Closed whitej6 closed 1 year ago
We're aware of the issue and investigating what to do with it. Cryptography v40+ contains breaking changes for the use of it in the library, specifically in the connector at https://github.com/aristanetworks/cloudvision-python/blob/trunk/cloudvision/Connector/auth/cert.py#L24, where the list of hashing algorithms is restricted, removing the one in use. We'll need to discuss with the team that leverages this functionality specifically such that we can upgrade seamlessly cc @toransahu @gingerbus
I think that issue may also impact python >=3.10; similar issues when attempting to use napalm on py3.10 on EOS.
Hmmm, wasn't aware of that. Good to know, thanks for the heads up
Just an update here: we've merged the required changes to bump the bundled cryptography library. I'll be making a new release with the updated requirements shortly.
Per commit 5552d31, the upgrade to the cryptography library has been completed. Please upgrade to the latest release to pull in the updated requirements. Thanks again for opening the issue!
Below is a copy of the Dependabot alert on a library I maintain; this is marked as low severity.
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8-41.0.2 are vulnerable to several security issues. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20230731.txt, https://www.openssl.org/news/secadv/20230719.txt, and https://www.openssl.org/news/secadv/20230714.txt.
If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
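The practical consequence of the alert quoted above is that the OpenSSL linked into a cryptography wheel is a separate copy from the one the interpreter's `ssl` module uses, so patching the system libssl does nothing for the wheel. The following triage script is an added example for this thread, not code from cloudvision-python, pyca/cryptography or the commenter. It assumes the affected wheel range exactly as the alert states it (0.8 through 41.0.2), reads the bundled OpenSSL string through cryptography's `backend.openssl_version_text()`, and uses one heuristic that is an assumption of this example: if the cryptography build reports the same OpenSSL string as the interpreter, it treats the package as an sdist build against the system library, which the alert says must be remediated by upgrading OpenSSL rather than the Python package.

```python
"""Triage a cryptography Dependabot alert for bundled-OpenSSL wheels.

Added example for this issue thread; not part of cloudvision-python or pyca/cryptography.
"""
import re
import ssl
from typing import Dict, Optional, Tuple

# Affected wheel range as quoted in the alert: cryptography 0.8 through 41.0.2 inclusive.
AFFECTED_RANGE = ((0, 8, 0), (41, 0, 2))


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR[.PATCH]' into a comparable tuple; pre-release tags are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def wheel_is_affected(cryptography_version: str) -> bool:
    """True when a PyPI wheel of this cryptography version ships a vulnerable bundled OpenSSL."""
    low, high = AFFECTED_RANGE
    return low <= parse_version(cryptography_version) <= high


def openssl_inventory() -> Dict[str, Optional[str]]:
    """Report the interpreter's OpenSSL next to the copy linked into cryptography.

    The two are independent libraries: patching the system libssl changes only the
    first value, so a vulnerable wheel stays vulnerable until cryptography is upgraded.
    """
    inventory: Dict[str, Optional[str]] = {
        "interpreter_openssl": ssl.OPENSSL_VERSION,
        "cryptography_version": None,
        "cryptography_openssl": None,
    }
    try:
        import cryptography
        from cryptography.hazmat.backends.openssl.backend import backend
    except ImportError:
        return inventory  # cryptography is not installed in this environment
    inventory["cryptography_version"] = cryptography.__version__
    version_text = getattr(backend, "openssl_version_text", None)
    if callable(version_text):
        inventory["cryptography_openssl"] = version_text()
    return inventory


def triage(inventory: Dict[str, Optional[str]]) -> str:
    """Classify an inventory the way a reviewer would act on the alert."""
    version = inventory["cryptography_version"]
    if version is None:
        return "not-installed"
    if not wheel_is_affected(version):
        return "fixed"
    # Heuristic (assumption of this example): identical OpenSSL strings on both sides
    # suggest an sdist build against the system library, where the alert's remediation
    # is to upgrade that OpenSSL rather than the Python package.
    if inventory["cryptography_openssl"] == inventory["interpreter_openssl"]:
        return "sdist-check-system-openssl"
    return "upgrade-cryptography"


if __name__ == "__main__":
    inv = openssl_inventory()
    for key, value in inv.items():
        print(f"{key}: {value}")
    print("verdict:", triage(inv))
```

Run it inside the virtualenv that actually imports cryptography; a verdict of `upgrade-cryptography` means the fix is a package bump in your requirements, exactly as the maintainer's commit above did, and no amount of `apt upgrade openssl` on the host will clear the alert.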