ParallelSSH / ssh2-python

Python bindings for libssh2 C library.
https://parallel-ssh.org
GNU Lesser General Public License v2.1

Upgrade embedded OpenSSL to latest stable version #171

Closed MikeWazoWski123 closed 1 year ago

MikeWazoWski123 commented 2 years ago

Hi @pkittenis, @eliwe, I'd like to report a vulnerability issue in ssh2-python_0.27.0.

Dependency Graph between Python and Shared Libraries

[image: dependency graph (abridged)]

Issue Description

As shown in the above dependency graph (it shows only the part of the dependency graph that depends on vulnerable shared libraries), ssh2-python_0.27.0 directly or transitively depends on 31 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs: libcrypto-1ec32304.so.1.1 and libssl-369a9b5d.so.1.1 from the C project openssl (version: 1.1.1f) expose 5 vulnerabilities: CVE-2021-3711, CVE-2021-3712, CVE-2020-7043, CVE-2020-7042, CVE-2020-7041.

Suggested Vulnerability Patch Versions

openssl has fixed the vulnerabilities in versions >=1.1.1l

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As ssh2-python is a popular Python package (339,740 downloads per month), could you please upgrade the above shared libraries to their patched versions?

Thanks for your help~ Best regards, Andy

pkittenis commented 2 years ago

Thanks for the interest and report.

Packaging changes to update embedded OpenSSL version.

MikeWazoWski123 commented 2 years ago

@pkittenis . Thanks for your help.

By the way, is the diagnosis information useful to you? I am happy to know that :)

pkittenis commented 2 years ago

Absolutely, very useful, thank you.

Out of interest, how did you generate the report? I'd be interested in something automated that notifies of vulnerabilities in the C libraries we use.

As you say, python build tools cannot figure out C level dependencies for security checking.
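The gap both sides describe above, that Python packaging tools see only the wheel's Python-level metadata and not the version of the C libraries auditwheel bundled into it, is easy to close for OpenSSL in particular, because libcrypto embeds its version banner as a plain C string ("OpenSSL 1.1.1f  31 Mar 2020"). The script below is an added example, not code from ssh2-python or from the reporter's tool: it opens a wheel as the zip file it is, reads every bundled `.so`, pulls the banner out with a regex, and compares it against a minimum patch level. The wheel it scans is constructed in memory from byte blobs that are not real ELF files, only carriers of the banner strings; the `ssh2_python.libs/` directory name and the `libssh2-00000000.so.1` member are assumptions made for the sample, while the two OpenSSL file names are the ones quoted in the report.

```python
"""Scan a wheel for bundled OpenSSL shared objects and flag versions below a
minimum patch level.  Added example, not part of ssh2-python; the wheel and
the library bytes it inspects are constructed inline so that it runs offline."""
import io
import re
import zipfile

# libcrypto/libssl embed their version banner as a C string, e.g.
# "OpenSSL 1.1.1f  31 Mar 2020".  Capture just the version token.
_OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\b")

# auditwheel-renamed shared objects end in .so, .so.1, .so.1.1, ...
_SHARED_OBJECT = re.compile(r"\.so(\.\d+)*$")


def parse_openssl_version(text):
    """'1.1.1f' -> (1, 1, 1, 6); '1.1.1' -> (1, 1, 1, 0); '3.0.7' -> (3, 0, 7, 0).

    In the 1.x series the letter suffix is a patch release that sorts after
    the bare version, so it is mapped to 1..26 and the bare version to 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letter = m.groups()
    suffix = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), suffix)


def openssl_version_in(blob):
    """Return the OpenSSL version string found in a shared object's bytes, or None."""
    m = _OPENSSL_BANNER.search(blob)
    return m.group(1).decode() if m else None


def scan_wheel(wheel_bytes, minimum="1.1.1l"):
    """Inspect every bundled .so in the wheel and report those whose OpenSSL
    banner is older than `minimum`.  Returns [(member, version, vulnerable)].
    Members without a banner (the extension module itself, libssh2) are skipped."""
    floor = parse_openssl_version(minimum)
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as wheel:
        for name in wheel.namelist():
            if not _SHARED_OBJECT.search(name):
                continue
            version = openssl_version_in(wheel.read(name))
            if version is None:
                continue
            findings.append((name, version, parse_openssl_version(version) < floor))
    return findings


def build_sample_wheel():
    """Constructed stand-in for a manylinux wheel.  The '.so' members are not
    real ELF files, only byte blobs carrying the banner strings that the real
    libcrypto and libssl would contain.  The '.libs' directory name and the
    libssh2 file name are assumptions; the two OpenSSL names come from the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wheel:
        wheel.writestr("ssh2/session.cpython-38-x86_64-linux-gnu.so",
                       b"\x7fELF no banner in the extension module itself")
        wheel.writestr("ssh2_python.libs/libcrypto-1ec32304.so.1.1",
                       b"\x7fELF...OpenSSL 1.1.1f  31 Mar 2020\x00...")
        wheel.writestr("ssh2_python.libs/libssl-369a9b5d.so.1.1",
                       b"\x7fELF...OpenSSL 1.1.1f  31 Mar 2020\x00...")
        wheel.writestr("ssh2_python.libs/libssh2-00000000.so.1",
                       b"\x7fELF...SSH-2.0-libssh2_1.9.0\x00...")
    return buf.getvalue()


if __name__ == "__main__":
    for member, version, vulnerable in scan_wheel(build_sample_wheel()):
        status = "BELOW minimum" if vulnerable else "ok"
        print(f"{member}: OpenSSL {version} ({status})")
```

Against a real artifact, `pip download ssh2-python==0.27.0 --no-deps --only-binary=:all:` fetches the wheel and `scan_wheel(open(path, "rb").read())` does the rest; the same check by hand is `unzip -p <wheel> '*.libs/libcrypto*' | strings | grep 'OpenSSL 1'`. The banner is a heuristic, not proof: a distribution build that backports fixes without bumping the letter will be flagged as old, and a statically linked or stripped build may carry no banner at all, which is why the scanner reports "no banner" members as skipped rather than as safe.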

MikeWazoWski123 commented 2 years ago

@pkittenis, Thanks for your answer.

> Out of interest, how did you generate the report? I'd be interested in something automated that notifies of vulnerabilities in the C libraries we use.

Our team developed a tool to detect vulnerability issues induced via cross-language invocations. Thanks for your interest. I will share a link with you when we make it open-source.

> As you say, python build tools cannot figure out C level dependencies for security checking.

Were you aware of the vulnerability issues introduced by C libraries before?

pkittenis commented 2 years ago

All security libraries can have vulnerabilities. Whether we use them via C or higher level python libraries does not change anything. Without automated reporting, we rely on people reporting any vulnerabilities.

pkittenis commented 1 year ago

Resolved by 1.0.0.