ansys / pytwin

Ansys Digital Twin repository
https://twin.docs.pyansys.com
MIT License

Vulnerability CVE-2022-37434 from use of madler-zlib 1.2.12 #124

Open landon-kanner opened 1 year ago

landon-kanner commented 1 year ago

🐞 Description of the bug

https://nvd.nist.gov/vuln/detail/CVE-2022-37434

📝 Steps to reproduce

Run `pip install pytwin`, then scan the resulting venv. The following vulnerability is found from use of madler-zlib 1.2.12: https://nvd.nist.gov/vuln/detail/CVE-2022-37434

💻 Which operating system are you using?

Windows

📀 Which ANSYS version are you using?

N/A

🐍 Which Python version are you using?

3.10

📦 Installed packages

numpy==1.26.1
pandas==2.1.1
python-dateutil==2.8.2
pytwin==0.5.0
pytz==2023.3.post1
pywin32==306
six==1.16.0
tzdata==2023.3
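
The report above only says "scan the resulting venv". As an added example (not code from the pytwin project or the reporter), the following script reproduces that check offline: it walks an environment, reads every native extension binary (`.so`, `.pyd`, `.dll`, `.dylib`) and looks for the copyright banner that zlib compiles into `inflate.c` and `deflate.c` (" inflate 1.2.12 Copyright 1995-2022 Mark Adler "), which survives in any wheel that statically links or vendors zlib. Versions older than 1.2.12.1 (the fix commit, released as zlib 1.2.13) are flagged. CVE-2022-37434 is a heap buffer over-read/overflow in `inflate()` via a large gzip header extra field and only affects code paths that call `inflateGetHeader`, so a hit here identifies a vulnerable copy, not necessarily a reachable one. The fixture directory, the package name `fakepkg` and the file `_native.pyd` are constructed for the example.

```python
"""Flag native binaries in a Python environment that embed a zlib build
older than the CVE-2022-37434 fix (1.2.12.1 in development, shipped as 1.2.13).

Added example; not part of pytwin. The fixture built by build_sample_tree()
is constructed for the demonstration."""
import os
import re
import sys
import tempfile
import zlib
from pathlib import Path

# File suffixes of native binaries that may carry a vendored zlib.
NATIVE_EXTS = {".so", ".pyd", ".dll", ".dylib"}

# The copyright banner zlib compiles into inflate.c / deflate.c.
ZLIB_BANNER = re.compile(rb" (?:inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright ")

# First upstream version containing the CVE-2022-37434 fix.
FIXED_VERSION = (1, 2, 12, 1)


def parse_version(text):
    """'1.2.12' -> (1, 2, 12); '1.2.13.zlib-ng' -> (1, 2, 13).
    Non-numeric suffixes (zlib-ng, distro tags) are dropped."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable(version):
    """True when the zlib version predates the CVE-2022-37434 fix."""
    return parse_version(version) < FIXED_VERSION


def zlib_versions_in_file(path):
    """Return the set of zlib version strings embedded in one binary."""
    data = Path(path).read_bytes()
    return {m.group(1).decode("ascii") for m in ZLIB_BANNER.finditer(data)}


def scan_tree(root):
    """Map each native binary under `root` that embeds a zlib banner
    to its sorted list of version strings."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in NATIVE_EXTS:
                continue
            full = os.path.join(dirpath, name)
            try:
                versions = zlib_versions_in_file(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if versions:
                found[full] = sorted(versions)
    return found


def vulnerable_files(root):
    """List (path, version) for every vendored zlib older than the fix."""
    return [(path, v)
            for path, versions in sorted(scan_tree(root).items())
            for v in versions if is_vulnerable(v)]


def interpreter_zlib():
    """(version, vulnerable) for the zlib the running interpreter loaded.
    A site-packages scan never covers this copy, so report it separately."""
    return zlib.ZLIB_RUNTIME_VERSION, is_vulnerable(zlib.ZLIB_RUNTIME_VERSION)


def build_sample_tree():
    """Constructed fixture: a fake site-packages holding one extension
    module with the zlib 1.2.12 banner and one text file that must be ignored."""
    root = tempfile.mkdtemp(prefix="zlibscan_")
    pkg = os.path.join(root, "Lib", "site-packages", "fakepkg")  # hypothetical package
    os.makedirs(pkg)
    with open(os.path.join(pkg, "_native.pyd"), "wb") as f:
        f.write(b"MZ\x90\x00 junk "
                b" inflate 1.2.12 Copyright 1995-2022 Mark Adler \x00"
                b" deflate 1.2.12 Copyright 1995-2022 Jean-loup Gailly and Mark Adler \x00")
    with open(os.path.join(pkg, "README.txt"), "wb") as f:
        f.write(b" inflate 1.2.12 Copyright 1995-2022 Mark Adler ")
    return root


if __name__ == "__main__":
    # Usage: python scan_zlib.py <venv_dir>; with no argument the fixture is scanned.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, version in vulnerable_files(target):
        print(f"VULNERABLE zlib {version}: {path}")
    version, bad = interpreter_zlib()
    print(f"interpreter zlib {version}: {'VULNERABLE' if bad else 'ok'}")
```

Point the script at the venv root (e.g. `.venv`) to cover every installed wheel; the banner string check is a static heuristic, so a binary built against a patched distro zlib that kept the 1.2.12 banner would still be flagged, and a copy built from a different fork may use a different banner and be missed.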

lboucin commented 11 months ago

Hi @landon-kanner thanks for leveraging this vulnerability issue. Could you please recommend a way to fix it or someone at Ansys that could help us doing so? (@chrpetre FYI)

landon-kanner commented 11 months ago

Hi @lboucin. Please work with @MaxJPRey to remove zlib 1.2.12 from your codebase or document a Compensating Control. I would recommend switching to zlib 1.2.12.1