Vulnerability python openssl 3.0.13

When installing Python 3.11.9 on Windows, Defender is complaining about vulnerable files:
libcrypt dll 3.0.13

Updating to version 3.11.9 fixed some issues by updating to OpenSSL version 3.0.13.
But 3.0.13 still has vulnerabilities:

CVE-2024-2511

Any idea if this will be fixed or how I can fix it?

Thanks, and I’m grateful for any help.

Is the vulnerability you are concerned about in libcrypt or in openssl? If the former, Python 3.11+ does not link against libcrypt [1].

In any case, Python 3.9.11 was released in March of 2022 while CVE-2024-2511 was discovered in April of 2024. It is not possible to include security fixes for future vulnerabilities. If you are concerned by vulnerabilities, make sure to keep your software up to date.


  1. bpo-45433: Do not link libpython against libcrypt by floppym · Pull Request #28881 · python/cpython · GitHub

1 Like

@abessman Sorry, my mistake. We are currently installing Python 3.11.9, but Defender is flagging vulnerabilities in the following files:

  • C:\Python\DLLs\libcrypto-3.dll
  • C:\Python\DLLs\libssl-3.dll

I’ve installed Python version 3.12.5 and Defender detects the same vulnerable files (CVE-2024-2511).

Previously, the version of OpenSSL used in Python binaries has been updated quite promptly after a new OpenSSL release:

OpenSSL 3.0.10: released 2023-08-01, Python updated on 2023-09-05.
OpenSSL 3.0.11: released 2023-09-19, Python updated on 2023-09-29.
OpenSSL 3.0.12: released 2023-10-24, never made it into Python.
OpenSSL 3.0.13: released 2024-01-30, Python updated on 2024-02-06.
OpenSSL 3.0.14: released 2024-06-04, not in Python yet.

I guess people have been on vacation and stuff over summer. I wouldn’t be surprised to see Python update to OpenSSL 3.0.14 soon, though there is no issue for it yet. You can open one yourself, if you wish.

However, new OpenSSL releases will almost certainly not be backported to Python 3.9. As far as I can tell from the changelogs, Python 3.9 is still using OpenSSL 1.1.1 (which is also affected by CVE-2024-2511).

2 Likes
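The practical follow-up to the two answers above is to stop reading installer changelogs and ask the interpreter which OpenSSL it actually loaded, then compare that against the first release on the same branch that carries the fix. The script below is an added example for this thread, not code from CPython or from any poster. It assumes that `ssl.OPENSSL_VERSION_INFO` reports the runtime library (which it does on CPython 3.x: the value comes from `OpenSSL_version_num()` of the loaded `libcrypto-3.dll`, not from build-time headers), and it assumes a table of "first fixed release" versions for CVE-2024-2511 (3.0.14 per the thread; 3.1.6, 3.2.2 and 3.3.1 were published alongside it on 2024-06-04). The 1.1.1 branch is deliberately left out of the table, so a 3.9 interpreter reports "unknown" rather than a false "fixed".

```python
"""Check which OpenSSL the running interpreter loaded and whether that
release is at or past an assumed fix version for CVE-2024-2511.

Example code written for this thread; not part of CPython or the
original posts. Run it from the interpreter you are worried about,
e.g.  C:\\Python\\python.exe check_openssl.py
"""
import ssl
import sys
from pathlib import Path

# Assumed first fixed release per OpenSSL branch for CVE-2024-2511.
# 3.0.14 follows the thread; the other three are the fix releases
# OpenSSL shipped on the same day (2024-06-04). Adjust if your
# advisory source says otherwise. 1.1.1 is intentionally absent:
# it is end of life and gets no public fix.
FIXED_FOR_CVE_2024_2511 = {
    (3, 0): (3, 0, 14),
    (3, 1): (3, 1, 6),
    (3, 2): (3, 2, 2),
    (3, 3): (3, 3, 1),
}


def parse_version(version_info):
    """Reduce ssl.OPENSSL_VERSION_INFO (major, minor, fix, patch, status)
    to a tuple that compares correctly with the table above.

    For 3.x the 'patch' slot is always 0 and 'fix' is the release number,
    so (3, 0, 13). For 1.1.1x the letter suffix lives in 'patch', so keep
    it: 1.1.1w is (1, 1, 1, 23).
    """
    major, minor, fix, patch, _status = version_info
    if major < 3:
        return (major, minor, fix, patch)
    return (major, minor, fix)


def is_fixed(version_info, fixed=FIXED_FOR_CVE_2024_2511):
    """Return (status, detail) where status is 'fixed', 'vulnerable' or
    'unknown' (branch not in the table)."""
    version = parse_version(version_info)
    branch = version[:2]
    minimum = fixed.get(branch)
    label = ".".join(str(part) for part in version)
    if minimum is None:
        return "unknown", f"no fix release known for branch {branch[0]}.{branch[1]} (loaded {label})"
    wanted = ".".join(str(part) for part in minimum)
    if version >= minimum:
        return "fixed", f"loaded {label} >= {wanted}"
    return "vulnerable", f"loaded {label} < {wanted}"


def bundled_openssl_dlls():
    """Return the libcrypto/libssl files that sit next to the _ssl extension
    module. On the Windows installer layout that is <prefix>\\DLLs\\; on
    other platforms the glob simply finds nothing."""
    import _ssl  # the C extension that links libssl/libcrypto

    module_path = getattr(_ssl, "__file__", None)
    if module_path is None:  # statically built in; nothing to list
        return []
    return sorted(Path(module_path).parent.glob("lib*-*.dll"))


def main():
    print("Python         :", sys.version.split()[0])
    print("Loaded OpenSSL :", ssl.OPENSSL_VERSION)
    status, detail = is_fixed(ssl.OPENSSL_VERSION_INFO)
    print(f"CVE-2024-2511  : {status} ({detail})")
    for dll in bundled_openssl_dlls():
        print("bundled DLL    :", dll)
    # Non-zero exit for anything but 'fixed' so this can gate a CI job.
    return 0 if status == "fixed" else 1


if __name__ == "__main__":
    sys.exit(main())
```

The check keys on the library the interpreter loaded rather than on the file Defender pointed at, which matters in two directions: a stray `libcrypto-3.dll` that nothing loads is noise, while a DLL that is loaded but lives somewhere Defender did not scan is the one that counts. Point the script at each interpreter you ship (`python.exe`, a venv's copy, an embedded distribution) because each carries its own `DLLs\` directory.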