[Solved] Yubikey manager: not displayed as insecure with an embedded insecure python and lower version recommended
See picture below:
@gregalexandre OK, then I mark this issue as solved.
@olli_s : you can close as lower version of Yubikey is no more recommended.
@gregalexandre Tell me, if this can be closed. Thank you!
Yubikey manager may not be affected by the vulnerability of Python. But it may allow wrong usage of the version of Python they install.
Yes, the problem is the same with java, where you can have multiple unsafe versions of java installed and not updated by multiple products.
During an attack, the attacker may choose to use the vulnerable (embedded) product to run malicious actions (eg; the one that allow it to increase it rights).
I do not look at the python vulnerability. It may be acceptable. But this not coherent with defense-in-depth.
I understand your point of view even if I cannot agree.
@gregalexandre I don't know how Python is utilized by Yubikey Manager, so it is hard to assess if it is affected by the vulnerability in Python.
Unless Yubikey (or some independent researcher) makes any statements that indicate Yubikey Manager to be affected, then we will not flag it as being affected.
For some "libraries" it is dead obvious whether the "parent" product is affected (or not) by a vulnerability, but in a case like this, it is dependent upon their specific implementation of Python (and I have no knowledge about how they use it). The same goes for many applications that utilize Java.
Given the latest vuln that was fixed in Python, I wouldn't worry much though.