apitools uses the archived dependency https://github.com/googleapis/oauth2client
oauth2client vendors pycrypto 2.6, which is an unmaintained project and contains CVE-2018-6594 (note, 2.6 was published on May 24, 2012). oauth2client will not receive upstream security fixes.
Is apitools transitively affected by CVE-2018-6594? Could apitools deprecate use of oauth2client?
apitools uses the archived dependency https://github.com/googleapis/oauth2client
oauth2client vendors pycrypto 2.6, which is an unmaintained project and contains CVE-2018-6594 (note, 2.6 was published on May 24, 2012). oauth2client will not receive upstream security fixes.
Is apitools transitively affected by CVE-2018-6594? Could apitools deprecate use of oauth2client?