<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Lucida Bright";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
mso-ligatures:standardcontextual;
mso-fareast-language:EN-US;}
p.signature365-dc9b8kja, li.signature365-dc9b8kja, div.signature365-dc9b8kja
{mso-style-name:signature365-dc9b8kja;
mso-style-priority:99;
margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;
color:black;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
p.signature365-3q9pg9mb, li.signature365-3q9pg9mb, div.signature365-3q9pg9mb
{mso-style-name:signature365-3q9pg9mb;
mso-style-priority:99;
margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;
color:black;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="#467886" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi Regis,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thank you for your email.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please find attached the html report for the vulnerability. Within you can find all the details.<o:p></o:p></p>
<p class="MsoNormal">I am aware that the vulnerability scanner is likely to pick up false positives, this is why I would like to check with you whether this is the case or if the application is actually vulnerable.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thank you for your help.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Kind regards,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:0cm 0cm 0cm 0cm">
<div id="signature-365-signature">
<div>
<p class="signature365-3q9pg9mb"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><br>
</span><a href="https://www.brydenwood.co.uk/"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:blue;text-decoration:none"><img border="0" width="37" height="37" style="width:.3854in;height:.3854in" id="_x0000_i1071" src="cid:image001.png@01DB6D76.FE445060"></span></a><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><br>
</span><span style="font-size:8.0pt;font-family:"Calibri",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><br>
</span><span style="font-family:"Lucida Bright",serif;color:white;background:black">Matteo Cassio</span><span style="font-size:11.0pt;font-family:"Lucida Bright",serif;color:white;background:black"><br>
</span><span style="font-size:9.0pt;font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><br>
</span><span style="font-size:9.0pt;font-family:"Arial",sans-serif">Senior IT Systems Engineer<br>
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><br>
</span><span style="font-size:9.0pt;font-family:"Arial",sans-serif">MCassio@brydenwood.co.uk<br>
+44 (0)20 7253 4772<br>
101 Euston Road<br>
London<br>
NW1 2RA<br>
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="signature365-3q9pg9mb" style="margin-bottom:12.0pt"><a href="https://www.brydenwood.co.uk/"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:blue;text-decoration:none"><img border="0" width="159" height="26" style="width:1.6562in;height:.2708in" id="_x0000_i1070" src="cid:image002.png@01DB6D76.FE445060"></span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="signature365-3q9pg9mb" style="margin-bottom:12.0pt"><a href="https://www.brydenwood.co.uk/"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none"><img border="0" width="250" height="83" style="width:2.6041in;height:.8645in" id="_x0000_i1069" src="cid:image003.jpg@01DB6D76.FE445060"></span></a><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><br>
<br>
</span><a href="https://www.linkedin.com/company/brydenwoodtechnology/"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="_x0000_i1068" src="cid:image004.png@01DB6D76.FE445060"></span></a><a href="https://twitter.com/BrydenWood"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="_x0000_i1067" src="cid:image005.png@01DB6D76.FE445060"></span></a><a href="https://www.youtube.com/c/BrydenWoodTech"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="_x0000_i1066" src="cid:image006.png@01DB6D76.FE445060"></span></a><a href="https://www.instagram.com/brydenwoodtech/"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="_x0000_i1065" src="cid:image007.png@01DB6D76.FE445060"></span></a><a href="https://www.facebook.com/brydenwoodtech/"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="_x0000_i1064" src="cid:image008.png@01DB6D76.FE445060"></span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<div class="signature365-3q9pg9mb" align="center" style="text-align:center"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">
