Closed: andy201709 closed this issue 1 year ago
I believe this has been resolved in 2.2.3, which uses a patched version of gmp.
Not that it matters, but I'm not sure 6,500 downloads a month is even close to correct. I'd be surprised if it's 6,500 ever, judging by these stats: https://pypistats.org/packages/asmc-preparedecoding
Hi, @fcooper8472 , @abhidg , I'd like to report a vulnerability issue in asmc-preparedecoding_2.2.2.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph, asmc-preparedecoding_2.2.2 directly or transitively depends on 3 C libraries (.so). However, I noticed that one of the C libraries is vulnerable, containing the following CVE:
libgmp-afec2dd4.so.10.2.0
from the C project gmp (version: 6.2.0) exposes a vulnerability: CVE-2021-43618
Suggested Vulnerability Patch Versions
No official patched version has been released, but gmp has fixed the vulnerability in a patch.
Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As a popular Python package (asmc-preparedecoding has 6,524 downloads per month), could you please upgrade the above shared libraries to their patched versions?
Thanks for your help~ Best regards, Andy
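The issue's point is that pip and friends never look at the `.so` files auditwheel bundles into a wheel. The script below is an added example (not from this issue or the asmc-preparedecoding project) that inventories the vendored shared libraries in a wheel and matches them against an advisory table; the wheel it builds, the second library in it, and the advisory table keyed by soname version are constructed stand-ins.

```python
"""Inventory shared libraries vendored into a wheel and flag known-vulnerable ones.
Added example; the sample wheel and the advisory table are constructed stand-ins."""
import re
import tempfile
import zipfile
from pathlib import Path

# auditwheel renames bundled libs as lib<name>-<8 hex chars>.so.<version>
SO_NAME = re.compile(r"^lib(?P<name>[^-.]+)(?:-[0-9a-f]{8})?\.so(?:\.(?P<ver>[\d.]+))?$")

# Stand-in advisory table: library name -> {soname version: CVE}. The CVE is the one
# named in the issue; keying it by the soname version seen there is an assumption,
# real use would map soname versions to upstream releases from advisory data.
ADVISORIES = {"gmp": {"10.2.0": "CVE-2021-43618"}}

def bundled_libs(wheel):
    """Return {soname: (libname, version)} for every .so shipped inside the wheel."""
    found = {}
    with zipfile.ZipFile(wheel) as zf:
        for member in zf.namelist():
            base = member.rsplit("/", 1)[-1]
            m = SO_NAME.match(base)
            if m:
                found[base] = (m["name"], m["ver"] or "")
    return found

def vulnerable_libs(wheel, advisories=ADVISORIES):
    """Return [(soname, cve)] for bundled libraries that match an advisory."""
    hits = []
    for soname, (name, ver) in bundled_libs(wheel).items():
        cve = advisories.get(name, {}).get(ver)
        if cve:
            hits.append((soname, cve))
    return hits

def build_sample_wheel(directory=None):
    """Constructed wheel mimicking the layout in the issue; file contents are dummies."""
    directory = directory or tempfile.mkdtemp()
    path = Path(directory) / "asmc_preparedecoding-2.2.2-cp39-cp39-manylinux2014_x86_64.whl"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("asmc_preparedecoding/__init__.py", "")
        zf.writestr("asmc_preparedecoding.libs/libgmp-afec2dd4.so.10.2.0", b"\x7fELF")
        zf.writestr("asmc_preparedecoding.libs/libgomp-abc12345.so.1.0.0", b"\x7fELF")
    return path

if __name__ == "__main__":
    whl = build_sample_wheel()
    for soname, cve in vulnerable_libs(whl):
        print(f"{whl.name}: {soname} -> {cve}")
```

Point `vulnerable_libs` at a real downloaded wheel to list what it bundles; the advisory lookup is only as good as the table you feed it.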