python-swat

Redistributed TK libraries include out of date zlib

Open scw opened this issue 1 year ago • 4 comments

The copies of zlib included in tkcop.dll and tkezlib.dll rely on the 1.2.13 versions of the package, where the current version is 1.3.1: [image]

Because SWAT and TK don't directly expose the tool which has a critical vulnerability, the high-priority CVE isn't directly relevant, but it would still be great to resync so that security scanners and other consumers don't flag the package.

scw avatar Mar 18 '24 15:03 scw
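One way to reproduce the finding in the post above without a commercial scanner is to look for zlib's own copyright banner inside the wheel's binaries. This is an added example, not code from python-swat, SAS, or anyone in this thread. It relies on the fact that zlib compiles the strings `inflate_copyright` / `deflate_copyright` (e.g. `" inflate 1.2.13 Copyright 1995-2022 Mark Adler "`) into every build, so the version of a statically linked copy can be read straight out of the DLL. The wheel built by `build_sample_wheel()` is constructed for the demo; its member paths (`swat/lib/win64/...`) and contents are assumptions, not the real layout of a python-swat wheel.

```python
"""Find copies of zlib embedded in a wheel's binaries and flag versions older than a minimum.

Added example (not python-swat code). Works on any .whl (a zip) read into memory.
"""
import io
import re
import zipfile

# zlib's inflate.c/deflate.c embed these banners; the number is ZLIB_VERSION of the
# copy that was compiled in, so it survives static linking into a DLL/.so.
ZLIB_BANNER = re.compile(rb"\b(inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright ")
BINARY_SUFFIXES = (".dll", ".so", ".pyd", ".dylib")


def parse_version(version: str) -> tuple[int, ...]:
    """'1.2.13' -> (1, 2, 13), so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def zlib_versions_in_blob(data: bytes) -> set[str]:
    """All distinct zlib versions whose banner appears in a binary blob."""
    return {match.group(2).decode("ascii") for match in ZLIB_BANNER.finditer(data)}


def scan_wheel(wheel_bytes: bytes, minimum: str = "1.3.1") -> dict[str, dict]:
    """Map each binary member that embeds zlib to its versions and an 'outdated' flag.

    Members without a zlib banner (or that are not binaries) are left out.
    """
    min_version = parse_version(minimum)
    report: dict[str, dict] = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as wheel:
        for info in wheel.infolist():
            name = info.filename
            if not name.lower().endswith(BINARY_SUFFIXES):
                continue
            versions = zlib_versions_in_blob(wheel.read(name))
            if not versions:
                continue
            report[name] = {
                "versions": sorted(versions, key=parse_version),
                "outdated": any(parse_version(v) < min_version for v in versions),
            }
    return report


def build_sample_wheel() -> bytes:
    """Constructed stand-in for a wheel: member names and bytes are made up for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wheel:
        # One library still carrying zlib 1.2.13 (both the inflate and deflate banners)...
        wheel.writestr(
            "swat/lib/win64/tkezlib.dll",
            b"MZ\x00\x00 inflate 1.2.13 Copyright 1995-2022 Mark Adler \x00"
            b" deflate 1.2.13 Copyright 1995-2022 Jean-loup Gailly and Mark Adler \x00",
        )
        # ...one rebuilt against 1.3.1, one without zlib, and a Python source file.
        wheel.writestr(
            "swat/lib/win64/tkcop.dll",
            b"MZ\x00\x00 inflate 1.3.1 Copyright 1995-2024 Mark Adler \x00",
        )
        wheel.writestr("swat/lib/win64/tkother.dll", b"MZ\x00\x00no zlib here\x00")
        wheel.writestr("swat/__init__.py", b"# source files are not scanned\n")
    return buf.getvalue()


if __name__ == "__main__":
    # For a real wheel: scan_wheel(open("python_swat-1.15.0-....whl", "rb").read())
    for member, result in scan_wheel(build_sample_wheel()).items():
        state = "OUTDATED" if result["outdated"] else "ok"
        print(f"{state:8} {member}: zlib {', '.join(result['versions'])}")
```

Two caveats when running this against a real wheel: it is a string match, so a build that stripped or rewrote the banner would go unreported, and a vendor that backported fixes while keeping an old banner would still be flagged. It does, however, give the same answer a SCA scanner gives for this class of finding, and it is enough to confirm or close an issue like this one after a rebuilt wheel ships.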

I worked with SAS support; they closed the internal issue and said this public-facing one was the right place to get it addressed. Can a contributor to the python-swat package please triage this issue? It is still present in the latest 1.15.0 wheels:

[image]

scw avatar Feb 05 '25 21:02 scw

@bkemper24 Is this something that can be evaluated for inclusion in a future release?

scw avatar Feb 14 '25 20:02 scw

I'm looking into this, but I don't have any information so far.

bkemper24 avatar Feb 14 '25 20:02 bkemper24

@bkemper24 Thanks for looking into this. I'd love if we could get this addressed in the TK libraries.

scw avatar Apr 07 '25 16:04 scw

The TK libraries included in V1.16.0 contain an updated tkcop and tkezlib.

bkemper24 avatar Aug 22 '25 14:08 bkemper24

@bkemper24 Thanks! Marking this as closed; I can confirm that 1.16.0 includes zlib 1.3.1 in its TK library versions.

scw avatar Aug 22 '25 17:08 scw