Cryptography security vulnerabilities CVE-2023-50782, CVE-2023-5678, CVE-2023-6129, CVE-2023-6237

[nkatomeris-r7]

Snyk reports multiple security vulnerabilities for cryptography < 42:

• https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6126975 - CVE-2023-50782
• https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6050294 - CVE-2023-5678
• https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6149518 - CVE-2023-6129
• https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6157248 - CVE-2023-6237

Is it possible to extend the current requirements "cryptography>=3.2.1,<42.0.0", to fix the above?

[jyotisaini]

Thanks @nkatomeris-r7. We will work on this to update the version set with no security vulnerability.

[kapilt]

this is going to be a repeating issue, I'd suggest reconsidering how this dep is pinned #548

[kapilt]

I've added a pr with the two line change, see #624

[kapilt]

@jyotisaini any updates? requiring software with known cves is a bad look, especially given how trivial the fix is.

[jyotisaini]

Hi @kapilt This is WIP at the moment and we are running tests internally to make sure nothing is breaking post upgrade. We will release the fix in the next release.

[bhagwatvyas]

The fix was released with v2.123.0 https://github.com/oracle/oci-python-sdk/releases/tag/v2.123.0