Upgrade cryptography to version 42.0.0 or later #34299
Comments
github-actions
bot
added
customer-reported
|
Hey, thanks for the feedback! For the Generally, the responsibility is on the user to ensure that the latest or patched version of cryptography is used in their applications. And users newly installing our packages will install the latest version of Where did you see the 41.0.7 as the "currently used version"? For our CI, I see that since we pin a |
xiangyan99
added
needs-author-feedback
|
Hi @mansi1597. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue. |
|
Our CI should now be pulling in the latest cryptography after this change: #34307 I don't believe anything else should prevent users from pulling the latest |
|
Hey @pvaneck , Thanks for getting back to me. We were using an older version of pyopenssl which was causing this vulnerability. Updating it to pyopenssl 24.0.0 fixed the issue. Thanks for you help :) |
Is your feature request related to a problem? Please describe.
Upgrade cryptography to version 42.0.0 or later
Additional context
The currently used version of the cryptography package (41.0.7) has a reported vulnerability.
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
The package should be upgraded to version 42.0.0 or later to patch it
CVE-2023-50782
The text was updated successfully, but these errors were encountered: