
Bump cryptography to 42.0.2 and PyOpenSSL to 24.0.0 #3340

Merged
merged 1 commit into from Feb 8, 2024

Conversation

ecerulm
Contributor

@ecerulm ecerulm commented Feb 6, 2024

cryptography 41.0.6 has a moderate security vulnerability

https://github.com/urllib3/urllib3/security/dependabot/12

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

@dependabot identified this in #3339 but failed to update PyOpenSSL accordingly, hence this PR.

Closes #3339

@ecerulm ecerulm added the Skip Changelog Pull requests that don't require a changelog entry label Feb 6, 2024
@ecerulm
Contributor Author

ecerulm commented Feb 6, 2024

The vulnerability seems to affect only servers so in principle I guess that it does not really matter for urllib3.

Also I wonder if we should just use

cryptography>=42.0.0

instead of pinning a specific version like we do now.

PyOpenSSL 24.0.0 currently allows cryptography>=41.0.5,<43, so we need to force cryptography>=42.0.0 if we want to avoid pip resolving to cryptography==41.0.5
https://github.com/pyca/pyopenssl/blob/482b95ec4bbd5d9dbd37194517ffd8ab9acdeff7/setup.py#L96C13-L96C40
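The point in the comment above is that a dependency's own range and the project's own floor combine: if PyOpenSSL 24.0.0 accepts cryptography>=41.0.5,<43, then nothing in that range alone rules out the affected 41.0.x releases, and the project has to add its own lower bound. The following is an added example (not urllib3's or pyOpenSSL's code) that evaluates such constraint sets against a list of candidate versions. It implements only a small subset of PEP 440 (dotted numeric versions and the six comparison operators) so it runs without the `packaging` library; the specifier strings are the ones quoted in this thread, and the release list is a constructed sample, not fetched from PyPI.

```python
"""Check which releases a set of version specifiers admits.

Added example, not code from urllib3 or pyOpenSSL. Supports dotted numeric
versions (e.g. 42.0.2) and the operators ==, !=, <, <=, >, >= only; anything
else (pre-releases, ~=, wildcards) is rejected rather than guessed at.
"""
import re

# Range reported in the thread for pyOpenSSL 24.0.0's cryptography dependency.
PYOPENSSL_CRYPTOGRAPHY_SPEC = ">=41.0.5,<43"
# The floor proposed in the thread for urllib3's own requirement.
URLLIB3_FLOOR = ">=42.0.0"
# Constructed sample of candidate releases (not a live PyPI listing).
RELEASES = ["41.0.5", "41.0.6", "41.0.7", "42.0.0", "42.0.1", "42.0.2", "43.0.0"]

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}


def parse_version(text):
    """'42.0.2' -> (42, 0, 2); shorter forms are zero-padded so '43' == '43.0.0'."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version syntax: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_specifier(spec):
    """'>=41.0.5,<43' -> [('>=', (41, 0, 5)), ('<', (43, 0, 0))]."""
    clauses = []
    for clause in (c.strip() for c in spec.split(",")):
        if not clause:
            continue
        m = re.fullmatch(r"(==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def satisfies(version, spec):
    """True if `version` meets every clause of `spec` (an empty spec admits all)."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_specifier(spec))


def admitted(candidates, *specs):
    """Candidates that satisfy every specifier in `specs`, in input order."""
    return [c for c in candidates if all(satisfies(c, s) for s in specs)]


def lowest_admitted(candidates, *specs):
    """Lowest admitted version, or None if the specifiers admit nothing.

    Useful as a CI guard: if this is below the security floor the project
    intends, the constraint set itself is not enforcing the floor.
    """
    allowed = admitted(candidates, *specs)
    return min(allowed, key=parse_version) if allowed else None


if __name__ == "__main__":
    only_pyopenssl = admitted(RELEASES, PYOPENSSL_CRYPTOGRAPHY_SPEC)
    with_floor = admitted(RELEASES, PYOPENSSL_CRYPTOGRAPHY_SPEC, URLLIB3_FLOOR)
    print("pyOpenSSL range alone admits:", only_pyopenssl)
    print("with urllib3 floor added:     ", with_floor)
    print("lowest without floor:", lowest_admitted(RELEASES, PYOPENSSL_CRYPTOGRAPHY_SPEC))
    print("lowest with floor:   ", lowest_admitted(RELEASES, PYOPENSSL_CRYPTOGRAPHY_SPEC, URLLIB3_FLOOR))
```

Running it shows that the pyOpenSSL range by itself still admits 41.0.5 and 41.0.6, while adding the >=42.0.0 floor removes them and still leaves the 42.x releases (43.0.0 is excluded in both cases by the upper bound). The same `lowest_admitted` check can be run in CI against a real release list to catch a pin set that silently drops below a floor after a dependency bump.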

Member

@pquentin pquentin left a comment


Thanks! LGTM. Pinning avoids surprises and means there's one less thing to worry about when we see a test failing. The downside is indeed that we need to work to upgrade pins. We unfortunately can't use pip-compile because it only supports one Python version at a time.

@pquentin pquentin merged commit 12f9233 into urllib3:main Feb 8, 2024
34 of 37 checks passed
@ecerulm ecerulm deleted the update_cryptography branch February 8, 2024 14:45