Closed kukushking closed 3 months ago

Hi, the current latest version of the library, fiona==1.9.6, contains the following CVEs:
https://nvd.nist.gov/vuln/detail/CVE-2023-45853
https://nvd.nist.gov/vuln/detail/CVE-2020-14152
Please release a patched version ASAP. Thank you.

Please see https://github.com/Toblerity/Fiona/security/advisories. These have been reported and solutions are on the way. Neither is very dangerous in the Fiona case.

To be clear: the Fiona project itself does not contain those vulnerabilities. This repo does not contain any TIFF or JPEG code. Fiona 1.9.6 wheels published on PyPI do include vulnerable versions of libtiff and libjpeg. Fiona 1.10b1, 1.10b2, and 1.10b3 wheels on PyPI include versions of libtiff and libjpeg which are not vulnerable.

@sgillies is it safe to use beta releases for production? When is the major release with the patch going to be available?

@kukushking I don't think anyone should be relying on the PyPI wheels for production. They don't have very many formats enabled, for example.

Fiona 1.10b3 has some new features and some refactoring, but also fixes a lot of bugs. It is probably fine for a lot of applications.

That said, I think the 1.9.6 wheels remain safe to use. fiona.open() will not directly open TIFFs or JPEGs. It might indirectly cause PROJ to read datum grids stored as GeoTIFFs. But those datum grids would be specified by you, not by any vector data files you open.