Known vulnerabilities in shared libraries which taxa-sdk depends on.Can you help upgrade to patch versions? #9
Description
Hi, @taxa-chris , @priestc , I'd like to report a vulnerability issue in taxa-sdk_0.2.6.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph(Here shows part of the dependency graph, which depends on vulnerable shared libraries), taxa-sdk_0.2.6 directly or transitively depends on 87 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
ld-linux-x86-64.so.2 libc.so.6 libcrypt.so.1 libm.so.6 libdl.so.2
libpthread.so.0 libresolv.so.2from C project glibc(version:2.27) exposed 35 vulnerabilities:
CVE-2018-6485, CVE-2017-15804, CVE-2017-15670, CVE-2017-15671, CVE-2017-16997, CVE-2015-8985, CVE-2019-7309,CVE-2020-1751,CVE-2020-10029, CVE-2019-9169,CVE-2019-6488, CVE-2020-6096, CVE-2020-1752,CVE-2016-10228,CVE-2020-27618, CVE-2021-3326,CVE-2021-33574,CVE-2019-25013, CVE-2021-38604,CVE-2021-35942,CVE-2019-19126, CVE-2019-9192,CVE-2018-20796,CVE-2009-5155, CVE-2016-10739,CVE-2018-11237,CVE-2017-18269, CVE-2018-11236,CVE-2018-1000001,CVE-2017-12132, CVE-2017-1000366, CVE-2016-5417,CVE-2016-4429, CVE-2017-12133,CVE-2010-3192,
libasn1.so.8 libgssapi.so.3 libheimntlm.so.0 libroken.so.18 libwind.so.0
libhcrypto.so.4 libheimbase.so.1 libhx509.so.5 libkrb5.so.26 from C project heimdal(version:7.5.0) exposed 4 vulnerabilities:
CVE-2019-12098,CVE-2017-11103,CVE-2017-17439, CVE-2017-6594,
libcrypto.so.1.0.0 libssl.so.1.0.0 libcrypto.so.1.1 libssl.so.1.1from C project openssl(version:1.1.1) exposed 17 vulnerabilities:
CVE-2021-3712, CVE-2020-1968, CVE-2016-8610, CVE-2016-2182, CVE-2016-2181,CVE-2016-2179, CVE-2016-6302, CVE-2016-6303, CVE-2017-3738, CVE-2020-7043, CVE-2020-7042, CVE-2020-7041, CVE-2019-1552, CVE-2021-3711,CVE-2019-1549, CVE-2019-1543,CVE-2018-0735
libcurl.so.4 from C project curl(version:7.58.0) exposed 16 vulnerabilities:
CVE-2021-22926,CVE-2021-22923,CVE-2021-22925, CVE-2021-22922, CVE-2018-1000301,CVE-2018-1000121,CVE-2018-1000122,CVE-2016-9952, CVE-2016-9953, CVE-2018-1000007,CVE-2017-8816, CVE-2017-8817, CVE-2017-1000101, CVE-2016-4802,CVE-2018-1000120, CVE-2018-1000300
libgmp.so.10 from C project gmp(version:6.1.0) exposed 1 vulnerabilities:
CVE-2021-43618
libgssapi_krb5.so.2 libk5crypto.so.3 libkrb5.so.3 libkrb5support.so.0 from C project krb5(version:1.16) exposed 4 vulnerabilities:
CVE-2021-37750,CVE-2021-36222, CVE-2015-8629, CVE-2015-8630,
libnettle.so.6 libhogweed.so.4 libnettle.so.6 libhogweed.so.4 libnettle.so.6from C project nettle(version:3.4) exposed 5 vulnerabilities:
CVE-2016-6489,CVE-2021-3580,CVE-2018-16869, CVE-2021-3580, CVE-2018-16869
libidn.so.11 from C project libidn(version:1.28) exposed 3 vulnerabilities:
CVE-2015-8948,CVE-2016-6261, CVE-2016-6262
libp11-kit.so.0 from C project p11-kit(version:0.23.9) exposed 4 vulnerabilities:
CVE-2020-29361, CVE-2020-29361,CVE-2020-29363, CVE-2020-29362
libsasl2.so.2 from C project cyrus-sasl2(version:2.1.26) exposed 1 vulnerabilities:
CVE-2020-8032
libtasn1.so.6 from C project libtasn1-6(version:4.7) exposed 2 vulnerabilities:
CVE-2018-6003, CVE-2017-10790
libcom_err.so.2 from C project e2fsprogs(version:1.44.1) exposed 2 vulnerabilities:
CVE-2019-5094, CVE-2019-5188
Suggested Vulnerability Patch Versions
glibc has fixed the vulnerabilities in versions >=2.35
heimdal has fixed the vulnerabilities in versions >=7.6.0
curl has fixed the vulnerabilities in versions >=7.78.0
No official patch version released, but gmp has fixed the vulnerability in patch
krb5 has fixed the vulnerabilities in versions >=1.19.3
nettle has fixed the vulnerabilities in versions >=3.7.3
libidn has fixed the vulnerabilities in versions >=1.33
p11-kit has fixed the vulnerabilities in versions >=0.23.22
cyrus-sasl2 has fixed the vulnerabilities in versions >=2.1.28
libtasn1-6 has fixed the vulnerabilities in versions >=4.13
e2fsprogs has fixed the vulnerabilities in versions >=1.46.5
Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular python package, could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
MikeWazowski