Multiple CVEs reported for stock Python
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-pip (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
The SAC safety tool reports many open vulnerabilities for the various Python packages that come preinstalled on Ubuntu.
https:/
To run the tool, execute `safety check`. A few dozen CVE notices will appear.
Some of the vulnerabilities appear to arise from upstream Debian, which, like Ubuntu, tends to be slow about patching these vulnerabilities.
Notably, stock Fedora appears to have zero Python vulnerabilities found in the safety CVE database.
Please update or remove the vulnerable packages from the base OS install, so that users can enjoy a more secure system by default. Additionally, the noise from a vulnerable base OS makes it harder for Python developers to determine which CVEs arise from their projects vs. what the operating system gives them to work with.
CVE References
information type: Private Security → Public Security
Thanks for reporting this issue.
The safety tool is relying on versions of Python modules to determine if something is vulnerable or not. Ubuntu, like most Linux distros, backports security updates to existing versions.
Please look up each CVE reported by the safety tool using our web interface here and report back any that are not a false positive: https://ubuntu.com/security/cves
Thanks!
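The two comments above disagree because they answer different questions: `safety check` (the reporter's step) asks "is this upstream version inside the affected range?", while the Ubuntu reply points out that a distro package keeps its upstream version number and carries the fix as a new Debian revision. The script below is an added example, not code from this bug report, from the safety tool or from Ubuntu. It reproduces the version-range test a scanner performs on the upstream part of a dpkg version string, then looks for the CVE id in the package's Debian changelog (which is what `apt-get changelog <pkg>` prints on a real system) to spot likely backports. The changelog text, the package version, the affected range and the CVE ids are all constructed placeholders; the authoritative answer for a real CVE is still the Ubuntu CVE tracker linked in the reply.

```python
"""
Version-only scanner verdict vs. distro-backport evidence.

A scanner such as safety flags package X at upstream version V when V lies
inside the affected range in its database.  Debian/Ubuntu keep V and ship
the fix as "V-<debian revision>", so the same test stays "vulnerable"
forever.  This added example checks both views for one (package, CVE) pair.
All sample data below is constructed; CVE-0000-000x are placeholder ids.
"""
import re

# Constructed changelog in Debian changelog format.  On a real system,
# replace this with the output of `apt-get changelog python3-pip`.
SAMPLE_CHANGELOG = """\
python-pip (20.3.4-4ubuntu2) jammy-security; urgency=medium

  * SECURITY UPDATE: placeholder backported fix (constructed sample)
    - debian/patches/CVE-0000-0001.patch: bound the retry loop.
    - CVE-0000-0001

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000

python-pip (20.3.4-4ubuntu1) jammy; urgency=medium

  * Initial upload (constructed sample).
"""

_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
_OP_RE = re.compile(r"^(<=|>=|==|<|>)\s*([\d.]+)$")


def upstream_version(debian_version: str) -> str:
    """Strip the epoch ('1:') and the Debian revision ('-4ubuntu2') from a
    dpkg version string, leaving the upstream version a scanner compares."""
    no_epoch = re.sub(r"^\d+:", "", debian_version)
    return no_epoch.split("-", 1)[0]


def _vtuple(version: str) -> tuple:
    # Purely numeric dotted versions only; pre-release tags are out of scope.
    return tuple(int(part) for part in version.split("."))


def version_in_spec(version: str, spec: str) -> bool:
    """True if `version` satisfies every comparator in a spec such as
    '>=20.0,<21.1'.  This is the version-only test a scanner performs."""
    current = _vtuple(version)
    for clause in spec.split(","):
        match = _OP_RE.match(clause.strip())
        if not match:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, target = match.group(1), _vtuple(match.group(2))
        satisfied = {
            "<": current < target,
            "<=": current <= target,
            ">": current > target,
            ">=": current >= target,
            "==": current == target,
        }[op]
        if not satisfied:
            return False
    return True


def cves_fixed_in_changelog(changelog: str) -> set:
    """CVE ids the distro maintainer recorded as fixed in the changelog."""
    return set(_CVE_RE.findall(changelog))


def classify(debian_version: str, affected_spec: str, cve_id: str,
             changelog: str) -> str:
    """Combine the scanner's version test with the backport evidence."""
    if not version_in_spec(upstream_version(debian_version), affected_spec):
        return "not affected: upstream version outside the affected range"
    if cve_id in cves_fixed_in_changelog(changelog):
        return "probable false positive: fix backported by the distro"
    return "needs review: version affected and no backport recorded"


if __name__ == "__main__":
    # Constructed installed version and affected range (not a real advisory).
    installed = "20.3.4-4ubuntu2"
    for cve in ("CVE-0000-0001", "CVE-0000-0002"):
        print(cve, "->", classify(installed, "<21.1", cve, SAMPLE_CHANGELOG))
```

A changelog mention is evidence of a backport, not proof; it tells you which scanner hits deserve a look-up in the CVE tracker and which can be dismissed, which is the triage the reply asks the reporter to do.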