On a fresh Fedora WS installation (after having installed updates via Gnome Software and rebooting once), do:
sudo dnf install python3-pip
pip install pip-audit
pip-audit
The result: 4 modules with 7 vulnerabilities overall. The affected modules are:
On a more "dirty" F39 installation, pip-audit found two more vulnerable modules, both of which had newer versions with fixes available. It was not transparent which of these were "system-installed" and which were user-installed or installed as dependencies of packages that were user-installed. The modules in question were certifi (2023.5.7; affected by PYSEC-2023-135; fixed version available) and pycryptodomex (3.19.0; affected by PYSEC-2024-3; fixed version available).
pip audit
On an older, even "dirtier" F38 installation, pip-audit found significantly more vulnerable modules; for example:
To me, this looks like a systematic problem of maintainers not updating python modules, and a lack of monitoring thereof.
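The report above notes that it was not transparent which flagged modules were system-installed (from RPMs) and which came from pip. The following script is an added example, not part of the original ticket or of pip-audit itself: it takes the JSON that pip-audit emits with `--format json` (the shape of that JSON is assumed here from the tool's documented output, and the embedded sample is constructed from the versions named in the thread, not a real scan), looks up where each flagged distribution lives via `importlib.metadata`, and classifies the origin by install path as Fedora lays it out (`/usr/lib*/python3.X/site-packages` for dnf, `/usr/local/...` for `sudo pip`, `~/.local/...` for `pip install --user`). Where the `rpm` binary is present it also asks `rpm -qf` for the owning package, which is the authoritative answer.

```python
"""Annotate pip-audit JSON findings with where each module was installed from.

Added example for this ticket (not the project's code). Assumes the
pip-audit --format json shape: {"dependencies": [{"name", "version",
"vulns": [{"id", "fix_versions", "aliases", "description"}]}]}.
"""
from __future__ import annotations

import json
import re
import shutil
import subprocess
from importlib.metadata import distributions
from pathlib import Path
from typing import Optional

# Constructed sample in the assumed pip-audit JSON shape; mirrors the versions
# and PYSEC ids quoted in the thread, fix versions are illustrative.
SAMPLE_AUDIT_JSON = json.dumps({
    "dependencies": [
        {"name": "certifi", "version": "2023.5.7", "vulns": [
            {"id": "PYSEC-2023-135", "fix_versions": ["2023.7.22"],
             "aliases": ["CVE-2023-37920"], "description": "constructed"}]},
        {"name": "pycryptodomex", "version": "3.19.0", "vulns": [
            {"id": "PYSEC-2024-3", "fix_versions": ["3.19.1"],
             "aliases": [], "description": "constructed"}]},
        {"name": "requests", "version": "2.31.0", "vulns": []},
    ]
})


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'PyCryptodomex' and 'pycryptodomex' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify_location(location: Path, home: Optional[Path] = None) -> str:
    """Heuristic origin of a site-packages directory on Fedora, by path prefix."""
    home = home or Path.home()
    p = str(location)
    if p.startswith(str(home)):
        return "user (pip install --user)"
    if p.startswith("/usr/local/"):
        return "pip as root (/usr/local)"
    if p.startswith("/usr/lib/") or p.startswith("/usr/lib64/"):
        return "rpm (dnf)"
    return "unknown"


def rpm_owner(path: Path) -> Optional[str]:
    """Authoritative check: which RPM owns this path (None if rpm is absent or unowned)."""
    rpm = shutil.which("rpm")
    if rpm is None:
        return None
    res = subprocess.run([rpm, "-qf", str(path)], capture_output=True, text=True)
    return res.stdout.strip() if res.returncode == 0 else None


def installed_locations() -> dict[str, Path]:
    """Map normalised distribution name -> site-packages dir holding its metadata."""
    out: dict[str, Path] = {}
    for dist in distributions():
        name = dist.metadata["Name"]
        if name:
            out.setdefault(normalize(name), Path(dist.locate_file("")))
    return out


def annotate(audit_json: str, locations: dict[str, Path],
             home: Optional[Path] = None, use_rpm: bool = False) -> list[dict]:
    """Return one row per vulnerable dependency with its origin and fix versions."""
    rows = []
    for dep in json.loads(audit_json)["dependencies"]:
        vulns = dep.get("vulns") or []
        if not vulns:
            continue
        loc = locations.get(normalize(dep["name"]))
        origin = classify_location(loc, home) if loc else "not importable here"
        owner = rpm_owner(loc) if (use_rpm and loc) else None
        rows.append({
            "name": dep["name"], "version": dep["version"], "origin": origin,
            "rpm": owner, "location": str(loc) if loc else None,
            "vulns": [v["id"] for v in vulns],
            "fixes": sorted({f for v in vulns for f in v.get("fix_versions", [])}),
        })
    return rows


if __name__ == "__main__":
    # Replace SAMPLE_AUDIT_JSON with the output of: pip-audit --format json
    for row in annotate(SAMPLE_AUDIT_JSON, installed_locations(), use_rpm=True):
        print(f"{row['name']} {row['version']}: {row['origin']}"
              f"{' [' + row['rpm'] + ']' if row['rpm'] else ''} "
              f"vulns={row['vulns']} fixes={row['fixes']}")
```

Modules reported as "rpm (dnf)" are the distribution maintainer's responsibility and should be filed against the package in Bugzilla; "user" and "pip as root" findings are fixable locally with pip. Note that a path-based scanner cannot see distro backports, so an RPM-owned module can be flagged on version alone while actually being patched, which is exactly the certifi case discussed later in this thread.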
Hi, this is basically the issue tracker for desktop-related issues. We don't have anything to do with the python stack.
Hi @churchyard, is there a better place to track this problem?
Use bugzilla. If you want an umbrella one, use the distribution component and treat a tracker bug that blocks the bugzillas for the individual packages.
Couple notes for packages I am involved with:
cryptography (41.0.3): GHSA-3ww4-gg4f-jr7f, GHSA-v8gr-m533-ghj9, GHSA-jfhm-5ghh-2f97 (newer versions with fixes available)
Probably fixed in https://bodhi.fedoraproject.org/updates/FEDORA-2024-91f5df4002
pip (23.2.1): PYSEC-2023-228 (newer version with fix available)
This is CVE-2023-5752. We never got a python-pip bugzilla from prodsec for this :( See https://bugzilla.redhat.com/show_bug.cgi?id=2250765#c6
certifi (2022.9.24): PYSEC-2022-42986, PYSEC-2023-135 (newer versions with fixes available)
Fedora's certifi is patched to use system certificates and hence not affected.
Use bugzilla.
Try this. :)
Metadata Update from @catanzaro: - Issue close_status updated to: Won't fix - Issue status updated to: Closed (was: Open)