casacore / python-casacore

Python bindings for casacore, a library used in radio astronomy
http://casacore.github.io/python-casacore
GNU Lesser General Public License v3.0

Several vulnerabilities in the C libraries which python-casacore depends on. Could you help upgrade to patch versions? #229

Open JoeGardner000 opened 2 years ago

JoeGardner000 commented 2 years ago

Hi @tammojan, @shibasisp, I'd like to report a vulnerability issue in python-casacore_3.4.0.

Dependency Graph between Python and Shared Libraries

[image: dependency graph between python-casacore and its shared libraries]

Issue Description

As shown in the dependency graph above (only the part of the graph that depends on vulnerable shared libraries is shown), python-casacore_3.4.0 directly or transitively depends on 37 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:

- libcfitsio-16f89096.so.2.3.37 from C project cfitsio (version: 3.370) exposed 2 vulnerabilities: CVE-2018-3848, CVE-2018-3849
- libncurses-a6f90868.so.5.9, libtinfo-10270e32.so.5.9 from C project ncurses (version: 5.9) exposed 3 vulnerabilities: CVE-2019-17595, CVE-2019-17594, CVE-2021-39537

Suggested Vulnerability Patch Versions

- cfitsio has fixed the vulnerabilities in versions >= 3.490
- ncurses has fixed the vulnerabilities in versions >= 6.3

Python build tools cannot report vulnerable C libraries, which may introduce security issues into many downstream Python projects. As a popular Python package (python-casacore has 4,626 downloads per month), could you please upgrade the above shared libraries to their patched versions?

Thanks for your help~ Best regards, Joe Gardner
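The report above makes a point that applies beyond this one package: pip and the usual Python dependency scanners only see Python distributions, not the C shared libraries that auditwheel copies into a wheel's `.libs` directory under mangled names such as `libcfitsio-16f89096.so.2.3.37`. The following is an added example (not code from python-casacore or from the reporter) of how a maintainer or downstream user can inventory those bundled libraries and compare them against minimum patched versions. It assumes the auditwheel naming convention `lib<name>-<8 hex chars>.so.<soname version>`; it does not try to derive the upstream project version from the soname, because, as the issue shows, the two differ (`.so.2.3.37` belongs to cfitsio 3.370). The upstream versions therefore come from a constructed inventory that in practice would be filled from the wheel's build recipe. The library-to-project mapping, the patched-version thresholds and the sample file names are taken from the issue text; `libhypothetical-deadbeef.so.1.0` is a constructed name added to show how an unmapped library is reported rather than silently treated as safe.

```python
"""Audit the C shared libraries bundled in a Python wheel against known
patched versions. Added example, not part of python-casacore."""
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample listing of a wheel's .libs directory. The first three
# names are quoted in the issue; the fourth is made up for this example.
SAMPLE_LISTING = [
    "libcfitsio-16f89096.so.2.3.37",
    "libncurses-a6f90868.so.5.9",
    "libtinfo-10270e32.so.5.9",
    "libhypothetical-deadbeef.so.1.0",
]

# Which upstream C project each bundled library belongs to (from the issue).
# Maintained by hand: the mangled soname carries no project name.
SONAME_TO_PROJECT: Dict[str, str] = {
    "libcfitsio": "cfitsio",
    "libncurses": "ncurses",
    "libtinfo": "ncurses",
}

# Minimum upstream versions in which the reported CVEs are fixed (from the issue).
MIN_PATCHED_VERSION: Dict[str, str] = {
    "cfitsio": "3.490",
    "ncurses": "6.3",
}

# Constructed inventory of the upstream versions compiled into the wheel.
# In practice this is taken from the build recipe, not from the soname.
BUNDLED_PROJECT_VERSIONS: Dict[str, str] = {
    "cfitsio": "3.370",
    "ncurses": "5.9",
}

# auditwheel convention assumed here: lib<name>-<8 hex chars>.so[.<version>]
_SONAME_RE = re.compile(r"^(lib[A-Za-z0-9_+]+)-[0-9a-f]{8}\.so(?:\.(.+))?$")


def parse_bundled_soname(filename: str) -> Optional[Tuple[str, str]]:
    """Split 'libfoo-<hash>.so.X.Y' into ('libfoo', 'X.Y').

    Returns None when the name does not follow the auditwheel convention,
    so the caller can flag it instead of guessing."""
    m = _SONAME_RE.match(filename)
    if not m:
        return None
    return m.group(1), m.group(2) or ""


def version_tuple(version: str) -> Tuple[int, ...]:
    """'3.370' -> (3, 370). Numeric-component comparison is enough for the
    dotted release numbers used by cfitsio and ncurses."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def listing_from_dir(path: str) -> List[str]:
    """Read the file names of a wheel's .libs directory (e.g. the
    '<package>.libs' directory next to an installed package)."""
    return sorted(name for name in os.listdir(path) if ".so" in name)


def audit_listing(
    listing: List[str],
    soname_to_project: Dict[str, str] = SONAME_TO_PROJECT,
    bundled_versions: Dict[str, str] = BUNDLED_PROJECT_VERSIONS,
    min_patched: Dict[str, str] = MIN_PATCHED_VERSION,
) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Return (vulnerable, unknown).

    vulnerable maps project -> (bundled version, minimum patched version)
    for every project below its threshold. unknown lists bundled files
    that could not be mapped to a project; these need manual review."""
    vulnerable: Dict[str, Tuple[str, str]] = {}
    unknown: List[str] = []
    for name in listing:
        parsed = parse_bundled_soname(name)
        if parsed is None:
            unknown.append(name)
            continue
        base, _so_version = parsed  # the soname version is not the project version
        project = soname_to_project.get(base)
        if project is None or project not in bundled_versions:
            unknown.append(name)
            continue
        have = bundled_versions[project]
        need = min_patched.get(project)
        if need is not None and version_tuple(have) < version_tuple(need):
            vulnerable[project] = (have, need)
    return vulnerable, unknown


if __name__ == "__main__":
    vuln, unk = audit_listing(SAMPLE_LISTING)
    for project, (have, need) in sorted(vuln.items()):
        print(f"{project}: bundled {have}, needs >= {need}")
    for name in unk:
        print(f"unclassified bundled library, review manually: {name}")
```

Run as-is it reports cfitsio 3.370 (needs >= 3.490) and ncurses 5.9 (needs >= 6.3) from the constructed listing; to audit a real installation, pass `listing_from_dir("<site-packages>/<package>.libs")` to `audit_listing` and fill `BUNDLED_PROJECT_VERSIONS` from the wheel's build recipe. Anything that lands in the `unknown` list is deliberately not counted as safe.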

tammojan commented 2 years ago

Thanks @JoeGardner000; we're planning to release python-casacore in the next few weeks, and we'll make sure to update cfitsio and ncurses in the wheels.