Re: Vulnerabilities on python packages
Based on the information provided, it appears that the recent mysql-shell release for Linux does contain versions of the cryptography and setuptools Python packages that contain known vulnerabilities. Specifically:
The cryptography package versions included contain vulnerabilities CVE-2023-0286, CVE-2023-23931, and GHSA-5cpq-8wj7-hf2v. These allow for denial of service, information leaks, and other impacts if exploited.
The setuptools package version contains vulnerability CVE-2022-40897 which could allow arbitrary code execution if exploited.
Since mysql-shell relies on and bundles these specific Python package versions, it is likely affected by these vulnerabilities. Ideally, mysql-shell should update the bundled cryptography and setuptools packages to newer versions that contain fixes for these CVEs.
However, since these packages seem to be considered fixed requirements for the current release, mysql-shell may be limited in its ability to update them until a new version is released. As a workaround, users could potentially install newer versions of the Python packages separately on systems running mysql-shell, but that has trade-offs as well.
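The reply above boils down to one question an operator has to answer on each host: which cryptography and setuptools versions does the interpreter that mysql-shell actually uses see, and are they at or above the releases that carry the fixes? The script below is an added example, not code from the forum post or from the mysql-shell project. It is meant to be run inside the Python interpreter bundled with mysql-shell (for instance via `mysqlsh --py -f check_bundled.py`, which is an assumption about the invocation), so that it reports the bundled copies rather than a system Python. The minimum fixed versions in `MINIMUM_FIXED` are values taken from the respective advisories and are my assumptions, not something the post states; confirm them against the advisories before relying on the result.

```python
"""Audit the Python packages visible to this interpreter against the
minimum versions that carry the fixes for the advisories named in the thread.

Added example. Run it with the interpreter mysql-shell bundles so the
versions reported are the bundled ones, e.g. (assumed invocation):
    mysqlsh --py -f check_bundled.py
Exit status is 1 if any package is missing or below its fixed version.
"""
from importlib import metadata
import re
import sys

# Assumed minimum fixed versions, taken from the advisories; confirm before use.
# cryptography 39.0.1 fixes CVE-2023-0286 and CVE-2023-23931; the OpenSSL
# advisory GHSA-5cpq-8wj7-hf2v is addressed by 41.0.0, so that is the floor.
MINIMUM_FIXED = {
    "cryptography": ("41.0.0", ["CVE-2023-0286", "CVE-2023-23931",
                                "GHSA-5cpq-8wj7-hf2v"]),
    "setuptools": ("65.5.1", ["CVE-2022-40897"]),
}


def parse_version(text):
    """Turn '39.0.1' into (39, 0, 1).

    Parsing stops at the first non-numeric segment, so '41.0.0rc1' becomes
    (41, 0, 0). Pre-releases therefore compare equal to the final release;
    tighten this if release candidates are in scope for your environment.
    """
    parts = []
    for segment in text.split("."):
        match = re.match(r"\d+", segment)
        if not match:
            break
        parts.append(int(match.group()))
        if match.end() != len(segment):
            break
    return tuple(parts)


def is_fixed(installed, minimum):
    """True if installed >= minimum, comparing numerically with zero padding."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def installed_versions(names):
    """Map each package name to the version this interpreter sees, or None."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            found[name] = None
    return found


def audit(installed, minimums=MINIMUM_FIXED):
    """Return (package, installed, minimum, advisories) for every package
    that is missing or still below the version carrying the fixes."""
    findings = []
    for name, (minimum, advisories) in minimums.items():
        current = installed.get(name)
        if current is None or not is_fixed(current, minimum):
            findings.append((name, current, minimum, advisories))
    return findings


def main():
    versions = installed_versions(MINIMUM_FIXED)
    print("interpreter:", sys.executable)
    for name, version in versions.items():
        print(f"  {name}: {version or 'not found'}")
    findings = audit(versions)
    for name, current, minimum, advisories in findings:
        print(f"VULNERABLE {name} {current or 'missing'} < {minimum}: "
              + ", ".join(advisories))
    if not findings:
        print("all audited packages at or above their fixed versions")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Running it under the system Python instead of the bundled one is the classic false negative here: a host can have a patched system cryptography while mysql-shell still loads its own older copy, which is exactly the trade-off the reply mentions when it suggests installing newer packages separately.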