talkiq / gcloud-aio

(Asyncio OR Threadsafe) Google Cloud Client Library for Python
https://talkiq.github.io/gcloud-aio
265 stars, 90 forks

Critical security vulnerability in package cryptography #591

Closed JensMadsen closed 1 year ago

JensMadsen commented 1 year ago

This CVE https://github.com/advisories/GHSA-x4qr-2fvf-3mr5 and https://www.openssl.org/news/secadv/20221213.txt

I looked into submitting a PR myself but you explicitly specify a range of valid cryptography versions so I am not sure what to do.

The cryptography package should be upgraded to v39.0.1
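The issue above is a version range pin that excludes the patched release. The following is an added example, not code from gcloud-aio or its maintainers: it checks whether a requirement string such as `cryptography>=2.0,<39.0` still admits the fixed 39.0.1 release, and whether the `cryptography` installed in the current environment meets it. The pin strings below are constructed for illustration, and only the plain comparison operators used in range pins are supported.

```python
"""Added example: does a dependency pin admit the patched cryptography release?"""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

FIXED_VERSION = "39.0.1"  # patched cryptography release named in the issue


def parse_version(text):
    """'39.0.1' -> (39, 0, 1); pads so '39.0' compares equal to '39.0.0'.
    Trailing pre-release tags such as '.dev1' are ignored."""
    numeric = re.match(r"\d+(\.\d+)*", text.strip()).group(0)
    parts = [int(p) for p in numeric.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def spec_allows(spec, candidate):
    """Evaluate one clause like '<39.0' against a version (assumed operator set)."""
    match = re.fullmatch(r"(>=|<=|==|!=|~=|>|<)\s*([\d.]+)", spec.strip())
    if not match:
        raise ValueError(f"unsupported specifier: {spec!r}")
    op, raw = match.group(1), match.group(2)
    bound, cand = parse_version(raw), parse_version(candidate)
    if op == "~=":  # compatible release: >= bound and same prefix minus last part
        prefix = max(len(raw.split(".")) - 1, 1)
        return cand >= bound and cand[:prefix] == bound[:prefix]
    return {">=": cand >= bound, "<=": cand <= bound, "==": cand == bound,
            "!=": cand != bound, ">": cand > bound, "<": cand < bound}[op]


def pin_admits_fix(requirement, fixed=FIXED_VERSION):
    """True if every clause of e.g. 'cryptography>=2.0,<39.0' accepts `fixed`."""
    name = re.match(r"\s*[A-Za-z0-9_.-]+", requirement)
    clauses = [c for c in requirement[name.end():].split(",") if c.strip()]
    return all(spec_allows(c, fixed) for c in clauses)


def installed_meets_fix(package="cryptography", fixed=FIXED_VERSION):
    """True/False for the installed package; None when it is not installed."""
    try:
        current = installed_version(package)
    except PackageNotFoundError:
        return None
    return parse_version(current) >= parse_version(fixed)


if __name__ == "__main__":
    # Constructed pins: the first mirrors a range that excludes the fixed release.
    for pin in ("cryptography>=2.0,<39.0", "cryptography>=2.0,<40.0"):
        print(pin, "admits", FIXED_VERSION, "->", pin_admits_fix(pin))
    print("installed cryptography meets fix:", installed_meets_fix())
```

Running it in a virtualenv that uses the library's pin shows immediately whether a `pip install --upgrade cryptography` would be undone by a later dependency resolution.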

chrisguidry commented 1 year ago

There's an open PR on it but not much movement: https://github.com/talkiq/gcloud-aio/pull/562

We've manually force-upgraded cryptography after installing our other dependencies and v39.0.1 does work fine for our workload.

TheKevJames commented 1 year ago

Fixed and releasing in gcloud-*-auth v4.1.6.

Sorry for the crazy delay, maintaining this repo with python2.7 support, given how the PyPA folks keep tearing out backwards compatibility, is becoming a giant time suck. Hopefully we can drop that support soon and get this repo into a better place!