pyOpenSSL requirement pins us to an unnecessarily-old cryptography module #293
NOTE: this is a related, but not the same, issue as raised in #212, which was resolved by loosening pulpcore's restrictions. It could also be addressed by going to cryptography directly, as described in #143. However, there is validation done in PyOpenSSL that isn't yet ready for primetime even in crypto-42.0. For the moment, this change gets us to newer code with a little effort.
ggainey added a commit to ggainey/pulp-certguard that referenced this issue Oct 11, 2023
ggainey added a commit that referenced this issue Oct 16, 2023
Currently we require PyOpenSSL<23.0 in requirements.txt. This version requires cryptography>=38.0.0,<39, which means we are missing a CVE that cryptography addresses in 39.0.1.

pulpcore now has widened its crypto-requirement to cryptography>=38.0.1,<41.0.5. This means we can widen our PyOpenSSL requirement to <24.0, which allows the installation to choose cryptography 41.0 and satisfy core and pulp-certguard.