cyvcf2
Vulnerable shared libraries might make cyvcf2 vulnerable. Can you help upgrade to patch versions?
Hi, @brentp , @tomwhite , I'd like to report a vulnerability issue in cyvcf2_0.30.15.
Dependency Graph between Python and Shared Libraries

Issue Description
As shown in the above dependency graph, cyvcf2_0.30.15 directly or transitively depends on 9 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
libcrypto-0e720ae1.so.1.1.1k and libssl-66b6abf4.so.1.1.1k from C project openssl(version:<=1.1.1k) exposed 5 vulnerabilities:
CVE-2021-3711, CVE-2021-3712, CVE-2020-7043, CVE-2020-7042, CVE-2020-7041
libssh2-7d24a326.so.1.0.1 from C project libssh2(version:1.9.0) exposed 1 vulnerability:
CVE-2019-17498
Suggested Vulnerability Patch Versions
openssl has fixed the vulnerabilities in versions >=1.1.1l
libssh2 has fixed the vulnerabilities in versions >=1.10.0
Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As a popular Python package (cyvcf2 has 81,083 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~ Best regards, Andy
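One way to check a downloaded wheel for the bundled libraries named in the report, as an added example that is not cyvcf2's own code: it opens the wheel as a zip, scans each .so member for the version text OpenSSL and libssh2 compile into their binaries (what `strings | grep` would show), and compares it with the fixed versions the report names. The wheel path is assumed; the sample wheel the script builds is constructed, not the real cyvcf2 package.

```python
import os
import re
import tempfile
import zipfile

# Minimum fixed versions named in the report (not an exhaustive advisory list).
FIXED = {"openssl": "1.1.1l", "libssh2": "1.10.0"}
# Version text each project compiles into its binary: OPENSSL_VERSION_TEXT, libssh2's SSH banner.
MARKERS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\b"),
    "libssh2": re.compile(rb"SSH-2\.0-libssh2_(\d+\.\d+\.\d+)"),
}

def version_key(ver):
    """Order '1.1.1k' < '1.1.1l' < '1.10.0': numeric parts, then OpenSSL letter suffix."""
    key = []
    for part in ver.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", part)
        if m is None: raise ValueError(f"unparseable version: {ver!r}")
        key.append((int(m.group(1)), m.group(2)))
    return tuple(key)

def identify(blob):
    # Return (project, version) for the first known marker in a .so image, else None.
    for project, rx in MARKERS.items():
        m = rx.search(blob)
        if m:
            return project, m.group(1).decode()
    return None

def audit_wheel(path):
    """Scan every .so member of a wheel (auditwheel keeps them under '<pkg>.libs/').
    Returns [(member, project, found_version, fixed_version, below_fix), ...]."""
    findings = []
    with zipfile.ZipFile(path) as wheel:
        for member in (n for n in wheel.namelist() if ".so" in n):
            hit = identify(wheel.read(member))
            if hit:
                project, found = hit
                below = version_key(found) < version_key(FIXED[project])
                findings.append((member, project, found, FIXED[project], below))
    return findings

def build_sample_wheel():
    """Constructed stand-in wheel: fake .so members carrying the version strings a real
    libcrypto 1.1.1k and libssh2 1.9.0 embed (no real binaries inside)."""
    fd, path = tempfile.mkstemp(suffix=".whl")
    os.close(fd)
    with zipfile.ZipFile(path, "w") as wheel:
        wheel.writestr("cyvcf2.libs/libcrypto-0e720ae1.so.1.1.1k", b"\x7fELF\0OpenSSL 1.1.1k  25 Mar 2021\0")
        wheel.writestr("cyvcf2.libs/libssh2-7d24a326.so.1.0.1", b"\x7fELF\0SSH-2.0-libssh2_1.9.0\0")
    return path
```

Run `audit_wheel("cyvcf2-<version>-...whl")` on a wheel fetched with `pip download cyvcf2`; a `True` in the last column means the bundled copy is older than the fix the report names.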
Hi, sorry for the delay. Is this still an issue? We are using github workflows to build: https://github.com/brentp/cyvcf2/actions/workflows/wheels.yml Do you have some guidance on changes? I assume these have been updated in ubuntu?
It seems this is still an issue, cyvcf2 0.30.22 on PyPI (latest) includes the vulnerable libraries: https://inspector.pypi.io/project/cyvcf2/0.30.22/packages/06/b2/f569ff8e7b420e3cc09e1927eaae306a41021e64174ef78d98dea27858e2/cyvcf2-0.30.22-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl/
Also, cyvcf2 0.30.22 ships with a version of libcurl that is vulnerable to a High severity vulnerability.
More details here: https://github.com/curl/curl/discussions/12026