Upgrade embedded OpenSSL to latest stable version
MikeWazoWski123 opened this issue · 6 comments
Hi, @pkittenis , @eliwe , I'd like to report a vulnerability issue in ssh2-python_0.27.0.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph (it shows only the part of the dependency graph that depends on vulnerable shared libraries), ssh2-python_0.27.0 directly or transitively depends on 31 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:
libcrypto-1ec32304.so.1.1 and libssl-369a9b5d.so.1.1 from the C project openssl (version 1.1.1f) expose 5 vulnerabilities:
CVE-2021-3711, CVE-2021-3712, CVE-2020-7043, CVE-2020-7042, CVE-2020-7041
Suggested Vulnerability Patch Versions
openssl has fixed these vulnerabilities in versions >= 1.1.1l.
Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (ssh2-python has 339,740 downloads per month), could you please upgrade the above shared libraries to their patched versions?
Thanks for your help~
Best regards,
Andy
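The report above relies on inspecting the shared objects that auditwheel bundles into the wheel rather than on Python metadata. Here is an added example of that check, not code from this issue or from ssh2-python: it scans every bundled `.so` in a wheel for the version banner that libcrypto/libssl embed (`OpenSSL 1.1.1f  31 Mar 2020`) and flags anything older than the 1.1.1l baseline named in the report. The wheel path and the constructed sample bytes are assumptions.

```python
import re
import sys
import zipfile
from pathlib import Path

# Version banner that every libcrypto/libssl build embeds as a C string.
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

# First fixed release named in the report above.
MIN_FIXED = "1.1.1l"


def parse_version(text):
    """'1.1.1f' -> (1, 1, 1, 'f'). OpenSSL 1.x patch letters sort alphabetically,
    so tuple comparison orders releases correctly; 3.x has no letter."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def openssl_version_in(blob):
    """Version tuple of the first OpenSSL banner in a shared object's bytes, or None."""
    m = OPENSSL_BANNER.search(blob)
    if not m:
        return None
    return parse_version(m.group(0)[len(b"OpenSSL "):].decode())


def is_outdated(version, min_fixed=MIN_FIXED):
    return version < parse_version(min_fixed)


def audit_libs(libs, min_fixed=MIN_FIXED):
    """libs: mapping of library name -> raw bytes. Returns {name: (version, outdated)}
    for every library that carries an OpenSSL banner."""
    findings = {}
    for name, blob in libs.items():
        version = openssl_version_in(blob)
        if version is not None:
            findings[name] = (version, is_outdated(version, min_fixed))
    return findings


def audit_wheel(wheel_path, min_fixed=MIN_FIXED):
    """Read every bundled .so out of a wheel (a zip file) and audit it."""
    with zipfile.ZipFile(wheel_path) as wheel:
        libs = {n: wheel.read(n) for n in wheel.namelist() if ".so" in Path(n).name}
    return audit_libs(libs, min_fixed)


# Constructed sample standing in for a real wheel's vendored libraries.
SAMPLE_LIBS = {
    "ssh2_python.libs/libcrypto-1ec32304.so.1.1": b"\x7fELF..OpenSSL 1.1.1f  31 Mar 2020\x00..",
    "ssh2_python.libs/libssh2-aaaaaaaa.so.1": b"\x7fELF..no banner here..",
}

if __name__ == "__main__":
    for name, (version, outdated) in audit_wheel(sys.argv[1]).items():
        print(name, version, "OUTDATED" if outdated else "ok")
```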
Thanks for the interest and report.
Packaging changes to update embedded OpenSSL version.
@pkittenis . Thanks for your help.
By the way, is the diagnosis information useful to you? I am happy to know that :)
Absolutely, very useful, thank you.
Out of interest, how did you generate the report? I'd be interested in something automated that notifies of vulnerabilities in the C libraries we use.
As you say, python build tools cannot figure out C level dependencies for security checking.
@pkittenis Thanks for your answer.
Out of interest, how did you generate the report? I'd be interested in something automated that notifies of vulnerabilities in the C libraries we use.
Our team developed a tool to detect the vulnerability issues induced via cross-language invocations.
Thanks for your interest. I will share a link with you when we make it open-source.
As you say, python build tools cannot figure out C level dependencies for security checking.
Were you aware of vulnerability issues introduced by C libraries before?
All security libraries can have vulnerabilities. Whether we use them via C or higher level python libraries does not change anything. Without automated reporting, we rely on people reporting any vulnerabilities.
Resolved by 1.0.0.