
Update cryptography requirements.txt #597

Merged: 1 commit merged into auth0:master, Feb 26, 2024

Conversation

@skjensen skjensen (Contributor) commented Feb 5, 2024

Targeting https://nvd.nist.gov/vuln/detail/CVE-2023-5678 with the updated version of cryptography.

Changes

Please describe both what is changing and why this is important. Include:

  • Endpoints added, deleted, deprecated, or changed
  • Classes and methods added, deleted, deprecated, or changed
  • Screenshots of new or changed UI, if applicable
  • A summary of usage if this is a new feature or change to a public API (this should also be added to relevant documentation once released)
  • Any alternative designs or approaches considered

References

Please include relevant links supporting this change such as a:

  • support ticket
  • community post
  • StackOverflow post
  • support forum thread

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

  • This change adds unit test coverage
  • This change adds integration test coverage
  • This change has been tested on the latest version of the platform/language or why not

Checklist

Targeting https://nvd.nist.gov/vuln/detail/CVE-2023-5678 with the updated version of cryptography.

Signed-off-by: Soren Jensen <jensen.sk@gmail.com>
@AVerrico-Eyeonic

It would be great if this could be resolved, as it is currently preventing many people from easily updating cryptography to resolve this vulnerability.

@zeisss zeisss commented Feb 22, 2024

Any update on this? I would really like to get our security vulnerability alerts fixed.

cc @ewanharris

@wmyre wmyre commented Feb 22, 2024

This is now popping up on security alerts for CVE-2024-26130. It would be nice for cryptography to be updated to use 42.0.4 please. https://nvd.nist.gov/vuln/detail/CVE-2024-26130

@wmyre wmyre commented Feb 22, 2024

@skjensen this should be a priority if possible please! I would expect an influx of requests to come in regarding this vulnerability. Is there any way someone on your team can approve this and get a pre-release set up for us to use?

@ptsavdar

This is quite important for us as well. Thanks for prioritising it and pushing this forward.

@adamjmcgrath adamjmcgrath merged commit 155d8a5 into auth0:master Feb 26, 2024
15 checks passed
@adamjmcgrath adamjmcgrath mentioned this pull request Feb 26, 2024
adamjmcgrath added a commit that referenced this pull request Feb 26, 2024:

**Security**
- Update cryptography requirements.txt [#597](#597) ([skjensen](https://github.com/skjensen))
@tylergraff

I am running into issues with this package and the cryptography package as well. Unless I am mistaken, auth0-python==4.7.1 specifies a dependency tree that cannot be met:

auth0-python==4.7.1 requires cryptography==42.0.4 (the "correct"/"fixed" version) here:

cryptography==42.0.4 ; python_version >= "3.7" and python_version < "4.0"

and,
auth0-python==4.7.1 also requires pyopenssl==23.2.0 here:
pyopenssl==23.2.0 ; python_version >= "3.7" and python_version < "4.0"

however,
pyopenssl==23.2.0 requires cryptography>=38.0.0,<42,!=40.0.0,!=40.0.1 here: https://github.com/pyca/pyopenssl/blob/d024506289d16b1325c3c7ddfd12c2d83301815b/setup.py#L102

I think a solution would be to update auth0-python to require pyopenssl==24.0.0 which will accept auth0-python's required version of cryptography as seen here: https://github.com/pyca/pyopenssl/blob/7f3e4f94701a5e19ec66e3601119dd6d62043cec/setup.py#L96
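The conflict tylergraff worked out by hand above is exactly the kind of thing worth checking mechanically before shipping a security version bump: a `requirements.txt` pin can satisfy the vulnerability alert while contradicting what another pinned package declares it needs. The script below is an added example, not code from auth0-python or pyopenssl. It takes the two pins quoted in the comment (constructed input reproducing those lines, environment markers included), the `cryptography` constraint quoted for pyopenssl 23.2.0, and reports every pin that violates a declared constraint. The pyopenssl 24.0.0 constraint is only linked in the thread, not quoted, so it is deliberately not reproduced here. The names `REQUIREMENTS_TXT`, `DECLARED_REQUIRES`, `satisfies` and `find_conflicts` are this example's own; the version parser is a deliberately minimal subset of PEP 440 (numeric dotted versions and the six comparison operators), which is all these pins need.

```python
"""Check whether version pins in a requirements.txt satisfy the constraints
that the pinned packages themselves declare.

Constructed for this thread; not part of auth0-python or pyopenssl.
Supports only numeric dotted versions and the ==, !=, >=, <=, >, <
operators (no PEP 440 pre-release, local-version or wildcard handling).
"""

import re

# Constructed input: the two pins quoted from auth0-python 4.7.1's
# requirements.txt, environment markers included.
REQUIREMENTS_TXT = """\
cryptography==42.0.4 ; python_version >= "3.7" and python_version < "4.0"
pyopenssl==23.2.0 ; python_version >= "3.7" and python_version < "4.0"
"""

# Constructed metadata: what each pinned (name, version) requires of other
# packages. Only the pyopenssl 23.2.0 constraint quoted in the thread is here.
DECLARED_REQUIRES = {
    ("pyopenssl", "23.2.0"): ["cryptography>=38.0.0,<42,!=40.0.0,!=40.0.1"],
}

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_CLAUSE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """'42.0.4' -> (42, 0, 4). Shorter versions are zero-padded on compare,
    so '<42' behaves as '<42.0.0' for the final releases handled here."""
    return tuple(int(p) for p in text.strip().split("."))


def _padded(v, width):
    return v + (0,) * (width - len(v))


def satisfies(version, specifier):
    """True if `version` meets every comma-separated clause in `specifier`,
    e.g. satisfies('41.0.7', '>=38.0.0,<42,!=40.0.0')."""
    ver = parse_version(version)
    for raw in specifier.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _CLAUSE.match(raw)
        if not m:
            raise ValueError(f"unsupported clause: {raw!r}")
        op, target = m.group(1), parse_version(m.group(2))
        width = max(len(ver), len(target))
        if not _OPS[op](_padded(ver, width), _padded(target, width)):
            return False
    return True


def parse_pins(requirements_txt):
    """Extract {name: version} from 'name==version ; marker' lines.
    Comments and environment markers are dropped; only '==' pins are kept."""
    pins = {}
    for line in requirements_txt.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def split_requirement(req):
    """'cryptography>=38.0.0,<42' -> ('cryptography', '>=38.0.0,<42')."""
    m = re.match(r"^\s*([A-Za-z0-9_.\-]+)\s*(.*)$", req)
    return m.group(1).lower(), m.group(2).strip()


def find_conflicts(requirements_txt, declared_requires):
    """Return (requiring_pkg, dependency, pinned_version, specifier) for every
    pin that violates a constraint declared by another pinned package."""
    pins = parse_pins(requirements_txt)
    conflicts = []
    for (pkg, version), reqs in declared_requires.items():
        if pins.get(pkg) != version:
            continue  # metadata is for a version that is not pinned
        for req in reqs:
            dep, spec = split_requirement(req)
            if dep in pins and not satisfies(pins[dep], spec):
                conflicts.append((pkg, dep, pins[dep], spec))
    return conflicts


if __name__ == "__main__":
    for pkg, dep, pinned, spec in find_conflicts(REQUIREMENTS_TXT, DECLARED_REQUIRES):
        print(f"{pkg} requires {dep}{spec}, but requirements.txt pins {dep}=={pinned}")
```

Run as-is it reports the single conflict from the comment: pyopenssl 23.2.0 requires `cryptography>=38.0.0,<42,!=40.0.0,!=40.0.1`, but the file pins `cryptography==42.0.4`. A real resolver (`pip install -r requirements.txt` in a clean environment) surfaces the same problem; the point of a small standalone check like this is that it can run in CI on the pin file alone, so a vulnerability-driven bump that breaks a sibling pin is caught at review time rather than by users on install.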
