Cryptography security vulnerabilities CVE-2023-50782, CVE-2023-5678, CVE-2023-6129, CVE-2023-6237
nkatomeris-r7 opened this issue · 6 comments
Snyk reports multiple security vulnerabilities for cryptography < 42:
- https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6126975 - CVE-2023-50782
- https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6050294 - CVE-2023-5678
- https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6149518 - CVE-2023-6129
- https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6157248 - CVE-2023-6237
Is it possible to extend the current requirement "cryptography>=3.2.1,<42.0.0" to fix the above?
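The pin quoted above keeps resolving to affected releases until its upper bound moves past the fixed version. As an added example (not code from this issue or from the oci-python-sdk project), a small audit helper that reports which releases a pin still admits below the version carrying the fix; the specifier parser is a minimal stand-in for `packaging.specifiers`, the release list is constructed, and the corrected pin shown is an assumption, not the exact pin used in the fix release.

```python
"""Report which releases a pip-style pin still admits below a security fix.
Assumption: plain numeric versions (e.g. 41.0.7), no pre-release or local
segments; the clause parser is a minimal stand-in for packaging.specifiers."""
import re

_OPS = {
    ">=": lambda v, b: v >= b,
    "<=": lambda v, b: v <= b,
    "==": lambda v, b: v == b,
    "!=": lambda v, b: v != b,
    ">": lambda v, b: v > b,
    "<": lambda v, b: v < b,
}
# Two-character operators are listed first so ">=" is not read as ">".
_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")
_REQ = re.compile(r"^([A-Za-z0-9_.-]+)\s*(.*)$")


def parse_version(text):
    """'41.0.7' -> (41, 0, 7); tuples compare segment by segment."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirement(req):
    """'cryptography>=3.2.1,<42.0.0' -> ('cryptography', [(op, bound), ...])."""
    name, spec = _REQ.match(req.strip()).groups()
    clauses = []
    for raw in filter(None, (c.strip() for c in spec.split(","))):
        match = _CLAUSE.match(raw)
        if not match:
            raise ValueError(f"unsupported specifier clause: {raw!r}")
        clauses.append((match.group(1), match.group(2)))
    return name, clauses


def allows(clauses, version):
    """True when every clause of the pin accepts this version."""
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(bound)) for op, bound in clauses)


def vulnerable_versions_allowed(req, fixed_in, candidates):
    """Releases the pin admits that are older than the release with the fix."""
    _, clauses = parse_requirement(req)
    fix = parse_version(fixed_in)
    return [c for c in candidates if parse_version(c) < fix and allows(clauses, c)]


# Constructed sample of releases, not an exhaustive PyPI listing.
RELEASES = ["3.2.1", "41.0.7", "42.0.0", "42.0.5"]
OLD_PIN = "cryptography>=3.2.1,<42.0.0"  # pin quoted in the issue above
NEW_PIN = "cryptography>=42.0.0"  # assumption: one pin that excludes the affected range

if __name__ == "__main__":
    for pin in (OLD_PIN, NEW_PIN):
        print(pin, "->", vulnerable_versions_allowed(pin, "42.0.0", RELEASES))
```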
Thanks @nkatomeris-r7. We will work on this to update the version set with no security vulnerability.
This is going to be a repeating issue; I'd suggest reconsidering how this dep is pinned. #548
@jyotisaini any updates? Requiring software with known CVEs is a bad look, especially given how trivial the fix is.
Hi @kapilt This is WIP at the moment and we are running tests internally to make sure nothing is breaking post upgrade. We will release the fix in the next release.
The fix was released with v2.123.0 https://github.com/oracle/oci-python-sdk/releases/tag/v2.123.0