National Vulnerability Database issues

My company uses an automated FOSS scanner that appears to track the National Vulnerability Database. I’ll have to dig around for more details. It complains about Julia’s full dependency packages found on julialang.org for things like gZip and others being vulnerable to exploitation. Is there a place where we can address these issues to make using Julia as free and open software an easier prospect?

https://nvd.nist.gov/

I searched there and didn’t find any CVE for 1.6.4 (the latest LTS version analyzed?).

Edit: vaguely related.

Another edit: do you have a recommendation how we can check this ourselves?

I’m not aware of the fact julia itself uses gZip (which I presume is https://www.gnu.org/software/gzip/). Third-party packages may do.

My bad. It wasn’t gzip. It was 7-Zip.

CVE-2008-6536 (7-Zip) was the first one
CVE-2016-2334 (7-Zip)
CVE-2021-44732 (Mbed TLS)
Several more for 7-Zip

CVE-2019-17498 for libssh2

Some for curl, and the list continues.
My scan was for Julia 1.7.2 with the dependencies.

When I just did Julia without dependencies for 1.7.1 there were no issues.

This is a new area for me. Didn’t know if there was some way the release team could run these scans and weed out some of these issues instead of leaving it to the end user to really have no idea what to do.

Allan

Regarding 7-Zip, at least the recent version found on the master branch seems to download 16.02, which seems to be the most recent version. libssh2 on master is using version 1.10, meaning it’s not vulnerable anymore to the specific CVE you posted (will have to check for LTS).

Do you have a link to the NVD NIST entry you’re referring to? How did you perform that scan?

Usually, if a patch is required, opening an issue on the repo (GitHub - JuliaLang/julia: The Julia Programming Language) will lead to the patch being applied in the next version.

It looks like there is a patch directory:
…\Downloads\julia-1.7.2-full (1).tar.gz\julia-1.7.2-full (1).tar\julia-1.7.2\deps\patches\

Does this mean that these changes are applied to the dependencies possibly mitigating some of the security concerns in CVE?
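As an added example (not code from this thread or from the Julia project), here is the kind of self-check asked for earlier: it compares vendored dependency versions against the first fixed version of each CVE named in the thread, and treats a matching file under deps/patches as something to review by hand rather than as a pass. The manifest format, the patch file names and the fixed-in versions are assumptions; confirm each range against its NVD entry before relying on it.

```python
import re

# Constructed manifest in the style of the versions quoted in the thread.
# This is NOT parsed from Julia's real deps/*.version files; the library
# names (p7zip, libssh2, mbedtls, curl) are assumed to match the deps tree.
MANIFEST = """
p7zip 16.02
libssh2 1.10.0
mbedtls 2.26.0
curl 7.81.0
"""

# (cve, library, first fixed version). The thread only names the CVEs;
# the fixed-in versions here are ASSUMED and must be checked on nvd.nist.gov.
CVE_TABLE = [
    ("CVE-2008-6536", "p7zip", "4.58"),
    ("CVE-2016-2334", "p7zip", "16.00"),
    ("CVE-2019-17498", "libssh2", "1.9.1"),
    ("CVE-2021-44732", "mbedtls", "2.28.0"),
]

# Constructed deps/patches listing (hypothetical file names). A patch whose
# name starts with the library name is only a hint that a fix is backported.
PATCHES = ["mbedtls-cve-2021-44732.patch", "curl-build-fix.patch"]


def parse_version(text):
    """'16.02' -> (16, 2); tuples compare correctly across lengths."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def parse_manifest(text):
    """Map library name -> version string from 'name version' lines."""
    return dict(line.split() for line in text.strip().splitlines())


def has_patch(lib, patches):
    return any(p.startswith(lib + "-") for p in patches)


def assess(manifest, cve_table, patches):
    """Return (cve, lib, version, status) for each CVE in the table."""
    findings = []
    for cve, lib, fixed in cve_table:
        ver = manifest.get(lib)
        if ver is None:
            status = "not-vendored"
        elif parse_version(ver) >= parse_version(fixed):
            status = "fixed-by-version"
        elif has_patch(lib, patches):
            status = "below-fix-but-patched"  # read the patch before closing
        else:
            status = "affected"
        findings.append((cve, lib, ver, status))
    return findings


if __name__ == "__main__":
    for row in assess(parse_manifest(MANIFEST), CVE_TABLE, PATCHES):
        print("%-15s %-8s %-8s %s" % row)
```

A "below-fix-but-patched" result still needs a human to confirm the patch actually addresses that CVE; scanners keyed only on version strings will keep flagging it either way.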