Vulnerable shared libraries might make opencv-python vulnerable. Can you help upgrade to patch versions?

[andy201709]

Hi, @skvark , @native-api , I'd like to report a vulnerability issue in opencv-python_4.5.4.60.

Dependency Graph between Python and Shared Libraries

Issue Description

As shown in the above dependency graph(here shows part of the dependency graph, which depends on vulnerable shared libraries), opencv-python_4.5.4.60 directly or transitively depends on 38 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
libcrypto-018b8c17.so.1.1 and libssl-6082116c.so.1.1from C project openssl(version:1.1.1f) exposed 5 vulnerabilities:
CVE-2021-3711,CVE-2021-3712,CVE-2020-7043, CVE-2020-7042,CVE-2020-7041

Suggested Vulnerability Patch Versions

openssl has fixed the vulnerabilities in versions >=1.1.1l

Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular python package (opencv-python has 5,082,007 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,
Andy

[native-api]

I believe this has already been fixed in 0a17e6c

[asmorkalov]

Duplicate for:

• Please update the ffmpeg and gnutls versions used by libopencv #625
• opencv-python depends on vulnerable libpng15 #622
• There is a vulnerability in the library that Opencv-python depends on. #614
  The dependencies has been updated in OpenCV-Python 4.5.5.64 and 3.4.17.63 releases. Please update packages on your side.