Known vulnerabilities in the C library which ecell4-base depends on.Can you help upgrade to patch versions? #495
Description
Hi, @kaizu , @ToruNiina , I'd like to report a vulnerability issue in ecell4-base_2.1.0.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph, ecell4-base_2.1.0 directly or transitively depends on 4 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
libhdf5-80963a0e.so.103.1.0 and libhdf5_cpp-e9bd8d6d.so.103.1.0 from C project hdf5(version:<=1.10.6) exposed 4 vulnerabilities:
CVE-2020-10811, CVE-2020-10812, CVE-2020-10810, CVE-2020-10809
Suggested Vulnerability Patch Versions
hdf5 has fixed the vulnerabilities in versions >=1.12.1
Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular python package (ecell4-base has 2,738 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
Andy