<hr size="6" width="100%" noshade="" style="color:black" align="center">
</span></div>
<p class="signature365-3q9pg9mb"><span style="font-size:8.0pt;font-family:"Arial",sans-serif">Registered Company Address<br>
Plurenden Manor Farm,<br>
Plurenden Lane,<br>
High Halden,<br>
Kent, TN26 3JW<br>
<br>
Bryden Wood<br>
Technology Limited<br>
Registered Company<br>
No 05750083<br>
VAT Registered 876 8921 58<o:p></o:p></span></p>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm;font-size:pt">
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB">From:</span></b><span style="font-size:12.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none;mso-fareast-language:EN-GB">
QGIS-User <qgis-user-bounces@lists.osgeo.org> <b>On Behalf Of </b>Régis Haubourg via QGIS-User<br>
<b>Sent:</b> 22 January 2025 15:12<br>
<b>To:</b> qgis-user@lists.osgeo.org<br>
<b>Subject:</b> Re: [Qgis-user] QGIS 3.40.2 - suspected vulnerability in Python libraries<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi Matteo, <o:p></o:p></p>
<p>thanks for raising this. <o:p></o:p></p>
<p>As for dependencies vulnerabilities, this depends on the packaging system you use to install QGIS. If you are using the windows installer, can you please open an issue at
<a href="https://trac.osgeo.org/osgeo4w">
https://trac.osgeo.org/osgeo4w</a>. This requires an osgeo login, that you can obtain at
<a href="https://www.osgeo.org/community/getting-started-osgeo/osgeo_userid/">
https://www.osgeo.org/community/getting-started-osgeo/osgeo_userid/</a> <o:p></o:p></p>
<p>If you suspect this is related to QGIS core, or this is a critical vulnerability, you can join the security team privately at
<a href="mailto:security@qgis.org">security@qgis.org</a>, so that we fix and deploy corrective action before a public disclosure, which is the recommended workflow.
<o:p></o:p></p>
<p>When raising a report from scanner, we will need more details about the exact versions spotted by the scanner, the vulnerability id (aka CVE number) and a copy of the full report.
<o:p></o:p></p>
<p>Take also a close look at the vulnerability score, if above 7 or 8, this becomes urgent. If below, you can just raise us the issue and maybe wait for upgrades to be delivered in the normal workflow.
<o:p></o:p></p>
<p>Finally, keep a critical approach on security. While QGIS server can be exposed on a web server and be very sensitive, but is rarely using windows packaging, QGIS desktop is not supposed to be exposed on the web. <o:p></o:p></p>
<p>Python ecosystem is full of such vulnerabilities does not make much sense when you are on a desktop software with python scripting capabilities, with basically the ability to wipe or encrypt your disk. We will take care of the packaging, but we need to prioritize
urgency too critical issues. <o:p></o:p></p>
<p>Thanks again for your help here. We are flooded by vulnerability report, and we need to learn how to deal with this as a community. Work is planned on this front to handle this, but every GIS and IT admin will also have to learn this whole security stuff.
<o:p></o:p></p>
<p>Cheers <o:p></o:p></p>
<p>Régis<o:p></o:p></p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 22/01/2025 13:31, Matteo Cassio via QGIS-User wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Dear QGIS team,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I hope this email finds you well.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Our vulnerability scan detected a vulnerability in the Python libraries in QGIS
<a href="http://3.4.0.2">
3.4.0.2</a>.<o:p></o:p></p>
<p class="MsoNormal">The report states:<o:p></o:p></p>
<p class="MsoNormal">“The version of the Pandas library installed on the remote host has an unpatched exposure. It is, therefore, affected by a code injection vulnerability in the pandas.DataFrame.query function. The function is intended to allow querying the
columns of a DataFrame using a boolean expression. A malicious attacker can constructs a malicious query to bypass input validation mechanisms and trigger a code injection vulnerability which can lead to command execution if the code passes untrusted input
into self.eval().”<o:p></o:p></p>
<p class="MsoNormal"><br>
The library is stored in this directory: <a href="file:///C:/Program">C:\Program</a> Files\QGIS 3.40.2\apps\Python312\Lib.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Could you please advice as to whether this is a false positive or a known issue?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thank you.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Kind regards,<o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:0cm 0cm 0cm 0cm">
<div id="signature-365-signature">
<div>
<p class="signature365-dc9b8kja"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><br>
</span><a href="https://www.brydenwood.co.uk/"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:blue;text-decoration:none"><img border="0" width="37" height="37" style="width:.3854in;height:.3854in" id="Picture_x0020_8" src="cid:image001.png@01DB6D76.FE445060"></span></a><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><br>
</span><span style="font-size:8.0pt;font-family:"Calibri",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><br>
</span><span style="font-family:"Lucida Bright",serif;color:white;background:black">Matteo Cassio</span><span style="font-size:11.0pt;font-family:"Lucida Bright",serif;color:white;background:black"><br>
</span><span style="font-size:9.0pt;font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><br>
</span><span style="font-size:9.0pt;font-family:"Arial",sans-serif">Senior IT Systems Engineer<br>
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><br>
</span><a href="mailto:MCassio@brydenwood.co.uk"><span style="font-size:9.0pt;font-family:"Arial",sans-serif">MCassio@brydenwood.co.uk</span></a><span style="font-size:9.0pt;font-family:"Arial",sans-serif"><br>
+44 (0)20 7253 4772<br>
101 Euston Road<br>
London<br>
NW1 2RA<br>
</span><o:p></o:p></p>
<p class="signature365-dc9b8kja" style="margin-bottom:12.0pt"><a href="https://www.brydenwood.co.uk/"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:blue;text-decoration:none"><img border="0" width="159" height="26" style="width:1.6562in;height:.2708in" id="Picture_x0020_7" src="cid:image002.png@01DB6D76.FE445060"></span></a><o:p></o:p></p>
<p class="signature365-dc9b8kja" style="margin-bottom:12.0pt"><a href="https://www.brydenwood.co.uk/"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none"><img border="0" width="250" height="83" style="width:2.6041in;height:.8645in" id="Picture_x0020_6" src="cid:image003.jpg@01DB6D76.FE445060"></span></a><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><br>
<br>
</span><a href="https://www.linkedin.com/company/brydenwoodtechnology/"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="Picture_x0020_5" src="cid:image004.png@01DB6D76.FE445060"></span></a><a href="https://twitter.com/BrydenWood"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="Picture_x0020_4" src="cid:image005.png@01DB6D76.FE445060"></span></a><a href="https://www.youtube.com/c/BrydenWoodTech"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="Picture_x0020_3" src="cid:image006.png@01DB6D76.FE445060"></span></a><a href="https://www.instagram.com/brydenwoodtech/"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="Picture_x0020_2" src="cid:image007.png@01DB6D76.FE445060"></span></a><a href="https://www.facebook.com/brydenwoodtech/"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="Picture_x0020_1" src="cid:image008.png@01DB6D76.FE445060"></span></a><o:p></o:p></p>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-family:"Calibri",sans-serif;color:black;mso-ligatures:none;mso-fareast-language:EN-GB">
<hr size="6" width="100%" noshade="" style="color:black" align="center">
</span></div>
<p class="signature365-dc9b8kja"><span style="font-size:8.0pt;font-family:"Arial",sans-serif">Registered Company Address<br>
Plurenden Manor Farm,<br>
Plurenden Lane,<br>
High Halden,<br>
Kent, TN26 3JW<br>
<br>
Bryden Wood<br>
Technology Limited<br>
Registered Company<br>
No 05750083<br>
VAT Registered 876 8921 58</span><o:p></o:p></p>
</div>
</div>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;mso-ligatures:none;mso-fareast-language:EN-GB"><br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>QGIS-User mailing list<o:p></o:p></pre>
<pre><a href="mailto:QGIS-User@lists.osgeo.org">QGIS-User@lists.osgeo.org</a><o:p></o:p></pre>
<pre>List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-user">https://lists.osgeo.org/mailman/listinfo/qgis-user</a><o:p></o:p></pre>
<pre>Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-user">https://lists.osgeo.org/mailman/listinfo/qgis-user</a><o:p></o:p></pre>
</blockquote>
</div>
</body>
</html>