Closed MikeWazoWski123 closed 2 years ago
medaka wheels are created using the manylinux2010 (2014 for ARM64) toolset and so their binary dependencies are governed by libraries available within this build environment. The dependency on libcurl extending to libcrypto stems from use within htslib for reading data across a network. This is not a typical use case for medaka and so is not considered a critical vulnerability.
We will investigate disabling the libcurl functionality.
@cjw85, thanks for your kind feedback. Hope this information can help in finding vulnerable binary dependencies.
Best regards, MikeWazowski
Hi @cjw85, @mwykes, I'd like to report a vulnerability issue in medaka_1.6.0.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph (this shows only the part of the dependency graph that depends on vulnerable shared libraries), medaka_1.6.0 directly or transitively depends on 24 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:
libcrypto-142cf8a3.so.1.0.1e
from C project openssl (version: <=1.0.1f) exposed 18 vulnerabilities: CVE-2021-4044, CVE-2016-7056, CVE-2016-2182, CVE-2016-2181, CVE-2016-2179, CVE-2016-6302, CVE-2016-6303, CVE-2016-2842, CVE-2015-0286, CVE-2015-0206, CVE-2014-8275, CVE-2015-0205, CVE-2014-3508, CVE-2014-3572, CVE-2014-3571, CVE-2020-7043, CVE-2020-7042, CVE-2020-7041
libidn-0c8ed23f.so.11.6.1
from C project libidn (version: 1.28) exposed 3 vulnerabilities: CVE-2015-8948, CVE-2016-6261, CVE-2016-6262
libk5crypto-ab4ddf4c.so.3.1
from C project krb5 (version: 1.13.2) exposed 4 vulnerabilities: CVE-2021-37750, CVE-2021-36222, CVE-2015-8629, CVE-2015-8630
Suggested Vulnerability Patch Versions
openssl has fixed the vulnerabilities in versions >=3.0.1
libidn has fixed the vulnerabilities in versions >=1.33
krb5 has fixed the vulnerabilities in versions >=1.19.3
Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As a popular Python package (medaka has 16,009 downloads per month), could you please upgrade the above shared libraries to their patched versions?
Thanks for your help~ Best regards, MikeWazowski
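An added example (not code from the medaka project or from either commenter) of the check the report says Python build tools do not perform: it lists the `.so` files that auditwheel bundled into a wheel's `<pkg>.libs/` directory, parses their mangled names, and matches them against a watchlist built from the libraries and patch versions named above. The in-memory wheel, the libz entry and the name pattern are assumptions.

```python
import io
import re
import zipfile

# auditwheel renames vendored libraries to <base>-<8 hex chars>.so[.<suffix>]
# (assumption: pattern inferred from names such as libcrypto-142cf8a3.so.1.0.1e)
MANGLED = re.compile(r"^(lib[A-Za-z0-9_+]+)-([0-9a-f]{8})\.so(?:\.(.*))?$")

# Constructed watchlist: base library -> (upstream project, first patched project
# version from the report). The .so suffix is a file version tag, not the project version.
WATCHLIST = {"libcrypto": ("openssl", "3.0.1"), "libidn": ("libidn", "1.33"),
             "libk5crypto": ("krb5", "1.19.3")}

def parse_mangled(filename):
    """Return (base, hash, suffix) for an auditwheel-mangled name, else None."""
    m = MANGLED.match(filename.rsplit("/", 1)[-1])
    return m.groups() if m else None

def vendored_libs(wheel_bytes):
    """List every .so file stored under a '<pkg>.libs/' directory in the wheel."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as wh:
        return [n for n in wh.namelist()
                if ".libs/" in n and ".so" in n.rsplit("/", 1)[-1]]

def audit(wheel_bytes):
    """Map each watch-listed vendored library to its upstream project and fix version."""
    findings = {}
    for name in vendored_libs(wheel_bytes):
        parsed = parse_mangled(name)
        if parsed and parsed[0] in WATCHLIST:
            project, fixed = WATCHLIST[parsed[0]]
            findings[parsed[0]] = {"file": name.rsplit("/", 1)[-1], "suffix": parsed[2],
                                   "project": project, "fixed_in": fixed}
    return findings

def sample_wheel():
    """Constructed in-memory wheel mimicking medaka_1.6.0's .libs directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wh:
        for n in ["medaka/__init__.py",
                  "medaka.libs/libcrypto-142cf8a3.so.1.0.1e",
                  "medaka.libs/libidn-0c8ed23f.so.11.6.1",
                  "medaka.libs/libk5crypto-ab4ddf4c.so.3.1",
                  "medaka.libs/libz-a147dcb0.so.1.2.3"]:  # libz entry is constructed
            wh.writestr(n, b"")
    return buf.getvalue()

if __name__ == "__main__":
    for info in audit(sample_wheel()).values():
        print(f"{info['file']}: {info['project']} -> upgrade to >= {info['fixed_in']}")
```

Point `audit` at the bytes of a real downloaded wheel to get the same inventory; a match means the wheel vendors that library and its origin version should be verified against the patch versions above.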