opensrp/opensrp-client-core

Several vulnerabilities in the shared library which opensrp-client-core depends on. Could you help upgrade to patch versions?

HelenParr opened this issue · 0 comments

Hi, @githengi , @ekigamba , I'd like to report a vulnerability issue in org.smartregister:opensrp-client-core:1.2.3.

Issue Description

org.smartregister:opensrp-client-core:1.2.3 depends on 6 C libraries (.so) across many platforms (such as x86-64, armeabi). However, I noticed that one C library is vulnerable, containing the following CVEs:

libsqlcipher_android.so from C project openssl(version:1.0.1e) exposed 19 vulnerabilities:
CVE-2014-0160(Heartbleed), CVE-2021-4044, CVE-2016-7056, CVE-2016-2182, CVE-2016-2181, CVE-2016-2179, CVE-2016-6302, CVE-2016-6303, CVE-2016-2842, CVE-2015-0286, CVE-2015-0206, CVE-2014-8275, CVE-2015-0205, CVE-2014-3508, CVE-2014-3572, CVE-2014-3571, CVE-2020-7043, CVE-2020-7042, CVE-2020-7041

Suggested Vulnerability Patch Versions

openssl has fixed the vulnerabilities in versions >=1.1.1l

Java build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Java projects.
Could you please upgrade the above shared libraries to their patched versions?

Thanks for your help~
Best regards,
Helen Parr
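The report notes that Java build tools do not see vulnerabilities in bundled native libraries. One way a downstream project can check for this itself is to unpack the AAR/JAR and look for the version banner that OpenSSL compiles into libcrypto/libssl (and therefore into anything that statically links it, such as the libsqlcipher_android.so named above). The script below is an added example and is not code from this issue, from OpenSRP, or from SQLCipher; the sample archive it builds is constructed in memory for illustration, and the patched-version floor of 1.1.1l is taken from the report above.

```python
import io
import re
import zipfile

# Version banner OpenSSL embeds in its libraries, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\b")

# Floor taken from the report above: versions below this are treated as unpatched.
PATCHED_VERSION = "1.1.1l"


def parse_version(v):
    """Turn '1.0.1e' into a sortable tuple (1, 0, 1, 'e'); the letter suffix sorts last."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def scan_archive(data):
    """Return {member_path: [versions]} for every .so inside a zip/AAR/JAR blob."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".so"):
                continue
            blob = zf.read(name)
            versions = sorted({m.group(1).decode() for m in OPENSSL_BANNER.finditer(blob)})
            if versions:
                findings[name] = versions
    return findings


def outdated(findings, minimum=PATCHED_VERSION):
    """Keep only libraries whose embedded OpenSSL is older than `minimum`."""
    floor = parse_version(minimum)
    result = {}
    for path, versions in findings.items():
        old = [v for v in versions if parse_version(v) < floor]
        if old:
            result[path] = old
    return result


def build_sample_aar():
    """Constructed sample AAR (not a real artifact): two banners, one clean library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.jar", b"PK fake jar")
        zf.writestr("jni/x86_64/libsqlcipher_android.so",
                    b"\x7fELF...\x00OpenSSL 1.0.1e 11 Feb 2013\x00...")
        zf.writestr("jni/armeabi-v7a/libother.so",
                    b"\x7fELF...\x00OpenSSL 1.1.1l  24 Aug 2021\x00")
        zf.writestr("jni/x86_64/libclean.so", b"\x7fELF no banner here")
    return buf.getvalue()


if __name__ == "__main__":
    # In practice: scan_archive(open("opensrp-client-core-1.2.3.aar", "rb").read())
    found = scan_archive(build_sample_aar())
    for path, versions in outdated(found).items():
        print(f"{path}: embedded OpenSSL {', '.join(versions)} is below {PATCHED_VERSION}")
```

The banner regex is a heuristic: it catches statically linked copies that keep the version string, but a build that strips it, or a library that only dynamically links a system OpenSSL, will not show up. Run it over the real AAR from your Gradle cache to see which ABIs ship which OpenSSL.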