Cryptography security vulnerabilities CVE-2023-50782, CVE-2023-5678, CVE-2023-6129, CVE-2023-6237

Question

Cryptography security vulnerabilities CVE-2023-50782, CVE-2023-5678, CVE-2023-6129, CVE-2023-6237

nkatomeris-r7 opened this issue 5 months ago · 6 comments

nkatomeris-r7 commented 5 months ago

Snyk reports multiple security vulnerabilities for cryptography < 42:

Is it possible to extend the current requirements "cryptography>=3.2.1,<42.0.0", to fix the above?

Answer 1 · 2024-02-05T17:19:59.000Z

Thanks @nkatomeris-r7. We will work on this to update the version set with no security vulnerability.

Answer 2 · 2024-02-06T23:23:23.000Z

this is going to be a repeating issue, I'd suggest reconsidering how this dep is pinned #548

Answer 3 · 2024-02-20T14:33:23.000Z

I've added a pr with the two line change, see #624

Answer 4 · 2024-02-21T20:28:09.000Z

@jyotisaini any updates? requiring software with known cves is a bad look, especially given how trivial the fix is.

Answer 5 · 2024-02-21T20:34:48.000Z

Hi @kapilt This is WIP at the moment and we are running tests internally to make sure nothing is breaking post upgrade. We will release the fix in the next release.

Answer 6 · 2024-02-28T20:17:10.000Z

The fix was released with v2.123.0 https://github.com/oracle/oci-python-sdk/releases/tag/v2.123.0