Vulnerable shared libraries might make pygit2 vulnerable. Can you help upgrade to patch versions? #1136
Comments
|
The version of openssl in the wheel is the one from Centos 7, which already has some security patches, specifically the latest release includes https://centos.pkgs.org/7/centos-updates-x86_64/openssl-1.0.2k-24.el7_9.x86_64.rpm.html If this is not enough we could switch from manylinux2014 to manylinux_2_24 wheels, which is based on Debian 9 and has a more recent version of the libraries. This would however make it harder to install pygit2 wheels, since it would require a more recent version of pip. |
|
@jdavid, thanks for your help and feedback.
Compatibility or security? It is really hard to chose. Best regards, |
|
Yes it's useful. So there are some vulnerabilities not addressed by the Centos package, yet Centos 7 is still maintained, and the package maintainers decided not to patch those vulnerabilities. Upgrading to manylinux_2_24 should address some issues, but probably not all. For reference these are the versions in the latest pygit2 release:
In Debian 9 we have:
|
|
@jdavid (cc @howbazaar) security issues from bundling a CentOS patched version of an EOL security library aside, this is also a regression from a functional perspective - there are numerous features and bug fixes that exist in OpenSSL 1.1.x that are not present in OpenSSL 1.0.2. This includes certificate chain verification fixes (#1115) and support for ed25519 (#1143). Bundling OpenSSL 1.0.2 is effectively taking the lowest common denominator and forcing it upon everyone who uses these wheels, even if they are being used on a modern system that has better functionality and security maintenance available. |
|
Yes, OpenSSL should not be included in the wheels, and instead the system library should be used. |
|
The latest release v1.11.1 is based on manylinux 2_24 and includes openssl 1.1 |
|
Just an FYI, switching to manylinux_2_24 broke wheel compatibility with RHEL 7, which uses glibc 2.17. I now have to manually build openssl11, libssh2, libgit2, & pygit2 wheels in manylinux2014 to maintain pygit2 for our internal projects that are deployed to OEL7 hosts. |
Hi, @jdavid , @carlosmn , I'd like to report a vulnerability issue in pygit2_1.9.1.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph(here shows part of the dependency graph, which depends on vulnerable shared libraries), pygit2_1.9.1 directly or transitively depends on 15 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
libcrypto-17bcacf6.so.1.0.2kandlibssl-53a623ad.so.1.0.2kfrom C project openssl(version:1.0.2k) exposed 11 vulnerabilities:CVE-2018-0732, CVE-2019-1559, CVE-2019-1547, CVE-2019-1563, CVE-2019-1551, CVE-2020-1971, CVE-2021-23841, CVE-2020-1968, CVE-2018-0734, CVE-2017-3736, CVE-2019-1552
libgssapi_krb5-497db0c6.so.2.2,libk5crypto-b1f99d5c.so.3.1andlibkrb5-fc820a1d.so.3.3from C project krb5(version:1.16) exposed 2 vulnerabilities:CVE-2021-37750,CVE-2021-36222
Suggested Vulnerability Patch Versions
openssl has fixed the vulnerabilities in versions >=1.1.1l
krb5 has fixed the vulnerabilities in versions >=1.19.3
Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular python package (pygit2 has 630,559 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
MikeWazowski
The text was updated successfully, but these errors were encountered: