cntools/libsurvive

Potential security vulnerabilities in the C library which pysurvive depends on. Can you help upgrade to patch versions?

JoeGardner000 opened this issue · 0 comments

Hi @axlecrusher, @mwturvey, I'd like to report a vulnerability issue in pysurvive_1.1.3.

Dependency Graph between Python and Shared Libraries


Issue Description

As shown in the above dependency graph (only the part of the dependency graph that depends on vulnerable shared libraries is shown), pysurvive_1.1.3 directly or transitively depends on 14 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:
libudev-9a7475a2.so.1.6.2 from C project systemd (version: <=229) exposed 24 vulnerabilities:
CVE-2018-15686, CVE-2018-15688, CVE-2018-15687, CVE-2018-16866, CVE-2018-16865, CVE-2018-16864, CVE-2021-33910, CVE-2020-1712, CVE-2020-13776, CVE-2019-3843, CVE-2019-3844, CVE-2019-3842, CVE-2018-16888, CVE-2018-6954, CVE-2017-18078, CVE-2018-1049, CVE-2017-1000082, CVE-2017-9445, CVE-2016-7796, CVE-2016-7795, CVE-2017-9217, CVE-2013-4392, CVE-2019-20386, CVE-2017-15908

Suggested Vulnerability Patch Versions

systemd has fixed the vulnerabilities in versions >=250.

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (pysurvive has 57,306 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,
Joe Gardner
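Because pip and the wheel build tools do not surface the vendored `.so` files that the issue refers to, a maintainer or reviewer has to inventory them directly. The following is an added example (not code from the pysurvive project or from the reporter) that opens a wheel, lists the libraries auditwheel has copied into the `<package>.libs/` directory under its `<name>-<hash>.so.<version>` naming, and flags any whose version is at or below a ceiling the reviewer sets from the relevant advisory. The sample wheel, the second library and the ceiling value are constructed for the demonstration.

```python
import io
import re
import zipfile

# auditwheel renames vendored libraries to <name>-<8 hex chars>.so[.<version>],
# e.g. libudev-9a7475a2.so.1.6.2 from the issue. The pattern is written for this example.
MANGLED_SO = re.compile(r"^(?P<name>lib.+?)-(?P<tag>[0-9a-f]{8})\.so(?:\.(?P<version>[\d.]+))?$")


def list_vendored_libs(wheel_bytes):
    """Return (name, tag, version, path) for every mangled .so under a *.libs/ dir."""
    found = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for path in zf.namelist():
            parts = path.split("/")
            if len(parts) < 2 or not parts[-2].endswith(".libs"):
                continue  # only the vendored-library directory is of interest
            m = MANGLED_SO.match(parts[-1])
            if m:
                found.append((m["name"], m["tag"], m["version"] or "", path))
    return found


def version_tuple(v):
    """'1.6.2' -> (1, 6, 2); an empty version sorts below everything."""
    return tuple(int(x) for x in v.split(".") if x)


def flag_outdated(found, ceilings):
    """Names whose vendored version is <= the ceiling the reviewer set from an advisory."""
    return sorted(name for name, _tag, ver, _path in found
                  if name in ceilings and version_tuple(ver) <= version_tuple(ceilings[name]))


def build_sample_wheel():
    """Constructed stand-in for a manylinux wheel; ELF contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pysurvive/__init__.py", "")
        zf.writestr("pysurvive.libs/libudev-9a7475a2.so.1.6.2", b"\x7fELF")      # from the issue
        zf.writestr("pysurvive.libs/libusb-1.0-deadbeef.so.0.1.0", b"\x7fELF")   # constructed
        zf.writestr("pysurvive.libs/README.txt", "")                              # not a library
    return buf.getvalue()


if __name__ == "__main__":
    libs = list_vendored_libs(build_sample_wheel())
    for name, tag, ver, path in libs:
        print(f"{name:12s} version={ver or '?':8s} tag={tag} ({path})")
    # Ceiling is a placeholder: fill it in from the advisory for the library in question.
    print("flagged:", flag_outdated(libs, {"libudev": "1.6.2"}))
```

Run it against a real wheel with `list_vendored_libs(open("pkg.whl", "rb").read())`; the version printed is the shared object's SONAME version, so it still has to be mapped to the upstream project release when checking against a CVE list.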