A 15-yr old vulnerability in Python’s tarfile modules could potentially put 350,000 open source projects at risk.
The recent report by Trellix detailing the presence of a 15-year old unpatched path traversal vulnerability(CVE-2007-4559) in Python’s tarfile module, a library used to read and write tape archive (tar) files, potentially exposes over 350,000 open source repositories that utilise it within their projects. This is a reminder of the challenges faced with incorporating open source code into software projects, especially those used within enterprise environments.
While we are nearly a year into the fallout from the discovery of Log4Shell in the Log4j library, researchers continue to identify weaknesses across the supply chain, which underscores the continued need for more resources to assist in identifying and addressing vulnerabilities across some of the most common libraries and software used by organisations today.
Initiatives like Supply chain Levels for Software Artifacts (SLSA) and Software Bill of Materials (SBOM) and projects such as Alpha-Omega under the Open Source Security Foundation are designed to bridge the security gap within the open source community, as many of the developers are often unpaid contributors who volunteer their time. There’s no single solution to address the issue of software supply chain security, but the proposals above present an opportunity to help make a meaningful difference. Reports like this one certainly won’t be the last, which is why the pursuit of the initiatives above is extremely critical.
2020 Cybersecurity Landscape: 100+ Experts’ Predictions
Cyber Security Predictions 2021: Experts’ Responses
Experts’ Responses: Cyber Security Predictions 2023
Celebrating Data Privacy Day – 28th January 2023
Data Privacy Protection Day (Thursday 28th) – Experts Comments
LockBit often targets insiders as a way of hacking systems.…
The Financial system has a terrible number of interdependencies, and…
Notorious Russian cybergang Killnet has claimed responsibility for a cyberattack…
As Marc Andreessen said over a decade ago, "software is…
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics