cryptography<41.0.3 includes vulnerable OpenSSL version #19

mnbf9rca · 2023-09-16T22:30:00Z

see Vulnerable OpenSSL included in cryptography wheels and pyca/cryptography's wheels include vulnerable OpenSSL

python-dotenv-vault depends on cryptography<41.0.0,>=3.1.0 which prevents package managers resolving a higher version e.g.:

(venv) @mnbf9rca ➜ /workspace (chore/update_deps) $ poetry add cryptography@>=41.0.3

Because python-dotenv-vault (0.6.3) depends on cryptography (>=3.1.0,<41.0.0)
 and no versions of python-dotenv-vault match >0.6.3,<0.7.0, python-dotenv-vault (>=0.6.3,<0.7.0) requires cryptography (>=3.1.0,<41.0.0).
So, because mqtt-to-eventhub depends on both python-dotenv-vault (^0.6.3) and cryptography (^41.0.3), version solving failed.

The text was updated successfully, but these errors were encountered:

dotenv-org/python-dotenv-vault#19

mnbf9rca · 2023-11-10T10:09:04Z

additional High severity CVE-2023-38325 which would require cryptography>41.0.2 to resolve

mnbf9rca added a commit to mnbf9rca/mqtt-to-eventhub that referenced this issue Sep 16, 2023

bump package vers (#49)

8090831

dotenv-org/python-dotenv-vault#19

mnbf9rca mentioned this issue Nov 6, 2023

bump cryptography above 41.0.3 #20

Merged

nsnguyen closed this as completed in #20 Nov 13, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cryptography<41.0.3 includes vulnerable OpenSSL version #19

cryptography<41.0.3 includes vulnerable OpenSSL version #19

mnbf9rca commented Sep 16, 2023

mnbf9rca commented Nov 10, 2023

cryptography<41.0.3 includes vulnerable OpenSSL version #19

cryptography<41.0.3 includes vulnerable OpenSSL version #19

Comments

mnbf9rca commented Sep 16, 2023

mnbf9rca commented Nov 10, 2023