Update cryptography requirements.txt

[skjensen]

Targeting https://nvd.nist.gov/vuln/detail/CVE-2023-5678 with the updated version of cryptography.

Changes

Please describe both what is changing and why this is important. Include:

• Endpoints added, deleted, deprecated, or changed
• Classes and methods added, deleted, deprecated, or changed
• Screenshots of new or changed UI, if applicable
• A summary of usage if this is a new feature or change to a public API (this should also be added to relevant documentation once released)
• Any alternative designs or approaches considered

References

Please include relevant links supporting this change such as a:

• support ticket
• community post
• StackOverflow post
• support forum thread

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

• [ ] This change adds unit test coverage
• [ ] This change adds integration test coverage
• [ ] This change has been tested on the latest version of the platform/language or why not

Checklist

• [ ] I have read the Auth0 general contribution guidelines
• [ ] I have read the Auth0 Code of Conduct
• [ ] All existing and new tests complete without errors

[AVerrico-Eyeonic]

It would be great if this could be resolved, as it is currently preventing many people from easily updating cryptography to resolve this vulnerability.

[zeisss]

Any update on this? I would really like to get our security vulnerability alerts fixed.

cc @ewanharris

[wmyre]

This is now popping up on security alerts for CVE-2024-26130. It would be nice for cryptography to be updated to use 42.0.4 please. https://nvd.nist.gov/vuln/detail/CVE-2024-26130

[wmyre]

@skjensen this should be a priority if possible please! I would expect an influx of requests to come in regarding this vulnerability. Anyway someone on your team can approve this and get a pre-release setup for us to use?

[ptsavdar]

This is quite important for us as well. Thanks for prioritising it and pushing this forward.

[tylergraff]

I am running into issues with this package and the cryptography package as well. Unless I am mistaken, auth0-python==4.7.1 specifies a dependency tree that cannot be met:

auth0-python==4.7.1 requires cryptography==42.0.4 (the "correct"/"fixed" version) here: https://github.com/auth0/auth0-python/blob/6b1199fc74a8d2fc6655ffeef09ae961dc0b8c37/requirements.txt#L14 and, auth0-python==4.7.1 also requires pyopenssl==23.2.0 here: https://github.com/auth0/auth0-python/blob/6b1199fc74a8d2fc6655ffeef09ae961dc0b8c37/requirements.txt#L27 however, pyopenssl==23.2.0 requires cryptography>=38.0.0,<42,!=40.0.0,!=40.0.1 here: https://github.com/pyca/pyopenssl/blob/d024506289d16b1325c3c7ddfd12c2d83301815b/setup.py#L102

I think a solution would be to update auth0-python to require pyopenssl==24.0.0 which will accept auth0-python's required version of cryptography as seen here: https://github.com/pyca/pyopenssl/blob/7f3e4f94701a5e19ec66e3601119dd6d62043cec/setup.py#L96