-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Vuln for dependency] Please release new .whl files by using newest curl #6900
Comments
Here are the spots that have to change if anybody wants to upgrade: This is for building from source: Open3D/3rdparty/curl/curl.cmake Lines 28 to 33 in f02e7d2
This also requires prebuilt curl to be uploaded in https://github.com/isl-org/open3d_downloads: Open3D/3rdparty/curl/curl.cmake Lines 64 to 76 in f02e7d2
Also the readme gotta change (which already seems out of date): Lines 119 to 123 in f02e7d2
Sorry, I currently have no time to test building with latest curl and I am not sure how to upload anython to https://github.com/isl-org/open3d_download, but I hope that helps if you would like to create a pull request yourself. |
Thanks @timohl for looking into this. I think this should be a quick / short PR. To upload to open3d_download, just upload the binary somewhere and make sure to add its SHA256 sum to the Open3D PR. Small files can be pllaced directly in the PR with a note and I'll move it to open3d_download, as long as the sha256sum matches. Labelling as "good first issue" for someone to pick this up. |
Checklist
main
branch).My Question
The release files are using curl 7.X, but these softwares have many vulnerabilities
(See https://curl.se/docs/vulnerabilities.html)
Could u release new .whl files for cp11 & cp10 by using curl 8.9.0 ( it's also kind to update a new tag)? Our customers claimed me the Open3D contains the vluns by dependenying old version of curl
The text was updated successfully, but these errors were encountered: