oracle/oci-python-sdk

Security vulnerability - CVE-2023-38325

bnaganathan opened this issue · 3 comments

OCI is pulling cryptography (version 40.0.2) as one of its dependencies.

bash-4.2# pip3 show oci
Name: oci
Version: 2.110.1
Summary: Oracle Cloud Infrastructure Python SDK
Home-page: https://docs.oracle.com/en-us/iaas/tools/python/latest/index.html
Author: Oracle
Author-email: joe.levy@oracle.com
License: Universal Permissive License 1.0 or Apache License 2.0
Location: /usr/local/lib/python3.6/site-packages
Requires: certifi, circuitbreaker, cryptography, pyOpenSSL, python-dateutil, pytz
Required-by: vaultpythonsdk
bash-4.2# pip3 show cryptography
Name: cryptography
Version: 40.0.2
Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Home-page: https://github.com/pyca/cryptography
Author: The Python Cryptographic Authority and individual contributors
Author-email: cryptography-dev@python.org
License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0
Location: /usr/local/lib64/python3.6/site-packages
Requires: cffi
Required-by: oci, pyOpenSSL

cryptography 40.0.2 has this security vulnerability:
GHSA-cf7p-gm2m-833m
https://nvd.nist.gov/vuln/detail/CVE-2023-38325

Can we please get this fixed by fixing the cryptography version to >= 41.0.0?

Hi @bnaganathan, thanks for reporting it; we will take a look as soon as we can. Thanks.

Hi @bnaganathan, oci allows cryptography>=41.0.0, please see https://github.com/oracle/oci-python-sdk/blob/master/setup.py#L35 ("cryptography>=3.2.1,<42.0.0"). You can choose a version of cryptography within this range.
If you installed oci as a dependency of another library, does that library have its own restrictions on cryptography versions?

It is not an issue with OCI. We are using an old version of Python (3.6). We are going to upgrade Python to fix this vulnerability.
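A way to verify the point made in the maintainer's comment, added here as an example that is not part of the issue or of the oci-python-sdk: it parses a `pip show` record and a setup.py-style specifier, then reports whether the installed cryptography sits inside the SDK's allowed range (`cryptography>=3.2.1,<42.0.0`) and whether it has reached the version the reporter asked for (`>=41.0.0`). The small specifier parser is this example's own assumption (release-only versions, no pre-releases or environment markers), not the `packaging` library.

```python
import re

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

def parse_version(text):
    """'40.0.2' -> (40, 0, 2); trailing zeros dropped so 41.0 == 41.0.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_specifier(spec):
    """'cryptography>=3.2.1,<42.0.0' -> [('>=', (3, 2, 1)), ('<', (42,))]."""
    body = re.sub(r"^\s*[A-Za-z0-9][A-Za-z0-9_.\-]*", "", spec)  # drop package name
    clauses = []
    for clause in body.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([0-9.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses

def satisfies(version, spec):
    """True when every clause of spec holds for version."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_specifier(spec))

def parse_pip_show(output):
    """Turn 'pip show' text into a dict of its 'Field: value' lines."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit(pip_show_output, sdk_spec, fixed_spec):
    """Is the installed version inside the SDK's range, and at/above the fixed one?"""
    info = parse_pip_show(pip_show_output)
    version = info["Version"]
    return {"name": info["Name"], "installed": version,
            "allowed_by_sdk": satisfies(version, sdk_spec),
            "patched": satisfies(version, fixed_spec)}

# Constructed sample in the shape of the 'pip3 show cryptography' output from the issue.
PIP_SHOW_CRYPTOGRAPHY = "Name: cryptography\nVersion: 40.0.2\nRequires: cffi\nRequired-by: oci, pyOpenSSL\n"
```

For the environment in the issue, `audit(PIP_SHOW_CRYPTOGRAPHY, "cryptography>=3.2.1,<42.0.0", ">=41.0.0")` reports `allowed_by_sdk` true and `patched` false, which is exactly the situation the thread describes: the SDK's range is not what holds the version back.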