Closed jin-ahn closed 1 year ago
Cool, but we give the minimum version of python-cryptography that will work properly from the ABI/API point of view and has the necessary features.
I am not in the business of policing what underlying OpenSSL was used.
Besides, binary distributions (like Fedora, RHEL, SUSE, Ubuntu, etc.) tend to patch CVEs by backporting the fixes to previous OpenSSL versions, so a version check on OpenSSL would be detrimental, reducing availability or forcing users to patch the code back to use their provider's OpenSSL version.
The latest 1.4.2 has vulnerabilities in cryptography due to the OpenSSL version utilized. Upgrading to OpenSSL 3.0.7+ should resolve it. https://nvd.nist.gov/vuln/detail/CVE-2022-3602
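As an added illustration (not code from this project or from either participant) of the gap the maintainer describes between a version number and actual patch state: this parses an OpenSSL version string such as `ssl.OPENSSL_VERSION` and reports only whether the number predates the 3.0.7 fix for CVE-2022-3602, which is all a version check can ever tell you. Assumptions: the affected range 3.0.0 through 3.0.6 comes from the upstream advisory rather than this thread, and `ssl.OPENSSL_VERSION` describes the OpenSSL linked into Python's own `ssl` module, not necessarily the one bundled inside a `cryptography` wheel.

```python
import re
import ssl
from typing import Optional, Tuple

# CVE-2022-3602 (X.509 punycode decoder overflow) affects OpenSSL 3.0.0
# through 3.0.6 and is fixed in 3.0.7; the 1.1.1 and 1.0.2 branches are
# not affected. Range taken from the upstream advisory (assumption).
CVE_2022_3602_FIRST = (3, 0, 0)
CVE_2022_3602_FIXED = (3, 0, 7)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'OpenSSL 3.0.2 15 Mar 2022' into (3, 0, 2); None if unrecognised."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_in_cve_2022_3602_range(version: Tuple[int, int, int]) -> bool:
    """True when the bare version number falls inside the affected range."""
    return CVE_2022_3602_FIRST <= version < CVE_2022_3602_FIXED


def assess(text: str) -> str:
    """Classify a version string; never claims 'vulnerable', only 'unpatched by number'."""
    version = parse_openssl_version(text)
    if version is None:
        return "unknown: not an OpenSSL version string"
    if not version_in_cve_2022_3602_range(version):
        return "not affected by version number"
    # A distribution build (e.g. a 3.0.2 with backported fixes) keeps the old
    # upstream number, so the most this check can honestly say is "possibly".
    return "possibly unpatched: version number predates 3.0.7, check vendor advisories"


def runtime_assessment() -> str:
    """Assess the OpenSSL that Python's ssl module is linked against."""
    return assess(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", runtime_assessment())
```

The result for a vendor-patched 3.0.x build is deliberately "possibly unpatched", which is exactly why the maintainer declines to gate on the OpenSSL version.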