#413 [Security] Lacking update strategy/monitoring for vulnerable python packages
Closed: Won't fix 2 months ago by catanzaro. Opened 2 months ago by maureece.

On a fresh Fedora WS installation (after having installed updates via Gnome Software and rebooting once), do:

  • sudo dnf install python3-pip
  • pip install pip-audit
  • pip-audit

The result: 4 modules with 7 vulnerabilities overall. The affected modules are:

  • beaker (1.12.1): PYSEC-2020-216
  • cryptography (41.0.3): GHSA-3ww4-gg4f-jr7f, GHSA-v8gr-m533-ghj9, GHSA-jfhm-5ghh-2f97 (newer versions with fixes available)
  • pip (23.2.1): PYSEC-2023-228 (newer version with fix available)
  • pycrypto (2.6.1): PYSEC-2017-94, PYSEC-2018-97 [No idea where this came from]

On a more "dirty" F39 installation, pip-audit found two more vulnerable modules, both of which had newer versions with fixes available. It was not transparent which of these were "system-installed" and which were user-installed / installed as dependencies of packages that were user-installed. The modules in question were certifi (2023.5.7; affected by PYSEC-2023-135; fixed version available) and pycryptodomex (3.19.0; affected by PYSEC-2024-3; fixed version available).

On an older, even "dirtier" F38 installation, pip-audit found significantly more vulnerable modules; for example:

  • aiohttp (3.8.4): PYSEC-2024-24, PYSEC-2023-120, PYSEC-2023-250, PYSEC-2023-251, PYSEC-2023-246, PYSEC-2024-26, GHSA-pjjw-qhg8-p2p9 (newer versions with fixes available)
  • certifi (2022.9.24): PYSEC-2022-42986, PYSEC-2023-135 (newer versions with fixes available)
  • cryptography (37.0.2): GHSA-39hc-v87j-747x, GHSA-w7pp-m8wf-vj6r, GHSA-x4qr-2fvf-3mr5, GHSA-5cpq-8wj7-hf2v, GHSA-jm77-qphf-c4w8, GHSA-3ww4-gg4f-jr7f, GHSA-v8gr-m533-ghj9, GHSA-jfhm-5ghh-2f97 (newer versions with fixes available)
  • pillow (9.5.0): PYSEC-2023-175, PYSEC-2023-227, GHSA-3f63-hfp8-52jq, GHSA-j7hp-h8jx-5ppr, GHSA-56pw-mpj4-fxww (newer versions with fixes available)
  • pip (22.3.1): PYSEC-2023-228 (newer version with fix available)
  • pycryptodomex (3.19.0): PYSEC-2024-3 (newer version with fix available)
  • yt-dlp (2023.10.7): GHSA-3ch3-jhc6-5r8x (newer version with fix available)

To me, this looks like a systematic problem of maintainers not updating python modules, and a lack of monitoring thereof.
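Added example, not part of the report above or of Fedora's tooling: a small script that takes pip-audit's JSON output and, for each vulnerable distribution, asks rpm whether the installed files belong to a Fedora package, so findings that are the distribution's to fix are separated from modules the user installed with pip. The JSON shape (dependencies[].name/version/vulns[].id/fix_versions) is assumed from pip-audit's `--format json` output, and the embedded report is constructed, with illustrative fix versions.

```python
import json
import shutil
import subprocess
from importlib import metadata

# Constructed stand-in for `pip-audit --format json` output (shape assumed).
SAMPLE_REPORT = json.loads("""{"dependencies": [
  {"name": "pip", "version": "23.2.1",
   "vulns": [{"id": "PYSEC-2023-228", "fix_versions": ["23.3"]}]},
  {"name": "pycrypto", "version": "2.6.1",
   "vulns": [{"id": "PYSEC-2017-94", "fix_versions": []},
             {"id": "PYSEC-2018-97", "fix_versions": []}]},
  {"name": "requests", "version": "2.31.0", "vulns": []}
]}""")

def rpm_owner(path):
    """Name of the RPM owning `path`, or None when unowned or rpm is absent."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(["rpm", "-qf", "--queryformat", "%{NAME}", str(path)],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None

def owner_of_dist(name):
    """Locate one installed file of the distribution and ask rpm who owns it.
    A pip --user copy shadowing an RPM one is found first on sys.path, so it
    correctly reports as unowned."""
    try:
        files = metadata.distribution(name).files or []
    except metadata.PackageNotFoundError:
        return None
    return rpm_owner(files[0].locate()) if files else None

def triage(report, owner_lookup=owner_of_dist):
    """Split pip-audit findings by who is responsible for the fix."""
    rows = []
    for dep in report["dependencies"]:
        if not dep["vulns"]:
            continue
        owner = owner_lookup(dep["name"])
        fixes = sorted({v for vuln in dep["vulns"] for v in vuln.get("fix_versions", [])})
        if owner:
            action = f"distribution-managed ({owner}); report/track in bugzilla"
        elif fixes:
            action = f"user-installed; upgrade with pip (fixed in {', '.join(fixes)})"
        else:
            action = "user-installed; no fixed release, remove or replace"
        rows.append({"name": dep["name"], "version": dep["version"],
                     "ids": [v["id"] for v in dep["vulns"]],
                     "owner": owner, "action": action})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(f"{row['name']} {row['version']}: {', '.join(row['ids'])} -> {row['action']}")
```

Feed it a real report with `pip-audit --format json | python3 triage.py` after replacing SAMPLE_REPORT with `json.load(sys.stdin)`; the rpm lookup only runs on the host's own site-packages.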


Hi, this is basically the issue tracker for desktop-related issues. We don't have anything to do with the python stack.

Hi @churchyard, is there a better place to track this problem?

Use bugzilla. If you want an umbrella one, use the distribution component and create a tracker bug that blocks the bugzillas for the individual packages.

Couple notes for packages I am involved with:

cryptography (41.0.3): GHSA-3ww4-gg4f-jr7f, GHSA-v8gr-m533-ghj9, GHSA-jfhm-5ghh-2f97 (newer versions with fixes available)

Probably fixed in https://bodhi.fedoraproject.org/updates/FEDORA-2024-91f5df4002

pip (23.2.1): PYSEC-2023-228 (newer version with fix available)

This is CVE-2023-5752. We never got a python-pip bugzilla from prodsec for this :( See https://bugzilla.redhat.com/show_bug.cgi?id=2250765#c6

certifi (2022.9.24): PYSEC-2022-42986, PYSEC-2023-135 (newer versions with fixes available)

Fedora's certifi is patched to use system certificates and hence not affected.

Use bugzilla.

Try this. :)

Metadata Update from @catanzaro:
- Issue close_status updated to: Won't fix
- Issue status updated to: Closed (was: Open)
