<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Matteo, <br>
</p>
<p>thanks for raising this. <br>
</p>
<p>As for dependency vulnerabilities, this depends on the
packaging system you use to install QGIS. If you are using the
Windows installer, can you please open an issue at
<a class="moz-txt-link-freetext" href="https://trac.osgeo.org/osgeo4w">https://trac.osgeo.org/osgeo4w</a>. This requires an OSGeo login, which
you can obtain at
<a class="moz-txt-link-freetext" href="https://www.osgeo.org/community/getting-started-osgeo/osgeo_userid/">https://www.osgeo.org/community/getting-started-osgeo/osgeo_userid/</a>
<br>
</p>
<p>If you suspect this is related to QGIS core, or this is a
critical vulnerability, you can join the security team privately
at <a class="moz-txt-link-abbreviated" href="mailto:security@qgis.org">security@qgis.org</a>, so that we fix and deploy corrective action
before a public disclosure, which is the recommended workflow. <br>
</p>
<p>When raising a report from a scanner, we will need more details
about the exact versions spotted by the scanner, the vulnerability
id (aka CVE number) and a copy of the full report. <br>
</p>
<p>Also take a close look at the vulnerability score: if it is above 7 or
8, this becomes urgent. If it is below, you can just raise the issue with us
and maybe wait for upgrades to be delivered in the normal
workflow. <br>
</p>
<p>Finally, keep a critical approach to security. While QGIS Server
can be exposed on a web server and be very sensitive, it rarely
uses Windows packaging; QGIS Desktop is not supposed to be
exposed on the web. </p>
<p>The Python ecosystem is full of such vulnerabilities, which does not make
much sense when you are on desktop software with Python
scripting capabilities, with basically the ability to wipe or
encrypt your disk. We will take care of the packaging, but we need
to prioritize urgency for critical issues too. <br>
</p>
<p>Thanks again for your help here. We are flooded by vulnerability
reports, and we need to learn how to deal with this as a community.
Work is planned on this front to handle this, but every GIS and IT
admin will also have to learn this whole security stuff. <br>
</p>
<p>Cheers </p>
<p>Régis</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 22/01/2025 13:31, Matteo Cassio via
QGIS-User wrote:<br>
</div>
<blockquote type="cite"
cite="mid:AS2P191MB2375574C92B9F5C39252E78294E12@AS2P191MB2375.EURP191.PROD.OUTLOOK.COM">
<div class="WordSection1">
<p class="MsoNormal">Dear QGIS team,</p>
<p class="MsoNormal">I hope this email finds you well.</p>
<p class="MsoNormal">Our vulnerability scan detected a
vulnerability in the Python libraries in QGIS 3.4.0.2.</p>
<p class="MsoNormal">The report states:</p>
<p class="MsoNormal">“The version of the Pandas library
installed on the remote host has an unpatched exposure. It is,
therefore, affected by a code injection vulnerability in the
pandas.DataFrame.query function. The function is intended to
allow querying the columns of a DataFrame using a boolean
expression. A malicious attacker can construct a malicious
query to bypass input validation mechanisms and trigger a code
injection vulnerability which can lead to command execution if
the code passes untrusted input into self.eval().”</p>
<p class="MsoNormal"><br>
The library is stored in this directory: C:\Program Files\QGIS
3.40.2\apps\Python312\Lib.</p>
<p class="MsoNormal">Could you please advise as to whether this
is a false positive or a known issue?</p>
<p class="MsoNormal">Thank you.</p>
<p class="MsoNormal">Kind regards,</p>
<p class="signature365-dc9b8kja">Matteo Cassio<br>
Senior IT Systems Engineer<br>
<a href="mailto:MCassio@brydenwood.co.uk" class="moz-txt-link-freetext">MCassio@brydenwood.co.uk</a><br>
+44 (0)20 7253 4772<br>
101 Euston Road<br>
London<br>
NW1 2RA<br>
<a href="https://www.brydenwood.co.uk/">https://www.brydenwood.co.uk/</a></p>
<p class="signature365-dc9b8kja">Registered Company Address<br>
Plurenden Manor Farm,<br>
Plurenden Lane,<br>
High Halden,<br>
Kent, TN26 3JW<br>
Bryden Wood Technology Limited<br>
Registered Company No 05750083<br>
VAT Registered 876 8921 58</p>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre wrap="" class="moz-quote-pre">_______________________________________________
QGIS-User mailing list
<a class="moz-txt-link-abbreviated" href="mailto:QGIS-User@lists.osgeo.org">QGIS-User@lists.osgeo.org</a>
List info: <a class="moz-txt-link-freetext" href="https://lists.osgeo.org/mailman/listinfo/qgis-user">https://lists.osgeo.org/mailman/listinfo/qgis-user</a>
Unsubscribe: <a class="moz-txt-link-freetext" href="https://lists.osgeo.org/mailman/listinfo/qgis-user">https://lists.osgeo.org/mailman/listinfo/qgis-user</a>
</pre>
</blockquote>
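<p>Added example, not code from either message in this thread: the quoted report says pandas.DataFrame.query hands its string to an evaluator, so the defensive step on the desktop side is to never let an unvalidated string reach it. The functions is_safe_query and safe_query, and the column names used in the comments, are assumptions; the check allow-lists the syntax tree of a filter expression and rejects everything else.</p>

```python
import ast

# Node classes a plain column filter is made of: comparisons, and/or (&/|),
# not, negative numbers, list literals for `in`, plus the operator and
# context nodes that ast.walk() also yields. Every other node class
# (Call, Attribute, Subscript, Lambda, JoinedStr, ...) is rejected.
_ALLOWED_NODES = (ast.Expression, ast.Compare, ast.BoolOp, ast.BinOp,
                  ast.UnaryOp, ast.List, ast.Tuple, ast.Load,
                  ast.And, ast.Or, ast.BitAnd, ast.BitOr,
                  ast.Not, ast.USub, ast.Invert,
                  ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
                  ast.In, ast.NotIn)
_ALLOWED_LITERALS = (bool, int, float, str)


def is_safe_query(expr: str, allowed_columns) -> bool:
    """True only if `expr` parses as a filter built solely from allowed node
    classes, names from `allowed_columns` and simple literals. This is the
    check to run before a user-supplied string reaches DataFrame.query."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        return False  # also rejects pandas-only syntax such as @var or `col`
    for node in ast.walk(tree):
        if isinstance(node, ast.Name):
            if node.id not in allowed_columns:
                return False
        elif isinstance(node, ast.Constant):
            if not isinstance(node.value, _ALLOWED_LITERALS):
                return False
        elif not isinstance(node, _ALLOWED_NODES):
            return False
    return True


def safe_query(df, expr: str):
    """Apply DataFrame.query only after the allow-list check, with the frame's
    own column names as the allowed names; anything else raises ValueError."""
    if not is_safe_query(expr, {str(c) for c in df.columns}):
        raise ValueError("rejected filter expression: %r" % expr)
    return df.query(expr)
```

pandas' own parser accepts syntax that Python's ast does not (backtick-quoted column names, @local references), and the check rejects those conservatively. It is a gate in front of the call, not a substitute for installing the patched pandas package.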
</body>
</html>