lpsinger
commented
2 years ago Thanks! This will be fixed in the next release. See https://git.ligo.org/lscsoft/lalsuite-manylinux/-/merge_requests/25.
Closed MikeWazoWski123 closed 2 years ago
lpsinger
commented
2 years ago Thanks! This will be fixed in the next release. See https://git.ligo.org/lscsoft/lalsuite-manylinux/-/merge_requests/25.
Hi, @lpsinger , @titodalcanton , I'd like to report a vulnerability issue in ligo-skymap_0.6.1.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph (Here shows part of the dependency graph, which depends on vulnerable shared libraries), ligo-skymap_0.6.1 directly or transitively depends on 3 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:
libcfitsio-16f89096.so.2.3.37from C project cfitsio(version:3.370) exposed 2 vulnerabilities: CVE-2018-3848,CVE-2018-3849Suggested Vulnerability Patch Versions
cfitsio has fixed the vulnerabilities in versions >=3.49
Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects. As a popular python package (ligo-skymap has 28,526 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~ Best regards, MikeWazowski