Several vulnerabilities in the C library which pytraj depends on. Could you help upgrade to patch versions?

[JoeGardner000]

Hi, @hainm , @swails , I'd like to report a vulnerability issue in pytraj_2.0.5.

Dependency Graph between Python and Shared Libraries

Issue Description

As shown in the above dependency graph (Here shows part of the dependency graph, which depends on vulnerable shared libraries), pytraj_2.0.5 directly or transitively depends on 35 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:
libidn-b9d21c09.so.11.5.19from C project libidn(version:1.28) exposed 3 vulnerabilities:
CVE-2015-8948, CVE-2016-6261, CVE-2016-6262

Suggested Vulnerability Patch Versions

libidn has fixed the vulnerabilities in versions >=1.33

Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular python package (pytraj has 5,580 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,
Joe Gardner

[hainm]

I have no idea what you are talking about and your account is quite new. So I close this issue.

[swails]

CVEs are tracked vulnerabilities in commonly used software. Three of them affect shared libraries that pytraj currently links to/brings in (@JoeGardner000 I assume this is conda-forge? PyPI? What repository are you talking about?).

It would be best to rebuild the binary pytraj distribution to link to newer versions of the libraries (should just require minting a new build of pytraj and libcpptraj within conda).

[JoeGardner000]

@swails , thanks for your help.

I assume this is conda-forge? PyPI? What repository are you talking about?).

I download pytraj from PyPI repository.

Best regards,
Joe Gardner