Reputation: 1
How to update pycryptodomex?
I have 3 AWS EC2 instances running Ubuntu 22.04.4 LTS, and AWS Inspector is complaining that I have an issue with CVE-2023-52323 - pycryptodomex. I have nothing to upgrade:
ubuntu@ip-XX-XX-XX-XX:~$ apt list --upgradeable Listing... Done
I tried to install it using the command in the documentation:
ubuntu@ip-XX-XX-XX-XX:~$ pip3 install pycryptodomex Defaulting to user installation because normal site packages is not writeable Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (3.11.0) ubuntu@ip-XX-XX-XX-XX:~$
But as you can see, it does not update, and I cannot update as root also:
ubuntu@ip-XX-XX-XX-XX:~$ sudo pip3 install pycryptodomex Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (3.11.0) WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv ubuntu@ip-XX-XX-XX-XX:~$
So, how am I supposed to update this package?
Upvotes: 0
Views: 117
Answers (1)
Reputation: 149135
Short answer: you cannot and are not supposed to do it.
This is a well know issue with distribs, and specially with LTS ones. The major products are regularly updated in the distrib, and you do not have to worry for them, the distrib does care for that. But less used libraries like pycrytodromex may stay several versions behind. The reason is that maintaining a package in a distrib requires to care for any of its dependances and any other product in the distrib depending on it. At each and every upgrade, all those dependencies must be controlled, and an update can be blocked by one of them. Or the maintainer may no longer have enough time for that, because most of the time, they are volunteers maintaining the package on their free time.
Said differently if you are using the Python installation of the distrib, the site library is expected to be managed through the distrib.
You could of course ignore the rule and use pip install --upgrade as root to force the update, but doing so could break a number of dependencies that the distrib guarantees.
The blessed way would be to create a virtual environment (a Python venv) where you would install the updated version, and have all your applications needing the library use that venv. Optionaly you could even remove the vulnerable package through the distrib to make sure that an attacker cannot use it. But that could involve installing the concerned application by hand and no longer through the distrib.
Longer answer made short: there is no simple way. There will be a balance between what the distrib can do for you (and you really should use that for every product that is up to date enough, including its dependencies), and the complexity of installing some products by hand, with full control on the updates and dependencies. Because that freedom comes at a cost: you are now in charge of controlling the published vulnerabilities and upgrading each installation by hand.
Upvotes: 0
Related Questions
- How to find the index for a given item in a list?
- How do I make a flat list out of a list of lists?
- How to use a global variable in a function?
- How slicing in Python works
- How do I check whether a file exists without exceptions?
- How do I merge two dictionaries in a single expression in Python?
- How to access the index value in a 'for' loop?
- How do I execute a program or call a system command?
- How to catch multiple exceptions in one line? (in the "except" block)
- How do I create a directory, and any missing parent directories?