Closed JoeGardner000 closed 2 years ago
Hi! Thank you for your report. Going for 2.28.0 the latest LTS would be very easy. I have not tried 3.1.0 yet.
I would very much prefer to keep tracking LTS versions of the backend. CVE-2021-45450 is fixed in 2.28.0 so I can make a new release with that version of the backend in the next few days. In the meantime, I will see if ARM publishes a 2.28.1 with a fix for the other vulnerability and make a new release if they do.
Otherwise, I will start working on supporting the newer versions.
I just released a new version of the library with a 2.28.0 backend. I will not be able to support non-LTS versions of mbedTLS so we will have to wait for them to fix CVE-2021-45451 there.
Hi, @Synss, @stepheny, I'd like to report a vulnerability issue in python-mbedtls 1.7.0.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph (only the part of the graph that depends on vulnerable shared libraries is shown), python-mbedtls 1.7.0 directly or transitively depends on 8 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:
libmbedcrypto-ac73041f.so.3, libmbedtls-47606ffb.so.12 and libmbedx509-91f761cc.so.0 from the C project mbedtls (version: 2.16.11) expose 2 vulnerabilities: CVE-2021-45451, CVE-2021-45450
Suggested Vulnerability Patch Versions
mbedtls has fixed the vulnerabilities in versions >=3.1.0
Python build tools cannot report vulnerable C libraries, which may introduce security issues into many downstream Python projects. As a popular Python package (python-mbedtls has 15,250 downloads per month), could you please upgrade the above shared libraries to their patched versions?
Thanks for your help~ Best regards, Joe Gardner
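The report's point is that Python tooling sees only the wheel's Python metadata, not the renamed mbedtls `.so` files auditwheel bundles into it, so scanners miss them. As an added example, not code from the report or from python-mbedtls, the script below walks a directory, finds ELF shared objects, grabs the mbedtls version string embedded in the binary, and maps it to the fix versions stated in this thread. It assumes mbedtls compiles its `MBEDTLS_VERSION_STRING_FULL` literal (`"mbed TLS 2.16.11"` in 2.x, `"Mbed TLS 3.1.0"` in 3.x) into libmbedcrypto; the fix table encodes only what the thread says (CVE-2021-45450 fixed in 2.28.0 per the maintainer, both CVEs fixed in 3.1.0 per the report). The `SAMPLE_BLOB` is a constructed stand-in for a bundled library, not a real file.

```python
"""Find vendored mbedtls shared objects in a Python environment and flag the
versions affected by the CVEs discussed in this issue.

Added example; not part of python-mbedtls. The version-string layout and the
fix table below are assumptions taken from mbedtls' version.h and this thread.
"""
import re
import sys
from pathlib import Path

# mbedtls embeds MBEDTLS_VERSION_STRING_FULL as a C string literal; we grep the
# raw binary for it. 2.x uses "mbed TLS x.y.z", 3.x uses "Mbed TLS x.y.z".
VERSION_RE = re.compile(rb"[Mm]bed TLS (\d+)\.(\d+)\.(\d+)")

# Fix versions as stated in this thread (assumption: the thread is accurate).
# CVE-2021-45450: fixed in 2.28.0 (maintainer) and in 3.1.0 (report).
# CVE-2021-45451: fixed only in 3.1.0 (report).
FIXES = {
    "CVE-2021-45450": [(2, 28, 0), (3, 1, 0)],
    "CVE-2021-45451": [(3, 1, 0)],
}


def parse_mbedtls_version(blob: bytes):
    """Return (major, minor, patch) from the embedded version string, or None."""
    m = VERSION_RE.search(blob)
    return tuple(int(g) for g in m.groups()) if m else None


def is_fixed(version, fix_versions):
    """Fixed if version is at or past the fix release of its own major line,
    or if its major line is newer than every listed fix."""
    for fix in fix_versions:
        if version[0] == fix[0] and version >= fix:
            return True
    return version[0] > max(f[0] for f in fix_versions)


def affected_cves(version):
    """CVEs from FIXES that the given version has not yet received a fix for."""
    return sorted(cve for cve, fixes in FIXES.items() if not is_fixed(version, fixes))


def scan_directory(root):
    """Walk root for ELF shared objects carrying an mbedtls version string.

    Returns {path: (major, minor, patch)}. The *.so* glob also matches the
    auditwheel-renamed names seen in the report (libmbedcrypto-<hash>.so.3).
    """
    findings = {}
    for path in Path(root).rglob("*.so*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if data[:4] != b"\x7fELF":  # skip non-ELF files that happen to match
            continue
        version = parse_mbedtls_version(data)
        if version:
            findings[str(path)] = version
    return findings


def report(findings):
    """One human-readable line per finding."""
    lines = []
    for path, version in sorted(findings.items()):
        cves = affected_cves(version)
        status = ("affected by " + ", ".join(cves)) if cves else "not affected by the listed CVEs"
        lines.append(f"{path}: mbedtls {'.'.join(map(str, version))} -> {status}")
    return lines


# Constructed sample: a fake ELF magic header followed by the 2.16.11 literal,
# mimicking the bundled libmbedcrypto from the report. Not a real library.
SAMPLE_BLOB = b"\x7fELF" + b"\x00" * 12 + b"padding\x00mbed TLS 2.16.11\x00more"


if __name__ == "__main__":
    # Usage: python scan_mbedtls.py /path/to/site-packages
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for line in report(scan_directory(root)):
        print(line)
```

Point it at a `site-packages` directory and it lists every bundled libmbedcrypto/libmbedtls/libmbedx509 together with the CVEs still open for that version; the ELF magic check and the version regex are what let it see past the hashed file names that defeat package-level scanners.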