tlambert03 / nd2

Full-featured nd2 (Nikon NIS Elements) file reader for python. Outputs to numpy, dask, and xarray. Exhaustive metadata extraction
https://tlambert03.github.io/nd2
BSD 3-Clause "New" or "Revised" License

Potential security vulnerabilities in the shared libraries which nd2 depends on. Can you help upgrade to patch versions? #48

Closed MikeWazoWski123 closed 2 years ago

MikeWazoWski123 commented 2 years ago

Hi, @tlambert03 , @VolkerH , I'd like to report a vulnerability issue in nd2_0.2.2.

Dependency Graph between Python and Shared Libraries


Issue Description

As shown in the above dependency graph, nd2_0.2.2 directly or transitively depends on 5 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs: libjpeg-0784ef09.so.62.2.0 from C project libjpeg-turbo (version: 1.5.2) exposed 2 vulnerabilities: CVE-2018-14498, CVE-2017-15232

Suggested Vulnerability Patch Versions

libjpeg-turbo has fixed the vulnerabilities in versions >=2.0.0

Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects. As a popular python package (nd2 has 15,416 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~ Best regards, MikeWazowski
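A defender-side check for the gap the report describes (build tools not reporting vendored C libraries): an added Python example, not part of nd2 or this thread, that parses auditwheel-style mangled filenames such as the one above and compares a caller-supplied inventory of upstream versions against first-fixed versions. The `<package>.libs` directory convention, the `find_vendored_libs` helper, the second sample filename and the table layouts are assumptions; only the libjpeg entry and its CVEs come from the report.

```python
import re
from importlib.util import find_spec
from pathlib import Path

# auditwheel vendors external shared objects into <package>.libs/ and renames
# them <libname>-<8 hex chars>.so[.<SONAME version>], e.g. libjpeg-0784ef09.so.62.2.0
MANGLED_RE = re.compile(
    r"^(?P<base>lib[A-Za-z0-9_+]+)-(?P<tag>[0-9a-f]{8})\.so(?:\.(?P<sover>\d+(?:\.\d+)*))?$"
)

def parse_vendored_name(filename):
    """Split a mangled filename into (base library, hash tag, SONAME version) or None."""
    m = MANGLED_RE.match(filename)
    return (m.group("base"), m.group("tag"), m.group("sover")) if m else None

def find_vendored_libs(package):
    """List vendored .so files next to an installed package (assumes <package>.libs/)."""
    spec = find_spec(package)
    if spec is None or not spec.submodule_search_locations:
        return []
    libs_dir = Path(list(spec.submodule_search_locations)[0]).parent / f"{package}.libs"
    return sorted(p.name for p in libs_dir.glob("*.so*")) if libs_dir.is_dir() else []

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def audit_vendored_libs(filenames, provenance, advisories):
    """One finding per vendored library whose upstream version is below the fixed one.

    provenance: base name -> (upstream project, version); pip/wheel metadata does not
    record this, so it comes from the build log or a manual inventory (assumption).
    advisories: upstream project -> (first fixed version, [CVE ids]).
    """
    findings = []
    for name in filenames:
        parsed = parse_vendored_name(name)
        if parsed is None or parsed[0] not in provenance:
            continue  # not a vendored library, or nothing known about its origin
        project, version = provenance[parsed[0]]
        if project in advisories:
            fixed, cves = advisories[project]
            if version_tuple(version) < version_tuple(fixed):
                findings.append({"file": name, "project": project, "installed": version,
                                 "fixed_in": fixed, "cves": list(cves)})
    return findings

# Constructed sample inventory: the libjpeg entry is from the report above; the
# second filename is made up to show that unknown libraries are skipped.
SAMPLE_FILES = ["libjpeg-0784ef09.so.62.2.0", "libexample-0123abcd.so.1"]
SAMPLE_PROVENANCE = {"libjpeg": ("libjpeg-turbo", "1.5.2")}
ADVISORIES = {"libjpeg-turbo": ("2.0.0", ["CVE-2018-14498", "CVE-2017-15232"])}

if __name__ == "__main__":
    for finding in audit_vendored_libs(SAMPLE_FILES, SAMPLE_PROVENANCE, ADVISORIES):
        print(finding)
```

Running `audit_vendored_libs(find_vendored_libs("nd2"), ...)` against a real install needs a provenance table built from that wheel's own build, which is exactly the information the report says the Python toolchain does not surface.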

tlambert03 commented 2 years ago

reported upstream