https://pypi.org/project/kerberos/ contains known vulns and is abandoned #187

Open
dlangille opened this issue Apr 10, 2024 · 1 comment

@dlangille
Hello,

From what I've seen https://pypi.org/project/kerberos/ contains known vulns[1] and is abandoned[2].

Given that situation, is there something else we can use for the requirements of requests-kerberos?

[1] https://osv.dev/vulnerability/PYSEC-2017-49
[2] "This repository has been archived by the owner on Feb 24, 2024. It is now read-only." https://github.com/apple/ccs-pykerberos

@jborean93 (Contributor)

There are a few things to address here:

  • This library never called checkPassword, so that CVE doesn't apply here.
  • 5dfe4b0 changed the dep, so it's no longer using kerberos/pykerberos.
  • requests-gssapi was originally designed as a replacement to this library, with a new dependency as well.
