Hi @sujithvm, @gicmo, I'd like to report a vulnerability issue in org.gnode:nix:1.0.
Issue Description
org.gnode:nix:1.0 directly or transitively depends on 16 C libraries (.so) in linux-x86_64. However, I noticed that one C library is vulnerable, containing the following CVEs:
libhdf5.so from the C project hdf5 (version 1.8.11) exposes 14 vulnerabilities:
CVE-2020-10811, CVE-2020-10812, CVE-2020-10810, CVE-2020-10809, CVE-2019-8396, CVE-2018-17437, CVE-2018-17432, CVE-2018-17433, CVE-2018-17434, CVE-2018-17438, CVE-2018-17436, CVE-2018-17233, CVE-2018-17234, CVE-2018-17237
Suggested Vulnerability Patch Versions
hdf5 has fixed the vulnerabilities in versions >=1.12.1.
Java build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Java projects.
Could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
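The gap the report describes (Java build tooling sees only Maven coordinates, not the native .so files packed inside a JAR) can be checked on the defender's side by inspecting the artifact itself. The following Python script is an added example, not code from this report or from the nix project: it lists every shared library inside a JAR and reads the version string that libhdf5 embeds, then compares it numerically against the 1.12.1 fix release cited above. The JAR, its entry paths and the libnixjni.so name are constructed for the demo, not taken from the real org.gnode:nix:1.0 artifact.

```python
"""Inventory native shared libraries bundled in a JAR and pull the HDF5
version out of any libhdf5 copy found.  Added example; the JAR below is
constructed in memory and is not the real org.gnode:nix:1.0 artifact."""
import io
import re
import zipfile

# libhdf5 embeds its version as a plain string (H5_VERS_INFO), e.g.
# "HDF5 library version: 1.8.11"; that marker is what we search for.
HDF5_VERSION_RE = re.compile(rb"HDF5 library version: (\d+\.\d+\.\d+)")
FIXED_HDF5 = (1, 12, 1)  # first release the report cites as fixed

def parse_version(text):
    """'1.8.11' -> (1, 8, 11): compare numerically, since as strings
    '1.8.11' sorts *after* '1.12.1' and would look patched."""
    return tuple(int(p) for p in text.split("."))

def hdf5_version(blob):
    """Embedded HDF5 version tuple, or None if the marker is absent."""
    m = HDF5_VERSION_RE.search(blob)
    return parse_version(m.group(1).decode()) if m else None

def scan_jar(jar_bytes):
    """Every .so entry in the JAR (any directory depth) with its HDF5 version."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            base = name.rsplit("/", 1)[-1]
            if base.endswith(".so") or ".so." in base:
                found.append((name, hdf5_version(jar.read(name))))
    return found

def vulnerable_hdf5(jar_bytes):
    """Paths of bundled HDF5 libraries older than the fixed release."""
    return [p for p, v in scan_jar(jar_bytes) if v is not None and v < FIXED_HDF5]

def build_sample_jar():
    """Constructed JAR: an old libhdf5, an unrelated .so and a class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/gnode/nix/Placeholder.class", b"\xca\xfe\xba\xbe")
        jar.writestr("linux-x86_64/libhdf5.so",
                     b"\x7fELF...HDF5 library version: 1.8.11\x00")
        jar.writestr("linux-x86_64/libnixjni.so", b"\x7fELF...")  # constructed name
    return buf.getvalue()

if __name__ == "__main__":
    for path, ver in scan_jar(build_sample_jar()):
        print(path, ver)
    print("needs upgrade:", vulnerable_hdf5(build_sample_jar()))
```

Point the script at a downloaded JAR (`scan_jar(open(path, "rb").read())`) to produce the native-library inventory that the Maven dependency graph does not show.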