Skip to content
This repository has been archived by the owner on Apr 17, 2024. It is now read-only.

tink 1.7.0 depends on protobuf 3.20.1 which has a security vulnerability patched in a newer version #708

Closed
darkvertex opened this issue Jul 25, 2023 · 4 comments
Closed

tink 1.7.0 depends on protobuf 3.20.1 which has a security vulnerability patched in a newer version #708

darkvertex opened this issue Jul 25, 2023 · 4 comments
Assignees
@morambro

Comments

@darkvertex
Copy link

darkvertex commented Jul 25, 2023
edited
Loading

tink 1.7.0 for Python depends on protobuf 3.20.1, which has an alleged security vulnerability as per this report from OSV:
https://osv.dev/vulnerability/GHSA-8gq9-2x98-w8hf

We can see the requirement here: https://github.com/google/tink/blob/1.7/python/requirements.txt

As per the report:

Please update to the latest available versions of the following packages:

  • protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6)
  • protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)

Can you guys update tink to at least use protobuf 3.20.2?
@morambro morambro self-assigned this Jul 26, 2023
@morambro
Copy link
Contributor

Hi @darkvertex since a6b2384 Tink requires protobuf>=4.21.9. This will be included in the next release.

@nchepanov
Copy link

Hi @morambro could you please link to the release schedule? I couldn't find any information on when the next (presumably) 1.8.0 release is planned.

@morambro
Copy link
Contributor

We are migrating each library to its own repository. The migration of each library coincides with the next release, which for Tink Python should be complete in Q3/23 (https://github.com/google/tink#tink).

@morambro
Copy link
Contributor

1.8.0 is out (notes, pypi), which includes a fix for this issue.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@morambro morambro

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@darkvertex @nchepanov @morambro