Known vulnerabilities in the C library util-linux which pycreds depends on. Can you help upgrade to patch versions?
MikeWazoWski123 opened this issue · 0 comments
Hi, @kumaraditya303, I'd like to report a vulnerability issue in pycreds_1.0.
[Image: Dependency Graph between Python and Shared Libraries]
Issue Description
As shown in the above dependency graph (which shows only the part of the dependency graph that depends on vulnerable shared libraries), pycreds_1.0 directly or transitively depends on 12 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
libblkid-d063c269.so.1.1.0, libmount-47421e17.so.1.1.0 and libuuid-3008367f.so.1.3.0 from the C project util-linux (version 2.27.1) expose 3 vulnerabilities: CVE-2018-7738, CVE-2021-37600, CVE-2016-5011
Suggested Vulnerability Patch Versions
util-linux has fixed the vulnerabilities in versions >=2.37.2.
Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (pycreds has 4,858 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
MikeWazowski
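An inventory script for the shared libraries a manylinux wheel vendors, added here as an example and not code from the pycreds project or this report; it assumes the hashed lib<name>-<hash>.so.<version> naming seen in the file names above (auditwheel's repair convention) and runs against a constructed stand-in wheel, with the util-linux mapping taken from the report.

```python
import io
import re
import zipfile
# Assumed auditwheel-style mangled name: lib<name>-<8 hex>.so[.<so-version>]
MANGLED = re.compile(r"^(lib[^-/]+)-([0-9a-f]{8})\.so((?:\.\d+)*)$")
# Upstream C project for the libraries named in the report above.
KNOWN_UPSTREAM = {"libblkid": "util-linux", "libmount": "util-linux", "libuuid": "util-linux"}

def parse_vendored_name(path):
    """Return (soname, hash_tag, so_version) or None if the name is not mangled."""
    m = MANGLED.match(path.rsplit("/", 1)[-1])
    if not m:
        return None
    name, tag, ver = m.groups()
    # Caveat: the so-version (1.1.0) is an ABI version, not the util-linux release (2.27.1).
    return name, tag, ver.lstrip(".")

def vendored_libs(wheel_bytes):
    """Map each library in a <pkg>.libs/ directory to its version, hash tag and path."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for entry in zf.namelist():
            if ".libs/" not in entry:
                continue  # the package's own extension modules live elsewhere
            parsed = parse_vendored_name(entry)
            if parsed:
                name, tag, ver = parsed
                found[name] = {"version": ver, "hash": tag, "path": entry}
    return found

def by_upstream(found):
    """Group vendored library names by the C project they come from."""
    groups = {}
    for name in sorted(found):
        groups.setdefault(KNOWN_UPSTREAM.get(name, "unknown"), []).append(name)
    return groups

def build_sample_wheel():
    """Constructed stand-in for a pycreds wheel; the .so bodies are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pycreds/__init__.py", "")
        zf.writestr("pycreds/_native.cpython-38-x86_64-linux-gnu.so", b"\x7fELF")
        for so in ("libblkid-d063c269.so.1.1.0", "libmount-47421e17.so.1.1.0",
                   "libuuid-3008367f.so.1.3.0"):
            zf.writestr("pycreds.libs/" + so, b"\x7fELF")
    return buf.getvalue()

if __name__ == "__main__":
    print(by_upstream(vendored_libs(build_sample_wheel())))
```

The so-versions it recovers are ABI versions, not the util-linux release, so the release (2.27.1 here) still has to be confirmed from the build environment that produced the wheel.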