Synss / python-mbedtls

Cryptographic library with an mbed TLS back end
MIT License

Vulnerable shared libraries might make python-mbedtls vulnerable. Can you help upgrade to patch versions? #59

Closed JoeGardner000 closed 2 years ago

JoeGardner000 commented 2 years ago

Hi, @Synss , @stepheny , I'd like to report a vulnerability issue in python-mbedtls_1.7.0.

Dependency Graph between Python and Shared Libraries


Issue Description

As shown in the above dependency graph (only the part of the graph that depends on vulnerable shared libraries is shown), python-mbedtls_1.7.0 directly or transitively depends on 8 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs: libmbedcrypto-ac73041f.so.3, libmbedtls-47606ffb.so.12 and libmbedx509-91f761cc.so.0 from the C project mbedtls (version 2.16.11) expose 2 vulnerabilities: CVE-2021-45451, CVE-2021-45450.

Suggested Vulnerability Patch Versions

mbedtls has fixed the vulnerabilities in versions >=3.1.0

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As a popular Python package (python-mbedtls has 15,250 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~ Best regards, Joe Gardner
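Because pip and the build tools do not see the C libraries bundled into a wheel, one defensive check is to open the wheel and read the version string that mbed TLS compiles into its own libraries. The script below is an added example, not part of this issue or of python-mbedtls; it assumes the libraries live in a `python_mbedtls.libs/` directory inside the wheel (the name is a guess) and that the binaries contain the `mbed TLS x.y.z` / `Mbed TLS x.y.z` string that the library's `version.c` embeds, and it uses 2.28.0, the fixed version named in this thread for CVE-2021-45450, as the threshold.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# mbed TLS embeds its full version string in the compiled library
# ("mbed TLS 2.16.11" on 2.x, "Mbed TLS 3.1.0" on 3.x); assumed format.
VERSION_RE = re.compile(rb"[Mm]bed TLS (\d+)\.(\d+)\.(\d+)")

# First 2.x LTS release stated in this thread to fix CVE-2021-45450.
FIXED_IN: Tuple[int, int, int] = (2, 28, 0)


def mbedtls_version(blob: bytes) -> Optional[Tuple[int, int, int]]:
    """Return the (major, minor, patch) embedded in a shared object, or None."""
    m = VERSION_RE.search(blob)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_wheel(wheel: bytes) -> Dict[str, Tuple[int, int, int]]:
    """Map every bundled libmbed* shared object in a wheel to its version."""
    found: Dict[str, Tuple[int, int, int]] = {}
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            if base.startswith("libmbed") and ".so" in base:
                ver = mbedtls_version(zf.read(name))
                if ver is not None:
                    found[name] = ver
    return found


def vulnerable_libs(wheel: bytes, fixed: Tuple[int, int, int] = FIXED_IN) -> List[str]:
    """Names of bundled mbed TLS objects older than the fixed version."""
    return sorted(n for n, v in audit_wheel(wheel).items() if v < fixed)


def make_sample_wheel() -> bytes:
    """Constructed stand-in for a wheel bundling mbed TLS 2.16.11 (not a real wheel)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mbedtls/__init__.py", "")
        for lib in ("libmbedcrypto-ac73041f.so.3", "libmbedtls-47606ffb.so.12",
                    "libmbedx509-91f761cc.so.0"):
            # Fake ELF-like payload; only the version string matters here.
            zf.writestr(f"python_mbedtls.libs/{lib}", b"\x7fELF\x00mbed TLS 2.16.11\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name in vulnerable_libs(make_sample_wheel()):
        print("outdated mbed TLS bundled in:", name)
```

For a real wheel, replace `make_sample_wheel()` with the bytes of the downloaded `.whl` file.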

Synss commented 2 years ago

Hi! Thank you for your report. Going for 2.28.0, the latest LTS, would be very easy. I have not tried 3.1.0 yet.

Synss commented 2 years ago

I would very much prefer to keep tracking LTS versions of the backend. CVE-2021-45450 is fixed in 2.28.0 so I can make a new release with that version of the backend in the next few days. In the meantime, I will see if ARM publishes a 2.28.1 with a fix for the other vulnerability and make a new release if they do.

Otherwise, I will start working on supporting the newer versions.

Synss commented 2 years ago

I just released a new version of the library with a 2.28.0 backend. I will not be able to support non-LTS versions of mbedTLS so we will have to wait for them to fix CVE-2021-45451 there.