Potential secutiry vulnerabilities in the shared libraries which pyapr depends on. Can you help upgrade to patch versions? #54
Description
Hi, @cheesema , @joeljonsson , I'd like to report a vulnerability issue in pyapr_0.0.0.4.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph(here just shows vulnerable dependencies), pyapr_0.0.0.4 directly or transitively depends on 8 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
libhdf5_serial-211b542f.so.100.0.1 from C project hdf5(version:1.10.0) exposed 14 vulnerabilities:
CVE-2020-10811, CVE-2020-10812, CVE-2020-10810, CVE-2020-10809, CVE-2019-8396, CVE-2018-17437, CVE-2018-17432, CVE-2018-17433, CVE-2018-17434, CVE-2018-17438, CVE-2018-17436, CVE-2018-17233, CVE-2018-17234, CVE-2018-17237
libjpeg-0784ef09.so.62.2.0 from C project libjpeg-turbo(version:1.5.2) exposed 2 vulnerabilities:
CVE-2018-14498, CVE-2017-15232
Suggested Vulnerability Patch Versions
hdf5 has fixed the vulnerabilities in versions >=1.12.1
libjpeg-turbo has fixed the vulnerabilities in versions >=2.0.0
Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular python package (pyapr has 2,514 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
MikeWazowski