Shared Libraries

[image: dependency graph between the Python package and its bundled shared libraries]

Suggested Vulnerability Patch Versions

rasterio has upgraded these vulnerable C libraries to patched versions; refer to the issue URL.

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (terracotta has 1,074 downloads per month), could you please upgrade this vulnerable dependency?

Thanks for your help~
Best regards,
Joe Gardner
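The report's point is that pip and friends only see the Python package, not the C libraries compiled into its binary wheels. One way a maintainer or downstream user can check for themselves is to walk the files pip recorded for an installed distribution and look for the version banners that C libraries embed in their binaries. The script below is an added example and is not code from the terracotta or rasterio projects; it assumes the HDF5 banner string `HDF5 library version: X.Y.Z` (the `H5_VERS_INFO` string that libhdf5 compiles in), that the wheel's shared libraries are listed in the distribution's RECORD (true for auditwheel/delocate-built wheels), and the minimum versions are supplied on the command line rather than taken from any advisory, since this thread does not name one.

```python
"""Scan an installed Python distribution's bundled shared libraries for embedded
C-library version banners and compare them against a minimum patched version.

Added example, not part of the terracotta or rasterio projects.
Usage: python scan_bundled_libs.py rasterio hdf5=1.12.1
"""
import re
import sys
from importlib import metadata

# Version banners that libraries compile into their binaries.
# The HDF5 one is the H5_VERS_INFO string from H5public.h.
BANNER_PATTERNS = {
    "hdf5": re.compile(rb"HDF5 library version: (\d+\.\d+\.\d+)"),
}

# Matches libfoo.so, libfoo.so.200, foo.dylib, foo.dll and extension modules.
SHARED_LIB_RE = re.compile(r"\.(so|dylib|dll|pyd)(\.\d+)*$")


def parse_version(text):
    """'1.10.7' -> (1, 10, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def banners_in_blob(blob):
    """Return {library: [versions...]} for every banner found in a byte blob.

    A single binary can carry more than one banner (static linking, vendored
    copies), so all distinct matches are kept.
    """
    found = {}
    for lib, pattern in BANNER_PATTERNS.items():
        versions = {m.group(1).decode("ascii") for m in pattern.finditer(blob)}
        if versions:
            found[lib] = sorted(versions, key=parse_version)
    return found


def is_shared_library(name):
    return SHARED_LIB_RE.search(name) is not None


def scan_distribution(dist_name):
    """Walk the RECORD of an installed distribution; scan each shared library.

    Returns {relative_path: {library: [versions...]}} for files with banners.
    """
    dist = metadata.distribution(dist_name)
    results = {}
    for rel in dist.files or []:
        if not is_shared_library(rel.name):
            continue
        path = rel.locate()
        if not path.is_file():
            continue
        hits = banners_in_blob(path.read_bytes())
        if hits:
            results[str(rel)] = hits
    return results


def below_minimum(found, minimums):
    """Return (library, version) pairs older than the configured minimum.

    `found` is {library: [versions...]}; `minimums` is {library: 'X.Y.Z'}.
    Libraries without a configured minimum are ignored.
    """
    flagged = []
    for lib, versions in found.items():
        if lib not in minimums:
            continue
        floor = parse_version(minimums[lib])
        for version in versions:
            if parse_version(version) < floor:
                flagged.append((lib, version))
    return flagged


# Constructed sample: a few bytes standing in for a libhdf5 binary, used so the
# banner extraction can be exercised without a real wheel on disk.
SAMPLE_BLOB = b"\x7fELF\x00\x00HDF5 library version: 1.10.7\x00more bytes\x00"


def main(argv):
    if len(argv) < 2:
        print(__doc__)
        return 2
    minimums = dict(arg.split("=", 1) for arg in argv[2:])
    exit_code = 0
    for rel, hits in scan_distribution(argv[1]).items():
        print(f"{rel}: {hits}")
        for lib, version in below_minimum(hits, minimums):
            print(f"  OLD {lib} {version} < minimum {minimums[lib]}")
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running this against an environment with rasterio installed prints each bundled shared library that carries a recognisable banner, and exits non-zero if any is older than the supplied minimum; that makes it usable as a CI gate on a pinned wheel set. Extending `BANNER_PATTERNS` with other libraries is only safe where the library really does embed a stable version string, so each pattern added should be verified against a known binary first.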

Thanks for the report.

I noticed that terracotta_0.7.5 directly depends on rasterio_1.2.10.

Where did you get that from? We do not depend on any specific version of rasterio, the only requirement is >=1.0. I guess we could exclude 1.2.10 if it is the only vulnerable version, but I assume that rasterio has been using the same HDF5 version for quite a while?

Also, I see no indication that this is fixed in recent rasterio wheels. The build repo still seems to use the same version:

https://github.com/rasterio/rasterio-wheels/blob/master/env_vars.sh#L15

@dionhaefner , thanks for your feedback.

Also, I see no indication that this is fixed in recent rasterio wheels.

Rasterio has upgraded HDF5 to a patched version on master; it may be released in the next version.

OK, let's wait for the next release then and see what happens.

Bumped rasterio to 1.3 on master, so this should be fixed.