The cryptography dependency is limited to cryptography >= 40.0.0, < 42 in your setup.py. I suggest allowing major version 42.
Motivation
The latest version of cryptography (42.0.4) fixes a CVE:
* Fixed a null-pointer-dereference and segfault that could occur when creating a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the issue. **CVE-2024-26130**
Since this library limits its version of cryptography, no one who depends on this library can use the updated version.
Version 42 Changes
The cryptography changelog only lists two ‘backwards incompatible changes’ in version 42. I don’t see any direct usage of the two mentioned functions using GitHub code search, but I’m not familiar with all the ways cryptography might be used in this library.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.7.
* **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` or :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` will now raise a ``ValueError`` rather than return an empty list.
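As an added example (not code from this project or from cryptography), this is one way a caller can keep the pre-42 "empty list" semantics for the no-content case without swallowing every ``ValueError`` the loader might raise for malformed input: a minimal DER check decides whether the ContentInfo carries a ``[0]`` content field before the loader is called. The ``pkcs7_has_content`` / ``load_der_pkcs7_certificates_compat`` names and the DER samples are constructed for this illustration.

```python
"""Distinguish a PKCS#7 ContentInfo with no content field from a malformed blob.

RFC 5652 ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER,
                                     content [0] EXPLICIT ANY OPTIONAL }
cryptography < 42 returned [] when `content` was absent; >= 42 raises ValueError.
"""


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at `pos`; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def pkcs7_has_content(der: bytes) -> bool:
    """True if the ContentInfo has a [0] content field, False if it is absent.

    Raises ValueError for input that is not a ContentInfo at all, so callers
    can tell 'legitimately empty' from 'garbage' instead of catching everything.
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    tag, _, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("ContentInfo must start with a contentType OID")
    if pos >= len(body):
        return False  # no content field at all (the case that changed in 42)
    tag, _, _ = _read_tlv(body, pos)
    return tag == 0xA0  # [0] EXPLICIT


def load_der_pkcs7_certificates_compat(der: bytes) -> list:
    """Return [] for a content-less PKCS7 on any cryptography version."""
    if not pkcs7_has_content(der):
        return []
    # Imported lazily so the DER check above works without cryptography installed.
    from cryptography.hazmat.primitives.serialization import pkcs7
    return pkcs7.load_der_pkcs7_certificates(der)


# Constructed samples: signedData OID 1.2.840.113549.1.7.2 with and without [0] content.
EMPTY_SIGNED_DATA = bytes.fromhex("300b06092a864886f70d010702")
WITH_CONTENT = bytes.fromhex("300f06092a864886f70d010702a0023000")
```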