Closed mikeckennedy closed 2 years ago
This issue ideally shouldn't be closed till there is a release, as it affects every user of this library and they can't do anything about it till a release exists.
Hi @kapilt, I've reopened this issue. The fix will be included in the next release on 11/17/21.
Any chance this could be released sooner so we can honor SOC2 Vuln fix SLA without pinning dependency?
An earlier security release addressing CVE-2021-43572 would be much appreciated!
I've had to patch my requirements.txt in the interim:
sendgrid @ git+https://github.com/sendgrid/sendgrid-python.git@main # tracking main to avoid a vulnerability, can then be pinned for sendgrid>6.9.0
starkbank-ecdsa>=2.0.1 # not directly required, used by sendgrid, pinned to avoid vulnerability CVE-2021-43572
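To confirm that a resolved environment actually carries the fix the thread is waiting on, here is an added check (not code from the thread or from sendgrid-python) that reads `pip freeze` output and flags packages below the minimum fixed versions: starkbank-ecdsa 2.0.1 for CVE-2021-43572 and sendgrid 6.9.1, which pulls it in. The sample freeze output is constructed.

```python
import re

# Minimum fixed versions, taken from the thread: starkbank-ecdsa 2.0.1
# fixes CVE-2021-43572, sendgrid 6.9.1 is the release that depends on it.
MIN_FIXED = {
    "starkbank-ecdsa": (2, 0, 1),
    "sendgrid": (6, 9, 1),
}


def parse_version(text):
    """Turn '1.1.1' or '6.9.1rc1' into a comparable tuple of ints.

    Only leading digits of each dotted component are used, so pre-release
    suffixes are ignored rather than treated as newer.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_freeze(text):
    """Parse `pip freeze` output into {normalized-name: version_tuple}.

    Lines without '==' (comments, VCS/URL requirements) are skipped."""
    installed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        installed[name.strip().lower().replace("_", "-")] = parse_version(version)
    return installed


def find_vulnerable(freeze_text):
    """Return [(package, installed_version, minimum_fixed)] for every
    tracked package that is present and older than its fixed version."""
    installed = parse_freeze(freeze_text)
    return [(pkg, installed[pkg], minimum)
            for pkg, minimum in MIN_FIXED.items()
            if pkg in installed and installed[pkg] < minimum]


# Constructed sample `pip freeze` output (not taken from the thread).
SAMPLE_FREEZE = """\
python-http-client==3.3.4
sendgrid==6.9.0
starkbank-ecdsa==1.1.1
"""

if __name__ == "__main__":
    for pkg, have, need in find_vulnerable(SAMPLE_FREEZE):
        print(f"{pkg}: installed {have}, needs >= {need}")
```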
Thanks for your patience everyone! The fix should be included in v6.9.1 of the Sendgrid-python library.
Github has alerted us that our project has a high-severity vulnerability in starkbank-ecdsa version 1.1.1. The requirements file here forces us to install it (see requirements.txt). Please fix this so we don't have to install this library to use sendgrid.
From the github alert:
PS - what does it use this library for anyway? Seems odd that an email library depends on bank software.