ansys / pytwin

Ansys Digital Twin repository
https://twin.docs.pyansys.com
MIT License
19 stars, 7 forks

Vulnerability CVE-2020-1971 from use of openssl 1.1.1 #125

Open landon-kanner opened 1 year ago

landon-kanner commented 1 year ago

🔍 Before submitting the issue

🐞 Description of the bug

https://nvd.nist.gov/vuln/detail/CVE-2020-1971

📝 Steps to reproduce

pip install pytwin
Run vulnerability scan on resulting venv

💻 Which operating system are you using?

Windows

📀 Which ANSYS version are you using?

none

🐍 Which Python version are you using?

3.10

📦 Installed packages

numpy==1.26.1
pandas==2.1.1
python-dateutil==2.8.2
pytwin==0.5.0
pytz==2023.3.post1
pywin32==306
six==1.16.0
tzdata==2023.3
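The reproduction step above is "install the package, then scan the resulting venv". The script below is an added example of what such a scan does, written for this issue; it is not the reporter's scanner and not pytwin code. It walks a directory tree, locates shared libraries (and anything whose name hints at OpenSSL), pulls the `OpenSSL x.y.zL  dd Mon yyyy` banner that libcrypto/libssl embed, and classifies the version against the fix releases from the OpenSSL advisory for CVE-2020-1971 (1.1.1i and 1.0.2x; OpenSSL 3.x was never affected). It also reports what the running interpreter's `ssl` module is linked against, which is a different question from what is bundled on disk. The file names and banner bytes in `demo()` are constructed stand-ins, not files pytwin ships.

```python
"""Scan a directory tree (e.g. a virtualenv) for bundled OpenSSL binaries and
classify each against CVE-2020-1971 (EDIPARTYNAME NULL-pointer dereference in
GENERAL_NAME_cmp, fixed in OpenSSL 1.1.1i and 1.0.2x).
Added example for the issue thread, not the reporter's scanner or pytwin code."""
import re
import ssl
import sys
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# libcrypto/libssl embed a version banner such as
# b"OpenSSL 1.1.1h  22 Sep 2020" or b"OpenSSL 3.1.0 14 Mar 2023".
_BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(?![a-z0-9])")

# (major, minor, patch, letter) with letter a..z -> 1..26 and no letter -> 0,
# so 1.1.1 < 1.1.1a < ... < 1.1.1w compares correctly as a plain tuple.
VersionKey = Tuple[int, int, int, int]

# First fixed letter release per branch, from the 08 Dec 2020 OpenSSL advisory.
_FIXED = {(1, 1, 1): ord("i") - ord("a") + 1, (1, 0, 2): ord("x") - ord("a") + 1}

# Files worth opening: shared libraries plus anything named like OpenSSL.
_SUFFIXES = {".dll", ".so", ".dylib", ".pyd"}
_NAME_HINTS = ("libcrypto", "libssl", "_ssl", "openssl")


def parse_version(blob: bytes) -> Optional[VersionKey]:
    """Return the first OpenSSL version banner in a byte blob, or None."""
    m = _BANNER.search(blob)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).decode()
    return (major, minor, patch, ord(letter) - ord("a") + 1 if letter else 0)


def format_version(key: VersionKey) -> str:
    major, minor, patch, letter = key
    return f"{major}.{minor}.{patch}{chr(ord('a') + letter - 1) if letter else ''}"


def classify(key: VersionKey) -> str:
    """'vulnerable' / 'fixed' for the 1.1.1 and 1.0.2 branches the advisory
    covered, 'unaffected' for 3.x, 'eol' for older branches (1.0.1, 1.1.0, ...)
    that were already unsupported and should be treated as bad regardless."""
    branch, letter = key[:3], key[3]
    if branch in _FIXED:
        return "vulnerable" if letter < _FIXED[branch] else "fixed"
    if key[0] >= 3:
        return "unaffected"
    return "eol"


def find_openssl_binaries(root) -> List[Tuple[Path, VersionKey, str]]:
    """Walk `root` and report every candidate file that carries a banner."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()  # libcrypto.so.1.1 has suffix ".1", so check the name too
        if path.suffix.lower() not in _SUFFIXES and not any(h in name for h in _NAME_HINTS):
            continue
        key = parse_version(path.read_bytes())
        if key is not None:
            hits.append((path, key, classify(key)))
    return hits


def running_interpreter_status() -> Tuple[str, str]:
    """What this Python's ssl module is linked against ('unknown' for non-OpenSSL
    builds such as LibreSSL, whose banner does not match)."""
    key = parse_version(ssl.OPENSSL_VERSION.encode())
    return (ssl.OPENSSL_VERSION, classify(key) if key else "unknown")


def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed fake venv (names and bytes are stand-ins, not real
    pytwin files) and scan it; returns (relative path, version, status)."""
    samples = {
        "Lib/site-packages/some_wheel.libs/libcrypto-1_1.dll": b"MZ\x00OpenSSL 1.1.1h  22 Sep 2020\x00",
        "Lib/site-packages/vendored/libcrypto.so.1.1": b"\x7fELF\x00OpenSSL 1.1.1w  11 Sep 2023\x00",
        "Scripts/libcrypto-3.dll": b"MZ\x00OpenSSL 3.1.0 14 Mar 2023\x00",
        "README.txt": b"no banner here",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, blob in samples.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(blob)
        rows = [(path.relative_to(tmp).as_posix(), format_version(key), status)
                for path, key, status in find_openssl_binaries(tmp)]
    return sorted(rows)


if __name__ == "__main__":
    # Usage: python scan_openssl.py [path-to-venv]; without a path, scans the demo tree.
    if len(sys.argv) > 1:
        rows = [(str(p), format_version(k), s) for p, k, s in find_openssl_binaries(sys.argv[1])]
    else:
        rows = demo()
    for row in rows:
        print("%-60s %-8s %s" % row)
    print("running interpreter: %s (%s)" % running_interpreter_status())
```

Point it at the venv root (`python scan_openssl.py .venv`); a "vulnerable" row names the exact file that needs replacing, which is what a remediation ticket or a documented compensating control has to reference. The banner check is cheap but only finds OpenSSL that is physically bundled as a separate file; a Python built against a system OpenSSL shows up only in the interpreter line.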

lboucin commented 11 months ago

Hi @landon-kanner, thanks for leveraging this vulnerability issue. Could you please recommend a way to fix it or someone at Ansys who could help us do so? (@chrpetre FYI)

landon-kanner commented 11 months ago

Hi @lboucin. Please work with @MaxJPRey to remove openssl 1.1.1 from your codebase or document a Compensating Control. I would recommend switching to openssl 3.1.0 or 1.1.1w

MaxJPRey commented 11 months ago

@landon-kanner @lboucin, we will start by upgrading the Python version supported. @landon-kanner, I will contact you about this issue.