astral-sh / rye

a Hassle-Free Python Experience
https://rye.astral.sh
MIT License

CVE in curve25519-dalek 4.1.2 : GHSA-x4gp-pqpj-f43q #1306

Closed ajayk closed 1 month ago

ajayk commented 1 month ago

Steps to Reproduce

We recently enabled auditable builds, and Rye was flagged for a CVE here: https://github.com/wolfi-dev/os/actions/runs/10209182098/job/28246915328

```
Run wolfictl scan \
🔎 Scanning "/tmp/artifacts-1/packages/x86_64/rye-0.38.0-r0.apk"
└── 📄 /usr/bin/rye
        📦 curve25519-dalek 4.1.2 (rust-crate)
            Medium GHSA-x4gp-pqpj-f43q fixed in 4.1.3
```

Expected Result

update curve25519-dalek to 4.1.3

Actual Result

Attached scanner results above

Version Info

0.38.0

Stacktrace

No response
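The fix requested above is a lockfile bump, and the quickest way to confirm it landed (or to catch a regression before a scanner does) is to read the pinned version straight out of `Cargo.lock` and compare it with the advisory's fixed version. The script below is an added example, not code from the rye project or from the reporter; the `Cargo.lock` excerpt is constructed for the demonstration and is not rye's real lockfile, and the `4.1.3` threshold is the fixed version quoted in the scanner output. The version comparison is done in awk so it works without GNU `sort -V`.

```sh
#!/bin/sh
# Constructed Cargo.lock excerpt (NOT rye's lockfile); pins the vulnerable
# curve25519-dalek 4.1.2 reported above plus one unrelated crate.
SAMPLE_LOCK='[[package]]
name = "curve25519-dalek"
version = "4.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "ed25519-dalek"
version = "2.1.1"
'

# Print the version pinned for crate $1 in the Cargo.lock text read on stdin.
# Prints nothing if the crate is absent. Relies on each [[package]] table
# listing "name" before "version", which is how cargo writes the file.
lock_version() {
  awk -v crate="$1" '
    /^\[\[package\]\]/ { name = ""; next }
    /^name = /    { gsub(/"/, "", $3); name = $3; next }
    /^version = / && name == crate { gsub(/"/, "", $3); print $3; exit }
  '
}

# Return 0 when dotted numeric version $1 is strictly lower than $2.
# Missing components are treated as 0, so 4.1 < 4.1.3.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    len = (n > m) ? n : m;
    for (i = 1; i <= len; i++) {
      xi = (i in x) ? x[i] + 0 : 0;
      yi = (i in y) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1
  }'
}

# Compare the pinned version of crate $1 in lockfile $3 against fixed version $2.
# Prints a verdict; returns 1 only when the crate is present and below the fix.
check_crate() {
  crate="$1"; fixed="$2"; lockfile="$3"
  pinned=$(lock_version "$crate" < "$lockfile")
  if [ -z "$pinned" ]; then
    echo "$crate: not present in $lockfile"
    return 0
  fi
  if version_lt "$pinned" "$fixed"; then
    echo "$crate $pinned is below fixed version $fixed: VULNERABLE (GHSA-x4gp-pqpj-f43q)"
    return 1
  fi
  echo "$crate $pinned >= $fixed: ok"
  return 0
}

# Usage: write the constructed excerpt to a temp file and check it.
# Against a real checkout, pass ./Cargo.lock as the third argument instead.
lock=$(mktemp)
printf '%s' "$SAMPLE_LOCK" > "$lock"
check_crate curve25519-dalek 4.1.3 "$lock" || true
check_crate ed25519-dalek 2.0.0 "$lock" || true
rm -f "$lock"
```

Because the verdict is returned as an exit status, `check_crate` drops into a CI step as-is: the job fails while the lockfile still pins a version below the advisory's fix and passes once the bump is merged.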