Anaconda and Security Compliance?

Hi, I understand the distributed nature of Anaconda, but recently outstanding security holes (mysql, openssl) in Anaconda are being flagged in Tenable and Crowdstrike. This has caught the attention of the Security group at my university. While we’d like to continue using Anaconda, there are rumblings that it may be banned due to noncompliance. Will Anaconda ever be in a position to ensure these holes be plugged in a timely manner?

Note that these holes have been flagged in security scanners for months…and we’re required to remediate within 30 days.

If not, will we ever be able to remove modules (like mysql and openssl) and not have other packages get downgraded (thus exposing more security holes)?

Hi @sul! Thank you for reaching out. :hugs:

To help we would need a bit more info.
Could you please run the conda list command and share the output here?

The list is too large to fit here…536 lines.

I see.
I am trying to find out what version of Anaconda Distribution/Installer you are using and the versions/build of the packages in question. Can you grab some screenshots maybe?

I’ve attached the file here. Hope this goes through.

(Attachment condalist.txt is missing)

mysql 5.7.24 h721c034_2 defaults

openssl 3.0.15 h5eee18b_0 defaults

This is after doing a conda update conda, and conda update all.

Unfortunately, the file didn’t go through. But I shared the info about the package versions with the team and will get back to you!