
https://pypi.org/project/kerberos/ contains known vulns and is abandoned

Open · dlangille opened this issue 1 year ago · 1 comment

Hello,

From what I've seen https://pypi.org/project/kerberos/ contains known vulns[1] and is abandoned[2].

Given that situation, is there something else we can use for the requirements of requests-kerberos?

[1] https://osv.dev/vulnerability/PYSEC-2017-49
[2] "This repository has been archived by the owner on Feb 24, 2024. It is now read-only." https://github.com/apple/ccs-pykerberos

dlangille · Apr 10 '24 15:04

There are a few things to address here

  • This library never called checkPassword so that CVE doesn't apply here
  • https://github.com/requests/requests-kerberos/commit/5dfe4b0cdfe5158d81f6644e07862087d4e6f007 changed the dep so it's no longer using kerberos/pykerberos
  • requests-gssapi was originally designed as a replacement to this library with a new dependency as well

jborean93 · Apr 10 '24 19:04
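The practical question behind this thread is whether the `requests-kerberos` (or any other distribution) actually installed in an environment still pulls in the archived `kerberos`/`pykerberos` package. The check below is an added example, not code from the thread or from the requests-kerberos project: it parses the `Requires-Dist` entries that `importlib.metadata` exposes for an installed distribution and flags any whose distribution name is `kerberos` or `pykerberos`, while ignoring extras such as `other-lib[kerberos]` whose bracketed name merely looks like the package. The sample requirement lists are constructed for illustration and are not copied from any real release.

```python
"""Flag dependencies on the archived `kerberos` / `pykerberos` distribution.

Added example: not part of requests-kerberos. Works on the Requires-Dist
metadata of installed packages (PEP 508 requirement strings).
"""
import re
from importlib import metadata
from typing import List, Optional

# Distribution names that resolve to the archived apple/ccs-pykerberos code.
PYKERBEROS_NAMES = {"kerberos", "pykerberos"}

# A PEP 508 requirement starts with the distribution name; extras ([...]),
# version specifiers and environment markers follow, so we stop at the first
# character that cannot be part of a name.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req: str) -> Optional[str]:
    """Return the normalized distribution name of one Requires-Dist entry."""
    m = _NAME_RE.match(req)
    return normalize(m.group(1)) if m else None


def depends_on_pykerberos(requires: Optional[List[str]]) -> List[str]:
    """Return the Requires-Dist entries that pull in kerberos/pykerberos.

    Extras are ignored on purpose: "other-lib[kerberos]" is a dependency on
    other-lib, not on the kerberos distribution.
    """
    if not requires:
        return []
    return [r for r in requires if requirement_name(r) in PYKERBEROS_NAMES]


def audit_installed(dist_name: str) -> Optional[List[str]]:
    """Audit a distribution installed in the current environment.

    Returns None if the distribution is not installed, otherwise the list of
    its Requires-Dist entries that depend on kerberos/pykerberos.
    """
    try:
        dist = metadata.distribution(dist_name)
    except metadata.PackageNotFoundError:
        return None
    return depends_on_pykerberos(dist.requires)


# Constructed sample metadata (hypothetical, not taken from any real release):
# an older-style dependency set that still uses pykerberos on non-Windows ...
SAMPLE_OLD = [
    "requests>=1.1.0",
    "pykerberos>=1.1.8,<2.0.0; sys_platform != 'win32'",
    "winkerberos>=0.5.0; sys_platform == 'win32'",
]
# ... and a newer-style set whose only "kerberos" mention is an extra name.
SAMPLE_NEW = [
    "requests>=1.1.0",
    "some-gssapi-binding>=1.0; sys_platform != 'win32'",
    "other-lib[kerberos]>=1.0",
]


if __name__ == "__main__":
    print("old sample:", depends_on_pykerberos(SAMPLE_OLD))
    print("new sample:", depends_on_pykerberos(SAMPLE_NEW))
    for name in ("requests-kerberos", "requests-gssapi"):
        hits = audit_installed(name)
        status = "not installed" if hits is None else (hits or "clean")
        print(f"{name}: {status}")
```

Run it inside the virtualenv you are auditing; `audit_installed` reads the metadata of whatever version is actually installed there, which is what matters after the dependency change jborean93 points to, since only releases that contain that commit are free of the `kerberos` requirement.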