Closed skjensen closed 4 months ago
It would be great if this could be resolved, as it is currently preventing many people from easily updating cryptography to resolve this vulnerability.
Any update on this? I would really like to get our security vulnerability alerts fixed.
cc @ewanharris
This is now popping up on security alerts for CVE-2024-26130. It would be nice for cryptography to be updated to use 42.0.4 please. https://nvd.nist.gov/vuln/detail/CVE-2024-26130
@skjensen this should be a priority if possible please! I would expect an influx of requests to come in regarding this vulnerability. Any way someone on your team can approve this and get a pre-release set up for us to use?
This is quite important for us as well. Thanks for prioritising it and pushing this forward.
I am running into issues with this package and the cryptography package as well. Unless I am mistaken, auth0-python==4.7.1 specifies a dependency tree that cannot be met:
auth0-python==4.7.1 requires cryptography==42.0.4 (the "correct"/"fixed" version) here: https://github.com/auth0/auth0-python/blob/6b1199fc74a8d2fc6655ffeef09ae961dc0b8c37/requirements.txt#L14
and, auth0-python==4.7.1 also requires pyopenssl==23.2.0 here: https://github.com/auth0/auth0-python/blob/6b1199fc74a8d2fc6655ffeef09ae961dc0b8c37/requirements.txt#L27
however, pyopenssl==23.2.0 requires cryptography>=38.0.0,<42,!=40.0.0,!=40.0.1 here: https://github.com/pyca/pyopenssl/blob/d024506289d16b1325c3c7ddfd12c2d83301815b/setup.py#L102
I think a solution would be to update auth0-python to require pyopenssl==24.0.0, which will accept auth0-python's required version of cryptography, as seen here: https://github.com/pyca/pyopenssl/blob/7f3e4f94701a5e19ec66e3601119dd6d62043cec/setup.py#L96
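The conflict described in the comment above can be checked mechanically. This is an added example, not code from the thread or from the auth0-python project: it evaluates the pinned cryptography version against the constraint pyopenssl 23.2.0 places on cryptography (quoted in the thread). The constraint listed for pyopenssl 24.0.0 is an assumption not quoted in the thread, and version parsing is simplified to numeric dotted releases.

```python
from typing import Dict, List, Tuple

# Constructed from the thread: the two pins in auth0-python 4.7.1's requirements.txt
# and the constraint each pyopenssl release places on cryptography.
AUTH0_PYTHON_PINS = {"cryptography": "42.0.4", "pyopenssl": "23.2.0"}
PYOPENSSL_REQUIRES = {
    "23.2.0": ">=38.0.0,<42,!=40.0.0,!=40.0.1",  # quoted in the thread
    "24.0.0": ">=41.0.5,<43",                     # assumed; not quoted in the thread
}
OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b, ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric dotted releases only (42.0.4, 42); pre-releases are out of scope."""
    return tuple(int(part) for part in text.strip().split("."))


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause of `spec`."""
    have = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        op = next(o for o in (">=", "<=", "==", "!=", ">", "<") if clause.startswith(o))
        want = parse_version(clause[len(op):])
        width = max(len(have), len(want))  # PEP 440 treats 42 and 42.0 as equal
        a = have + (0,) * (width - len(have))
        b = want + (0,) * (width - len(want))
        if not OPS[op](a, b):
            return False
    return True


def check_pins(pins: Dict[str, str]) -> List[str]:
    """Return human-readable conflicts between the pins; empty if resolvable."""
    spec = PYOPENSSL_REQUIRES[pins["pyopenssl"]]
    crypto = pins["cryptography"]
    if satisfies(crypto, spec):
        return []
    return [f"pyopenssl=={pins['pyopenssl']} requires cryptography{spec}; "
            f"pinned cryptography=={crypto} is rejected"]


if __name__ == "__main__":
    print(check_pins(AUTH0_PYTHON_PINS) or "ok")
    print(check_pins({"cryptography": "42.0.4", "pyopenssl": "24.0.0"}) or "ok")
```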
Targeting https://nvd.nist.gov/vuln/detail/CVE-2023-5678 with the updated version of cryptography.