pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL bundled in cryptography 0.8.1 through 39.0.0 are vulnerable to a security issue. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and https://www.openssl.org/news/secadv/20230207.txt.
If you are building cryptography from source (the "sdist"), then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | openssl-src | lt | 300.0.12 |
| | openssl-src | lt | 111.25.0 |
| | cryptography | ge | 0.8.1 |
| | cryptography | lt | 39.0.1 |
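A small Python check for the remediation split described above, added here as an example; it is not code from the advisory or from the pyca/cryptography project. It takes the affected range from the table (0.8.1 <= version < 39.0.1), asks the caller whether the package came from the sdist or a PyPI wheel (the script cannot tell this by itself), and assumes that `cryptography.hazmat.backends.openssl.backend.backend.openssl_version_text()` is available to report which OpenSSL the installed package is linked against.

```python
"""Decide whether an installed pyca/cryptography falls inside the range this
advisory lists (0.8.1 <= version < 39.0.1) and which remediation applies:
upgrade the wheel, or rebuild the sdist against a patched OpenSSL.

Added example; not code from the advisory or the cryptography project.
"""
import re

# Range taken from the advisory table above.
AFFECTED_MIN = (0, 8, 1)    # inclusive (cryptography ge 0.8.1)
FIXED_VERSION = (39, 0, 1)  # first unaffected release (cryptography lt 39.0.1)


def parse_version(text):
    """Turn '39.0.0' (or '39.0.0.dev1', '3.4rc1') into a tuple of ints.

    Only the leading digits of each dotted component are used, so pre-release
    suffixes do not break the comparison against the advisory range.
    """
    parts = []
    for component in text.strip().split("."):
        match = re.match(r"\d+", component)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    # Pad to three components so (39, 0) compares like (39, 0, 0).
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version_text):
    """True when the cryptography version is inside the advisory's range."""
    return AFFECTED_MIN <= parse_version(version_text) < FIXED_VERSION


def remediation(version_text, built_from_source):
    """Which action the advisory prescribes for this installation.

    built_from_source: True when the package was built from the sdist (and so
    links whatever OpenSSL the build host provided), False for a PyPI wheel
    that carries the statically linked OpenSSL.
    """
    if not is_affected(version_text):
        return "not affected"
    if built_from_source:
        return "upgrade the OpenSSL used to build cryptography"
    return "upgrade cryptography to 39.0.1 or later"


def installed_report():
    """Report on the cryptography in the current interpreter, or None.

    Assumption: backend.openssl_version_text() exists (it does in 39.x).
    """
    try:
        import cryptography
        from cryptography.hazmat.backends.openssl.backend import backend
        openssl_text = backend.openssl_version_text()
    except (ImportError, AttributeError):
        return None
    return {
        "cryptography": cryptography.__version__,
        "openssl": openssl_text,
        "affected": is_affected(cryptography.__version__),
    }


if __name__ == "__main__":
    report = installed_report()
    if report is None:
        print("cryptography is not installed in this interpreter")
    else:
        print(report)
        # Change built_from_source to True if you installed from the sdist.
        print(remediation(report["cryptography"], built_from_source=False))
```

Run the script inside the interpreter whose cryptography you want to check; the `openssl` field is the version string of the OpenSSL actually linked, which for a wheel is the bundled copy that only a cryptography upgrade can replace.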
access.redhat.com/security/cve/cve-2023-0286
ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt
ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig
git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9
git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658
git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d
github.com/advisories/GHSA-x4qr-2fvf-3mr5
github.com/pyca/cryptography/security/advisories/GHSA-x4qr-2fvf-3mr5
nvd.nist.gov/vuln/detail/CVE-2023-0286
rustsec.org/advisories/RUSTSEC-2023-0006.html
security.gentoo.org/glsa/202402-08
www.openssl.org/news/secadv/20230207.txt