Hi, I understand the distributed nature of Anaconda, but recently outstanding security holes (mysql, openssl) in Anaconda are being flagged in Tenable and CrowdStrike. This has caught the attention of the Security group at my university. While we'd like to continue using Anaconda, there are rumblings that it may be banned due to noncompliance. Will Anaconda ever be in a position to ensure these holes are plugged in a timely manner?
Note that these holes have been flagged in security scanners for months... and we're required to remediate within 30 days.
If not, will we ever be able to remove modules (like mysql and openssl) and not have other packages get downgraded (thus exposing more security holes)?
I see.
I am trying to find out what version of Anaconda Distribution/Installer you are using and the versions/build of the packages in question. Can you grab some screenshots maybe?
Hello, following this thread. It appears there has been no progress to correct this. At our higher ED institution, we are now beginning to implement the removal of Anaconda instances across all OS platforms. We’ve been battling the MySQL vulnerabilities for well over a year now.
This much older version always installs. Removal downgrades Anaconda and/or other packages. Updating reinstalls MySQL.
And the vulnerabilities exist in every user’s home directory and every environment they create. Changing the default channels to something like conda-forge is a temporary fix. Eventually when a new user comes along, we’re back to square one.
It seems like Anaconda is the only flavor our large population knows, but we’re having to enforce removal of Anaconda in lieu of something that keeps packages constantly updated and not flagged by the Security Office.
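An added example (not from this thread or from Anaconda) of the kind of audit a security office can run to find the packages described above across every environment: it feeds the JSON that `conda list --json` prints through a watch-list of package names and floor versions. The floor versions, the sample package list and the `env_prefixes` helper are constructed placeholders; substitute the versions your scanner actually reports.

```python
"""Flag watch-listed packages in conda environments (added example)."""
import json
import re

# Constructed sample of `conda list --json` output, trimmed to the fields used.
SAMPLE_CONDA_LIST = json.dumps([
    {"name": "mysql", "version": "5.7.24", "build_string": "h721c034_2", "channel": "pkgs/main"},
    {"name": "openssl", "version": "1.1.1w", "build_string": "h7f8727e_0", "channel": "pkgs/main"},
    {"name": "numpy", "version": "1.26.4", "build_string": "py311h64a7726_0", "channel": "conda-forge"},
])

# Constructed sample of `conda env list --json` output (one base env, one user env).
SAMPLE_ENV_LIST = json.dumps({"envs": ["/opt/anaconda3", "/home/alice/.conda/envs/proj"]})

# Placeholder floors: anything below these versions is flagged. Replace with your scanner's values.
WATCHLIST = {"mysql": "8.0.0", "openssl": "3.0.0"}


def version_key(version):
    """Turn '1.1.1w' into (1, 1, 1) so releases compare numerically; letter suffixes are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def env_prefixes(env_list_json):
    """Return every environment prefix listed by `conda env list --json`."""
    return list(json.loads(env_list_json)["envs"])


def find_flagged(conda_list_json, watchlist=WATCHLIST):
    """Return (name, version, channel) for each watch-listed package below its floor version."""
    flagged = []
    for pkg in json.loads(conda_list_json):
        floor = watchlist.get(pkg["name"])
        if floor and version_key(pkg["version"]) < version_key(floor):
            flagged.append((pkg["name"], pkg["version"], pkg.get("channel", "")))
    return flagged


if __name__ == "__main__":
    # In practice: for each prefix, run `conda list -p <prefix> --json` and pass its output in.
    for prefix in env_prefixes(SAMPLE_ENV_LIST):
        for name, version, channel in find_flagged(SAMPLE_CONDA_LIST):
            print(f"{prefix}: FLAGGED {name} {version} (channel {channel})")
```

Run it against the real `conda list -p <prefix> --json` output of each prefix that `conda env list --json` reports, including per-user home directories, to get the inventory the security office needs before deciding on removal or channel changes.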