Skip to content

Bug: genie.libs.sdk pins vulnerable pyasn1==0.6.0 #292

Description

@pc3o

Summary

genie.libs.sdk directly pins pyasn1==0.6.0, which is affected by published denial-of-service CVEs.

The issue still appears present in the current genie.libs.sdk release: the middle SNMP dependency has been updated, but the direct pyasn1==0.6.0 pin remains.

Dependency path

application requirements
└── pyats[full]
    └── genie
        └── genie.libs.sdk
            └── pyasn1==0.6.0

Notes

This does not appear to be caused by pysnmp pinning pyasn1==0.6.0.

Observed package metadata:

genie.libs.sdk==26.3:
  pysnmp<6.2,>=6.1.4
  pyasn1==0.6.0

genie.libs.sdk==26.6:
  pysnmp==7.1.22
  pyasn1==0.6.0

pysnmp==6.1.4:
  pyasn1!=0.5.0,>=0.4.8

pysnmp==7.1.22:
  pyasn1!=0.5.0,>=0.4.8

Security issue

pyasn1==0.6.0 is below the patched versions for known DoS vulnerabilities in ASN.1 decoding.

CVE-2026-23490: fixed in pyasn1 0.6.2
CVE-2026-30922: fixed in pyasn1 0.6.3
CVE-2026-59885: fixed in pyasn1 0.6.4

Minimum safe target:

pyasn1>=0.6.4

Recommended fix

Update genie.libs.sdk package metadata to remove the exact pyasn1==0.6.0 pin and allow a patched version, preferably:

pyasn1>=0.6.4

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions