tink-crypto / tink

Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
https://developers.google.com/tink
Apache License 2.0

tink 1.7.0 depends on protobuf 3.20.1 which has a security vulnerability patched in a newer version #708

Closed darkvertex closed 12 months ago

darkvertex commented 1 year ago

tink 1.7.0 for Python depends on protobuf 3.20.1, which has an alleged security vulnerability as per this report from OSV: https://osv.dev/vulnerability/GHSA-8gq9-2x98-w8hf

We can see the requirement here: https://github.com/google/tink/blob/1.7/python/requirements.txt

As per the report:

Please update to the latest available versions of the following packages:

  • protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6)
  • protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)

Can you guys update tink to at least use protobuf 3.20.2?
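A dependency-pin check in the spirit of this report, added here as an example (not Tink's or OSV's code): it flags a requirements line whose protobuf version falls inside the report's affected ranges. The fixed versions are the ones quoted above; the lower bound of each affected branch, the requirement regex and the sample requirements text are assumptions constructed for this example.

```python
import re

# Fixed versions for protobuf-python as listed in the OSV report quoted above.
# The "introduced" lower bound of each branch is an assumption (constructed).
AFFECTED_RANGES = [
    ("0", "3.18.3"),
    ("3.19.0", "3.19.5"),
    ("3.20.0", "3.20.2"),
    ("4.0.0", "4.21.6"),
]


def parse_version(text):
    """Turn '3.20.1' into (3, 20, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True if version lies in any half-open [introduced, fixed) range."""
    v = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if parse_version(introduced) <= v < parse_version(fixed):
            return True
    return False


# Matches 'name==X.Y.Z' and 'name>=X.Y.Z'; other specifiers are ignored (assumption).
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=)\s*([0-9.]+)")


def check_requirements(text, package="protobuf"):
    """Return (requirement line, affected?) for each line pinning `package`.

    '==' pins are checked directly; for '>=' the lowest allowed version is
    checked, since a resolver may legitimately select it.
    """
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m and m.group(1).lower() == package:
            findings.append((line.strip(), is_affected(m.group(3))))
    return findings


# Constructed sample: the 1.7 pin described in this issue, plus a raised floor.
SAMPLE_REQUIREMENTS = "some-other-package==1.0.0\nprotobuf==3.20.1\n"
RAISED_FLOOR = "protobuf>=4.21.9\n"

if __name__ == "__main__":
    for req, bad in check_requirements(SAMPLE_REQUIREMENTS + RAISED_FLOOR):
        print(f"{req}: {'AFFECTED' if bad else 'ok'}")
```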

morambro commented 1 year ago

Hi @darkvertex, since https://github.com/google/tink/commit/a6b2384a5d98f6770523d0bf855867193235e025 Tink requires protobuf>=4.21.9. This will be included in the next release.

nchepanov commented 1 year ago

Hi @morambro, could you please link to the release schedule? I couldn't find any information on when the next (presumably) 1.8.0 release is planned.

morambro commented 1 year ago

We are migrating each library to its own repository. The migration of each library coincides with the next release, which for Tink Python should be complete in Q3/23 (https://github.com/google/tink#tink).

morambro commented 12 months ago

1.8.0 is out (notes, pypi), which includes a fix for this issue.