Hi, @ThomasLeMezo , I'd like to report a vulnerability issue in pyinvariant_0.6.
### Dependency Graph between Python and Shared Libraries
![image](https://user-images.githubusercontent.com/102780639/161524331-678c84b1-bebc-48b2-8f0b-6afbf6f46da3.png)
### Issue Description
As shown in the dependency graph above (only the part of the graph that involves vulnerable shared libraries is shown), pyinvariant_0.6 directly or transitively depends on 33 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:
- `libgssapi_krb5-0f360511.so.2.2`, `libkrb5-0926b880.so.3.3` and `libk5crypto-d17c94d0.so.3.1` from C project krb5 (version: 1.16) exposed 2 vulnerabilities: CVE-2021-37750, CVE-2021-36222
- `libhdf5_hl-e57be49e.so.200.0.0` from C project hdf5 (version: 1.10.6) exposed 4 vulnerabilities: CVE-2020-10811, CVE-2020-10812, CVE-2020-10810, CVE-2020-10809
- `libidn-97d26f25.so.11.6.11` from C project libidn (version: 1.28) exposed 3 vulnerabilities: CVE-2015-8948, CVE-2016-6261, CVE-2016-6262
### Suggested Vulnerability Patch Versions
- krb5 has fixed the vulnerabilities in versions >= 1.19.3
- hdf5 has fixed the vulnerabilities in versions >= 1.12.1
- libidn has fixed the vulnerabilities in versions >= 1.33
Python build tools cannot report vulnerable C libraries, which may expose many downstream Python projects to security issues.
As a popular Python package (pyinvariant has 1,231 downloads per month), could you please upgrade the above shared libraries to their patched versions?
Thanks for your help~
Best regards,
MikeWazowski
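The report's core point is that the bundled `.so` files inside a manylinux wheel are invisible to Python packaging tools. The following script, added here as an example and not part of the issue or of the pyinvariant project, shows how a defender can at least inventory them: it parses the auditwheel naming scheme (`<libname>-<8 hex chars>.so[.<soname version>]`, exactly the form of the file names listed above), lists every such file in a wheel's `.libs/` directory, and matches the library names against an advisory table built from the CVEs and patched versions in the report. The wheel member paths (`pyinvariant.libs/...`) and the extra `libfoo` entry are constructed for the example; the soname version in a file name is not the upstream release number, so a match here identifies libraries to check, not confirmed vulnerable builds.

```python
"""Inventory the C shared libraries bundled inside a manylinux wheel.

auditwheel copies each external library into a <package>.libs/ directory and
appends an 8-hex-character hash to the file name, e.g. libkrb5-0926b880.so.3.3.
Packaging tools treat these files as opaque data, so this example recovers the
library name and soname suffix and checks them against a small advisory table.
"""
import re
import zipfile
from typing import Dict, List, NamedTuple, Optional

# auditwheel naming: <libname>-<8 hex chars>.so[.<soname version>]
_MANGLED = re.compile(
    r"^(?P<name>lib[A-Za-z0-9_+]+)-(?P<tag>[0-9a-f]{8})\.so(?:\.(?P<ver>[0-9.]+))?$"
)


class BundledLib(NamedTuple):
    name: str        # library name with the auditwheel hash removed
    tag: str         # the hash auditwheel appended
    soname_ver: str  # soname suffix ("" when absent); NOT the upstream release version
    path: str        # full member path inside the wheel


def parse_mangled_name(fname: str, path: str) -> Optional[BundledLib]:
    """Return a BundledLib for an auditwheel-mangled file name, else None."""
    m = _MANGLED.match(fname)
    if not m:
        return None
    return BundledLib(m["name"], m["tag"], m["ver"] or "", path)


def inventory_wheel_members(members: List[str]) -> List[BundledLib]:
    """Parse every entry under a *.libs/ directory; other members are ignored."""
    found: List[BundledLib] = []
    for member in members:
        folder, _, fname = member.rpartition("/")
        if not folder.endswith(".libs"):
            continue
        lib = parse_mangled_name(fname, member)
        if lib is not None:
            found.append(lib)
    return found


def inventory_wheel(wheel_path: str) -> List[BundledLib]:
    """Open a .whl (a zip archive) from disk and inventory its bundled libraries."""
    with zipfile.ZipFile(wheel_path) as zf:
        return inventory_wheel_members(zf.namelist())


# Advisory table constructed from the report: library name -> upstream project,
# version that fixes the listed CVEs, and the CVE identifiers. The fixed version
# refers to the upstream release, which cannot be read from the soname alone.
ADVISORIES: Dict[str, dict] = {
    "libgssapi_krb5": {"project": "krb5", "fixed_in": "1.19.3",
                       "cves": ["CVE-2021-37750", "CVE-2021-36222"]},
    "libkrb5": {"project": "krb5", "fixed_in": "1.19.3",
                "cves": ["CVE-2021-37750", "CVE-2021-36222"]},
    "libk5crypto": {"project": "krb5", "fixed_in": "1.19.3",
                    "cves": ["CVE-2021-37750", "CVE-2021-36222"]},
    "libhdf5_hl": {"project": "hdf5", "fixed_in": "1.12.1",
                   "cves": ["CVE-2020-10811", "CVE-2020-10812",
                            "CVE-2020-10810", "CVE-2020-10809"]},
    "libidn": {"project": "libidn", "fixed_in": "1.33",
               "cves": ["CVE-2015-8948", "CVE-2016-6261", "CVE-2016-6262"]},
}


def match_advisories(libs: List[BundledLib],
                     advisories: Dict[str, dict] = ADVISORIES) -> Dict[str, dict]:
    """Return {library name: advisory + wheel path} for each bundled lib in the table."""
    hits: Dict[str, dict] = {}
    for lib in libs:
        adv = advisories.get(lib.name)
        if adv is not None:
            hits[lib.name] = {**adv, "path": lib.path, "soname_ver": lib.soname_ver}
    return hits


# Constructed wheel member list mirroring the file names in the report. The
# directory name and the libfoo entry (no advisory) are assumptions for the demo.
SAMPLE_MEMBERS = [
    "pyinvariant/__init__.py",
    "pyinvariant.libs/libgssapi_krb5-0f360511.so.2.2",
    "pyinvariant.libs/libkrb5-0926b880.so.3.3",
    "pyinvariant.libs/libk5crypto-d17c94d0.so.3.1",
    "pyinvariant.libs/libhdf5_hl-e57be49e.so.200.0.0",
    "pyinvariant.libs/libidn-97d26f25.so.11.6.11",
    "pyinvariant.libs/libfoo-01234567.so",
    "pyinvariant-0.6.dist-info/RECORD",
]

if __name__ == "__main__":
    for name, hit in match_advisories(inventory_wheel_members(SAMPLE_MEMBERS)).items():
        print(f"{hit['path']}: {hit['project']} fixed in >= {hit['fixed_in']}; "
              f"check against {', '.join(hit['cves'])}")
```

To run it against a real wheel, call `inventory_wheel("path/to/file.whl")` instead of using `SAMPLE_MEMBERS`; the advisory table would then be replaced by a feed keyed on upstream project and version, which is the information the wheel itself does not carry.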