Hi, @saimn , @laurepiq , I'd like to report a vulnerability issue in mpdaf_3.5.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph, mpdaf_3.5 directly or transitively depends on 2 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:
libcfitsio-c3c748ae.so.2.3.37 from C project cfitsio(version:3.37) exposed 2 vulnerabilities:
CVE-2018-3848, CVE-2018-3849
Suggested Vulnerability Patch Versions
cfitsio has fixed the vulnerabilities in versions >=3.49
Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (mpdaf has 3,606 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~ Best regards, Andy
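As an added illustration (not code from this report or from the mpdaf project), the following Python check lists the auditwheel-renamed shared libraries shipped inside a wheel and flags any whose project version is below the advisory's fixed version. The advisory table is built from the CVEs and fix version quoted above; the soname-to-release mapping for cfitsio (2.3.37 -> 3.37) is an assumption taken from this report's own pairing of the filename with cfitsio 3.37, and `audit_wheel`/`ADVISORIES` are names chosen here.

```python
"""Audit native libraries bundled in a Python wheel (auditwheel-style names)."""
import re
import zipfile
# auditwheel renames vendored libs to lib<name>-<hash>.so[.<soname version>]
_BUNDLED_RE = re.compile(
    r"^lib(?P<name>[A-Za-z0-9_+]+)-(?P<tag>[0-9a-f]{6,})\.so(?:\.(?P<sover>[0-9][0-9.]*))?$"
)
# Advisory table built from the report above: first fixed project version and CVEs.
ADVISORIES = {
    "cfitsio": {"fixed_in": "3.49", "cves": ["CVE-2018-3848", "CVE-2018-3849"]},
}

def version_tuple(v):
    return tuple(int(p) for p in v.strip(".").split("."))

def parse_bundled_lib(filename):
    """Return (name, tag, soname_version) or None if not an auditwheel-style name."""
    m = _BUNDLED_RE.match(filename.rsplit("/", 1)[-1])
    if m is None:
        return None
    return m.group("name"), m.group("tag"), m.group("sover") or ""

def project_version(name, sover):
    """Map a soname version to the project release. Assumption: cfitsio uses
    <soname>.<major>.<minor>, so 2.3.37 -> 3.37 as in the report; others: identity."""
    if name == "cfitsio" and sover.count(".") == 2:
        return sover.split(".", 1)[1]
    return sover

def audit_bundled_libs(filenames):
    """Return one finding per bundled library older than its advisory's fixed version."""
    findings = []
    for fn in filenames:
        parsed = parse_bundled_lib(fn)
        if parsed is None:
            continue
        name, _tag, sover = parsed
        adv = ADVISORIES.get(name)
        if adv is None or not sover:
            continue
        ver = project_version(name, sover)
        if version_tuple(ver) < version_tuple(adv["fixed_in"]):
            findings.append({"file": fn, "library": name, "version": ver,
                             "fixed_in": adv["fixed_in"], "cves": adv["cves"]})
    return findings

def audit_wheel(path):
    """Audit every .so shipped under a <pkg>.libs/ directory of a wheel (a zip file)."""
    with zipfile.ZipFile(path) as zf:
        return audit_bundled_libs(n for n in zf.namelist() if ".libs/" in n)
```

Running `audit_wheel("mpdaf-3.5-...whl")` on a wheel that vendors `libcfitsio-c3c748ae.so.2.3.37` returns a finding with version 3.37, fixed_in 3.49 and both CVEs; a wheel whose bundled library is at or above 3.49 returns an empty list.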