Raise cryptography upper bound to <50.0.0 (allow 48.x/49.x); unblocks GHSA-537c security fix#880
Open
Amitheshkn wants to merge 1 commit into
Signed-off-by: Amitheshkn <amitheshkn@gmail.com>
Thank you for your pull request and welcome to our community! To contribute, please sign the Oracle Contributor Agreement (OCA).
To sign the OCA, please create an Oracle account and sign the OCA in Oracle's Contributor Agreement Application. When signing the OCA, please provide your GitHub username. After signing the OCA and getting an OCA approval from Oracle, this PR will be automatically updated. If you are an Oracle employee, please make sure that you are a member of the main Oracle GitHub organization, and your membership in this organization is public.
Raise the cryptography upper-bound constraint from <47.0.0 to <50.0.0 in setup.py and requirements.txt.
↔️ cryptography bridge is intact
cryptography 48.0.1 ships the fix for GHSA-537c-gmf6-5ccf (CVE-2026-9076 — a heap out-of-bounds read in the OpenSSL statically linked into cryptography's wheels; OpenSSL advisory 2026-06-09). The current <47.0.0 cap pins downstream applications at cryptography 46.0.7 — the highest version below the fix — so they cannot remediate this HIGH advisory while oci is a dependency. This also affects Python 3.14 free-threaded installs (see #805).
The SDK uses only stable cryptography APIs (RSA signing, key serialization, hashes/HMAC, EC/Ed25519/Ed448, ciphers). Verified in a clean virtualenv: oci==2.180.0 imports and runs on cryptography==48.0.1 and 49.0.0:
- oci.core.ComputeClient / oci.core.VirtualNetworkClient import cleanly
- oci.signer.Signer RSA request-signing path works
- oci.signer.load_private_key works
- the pyOpenSSL
pip check reports no issues beyond the (now-raised) cap itself.
Scope
- setup.py: cryptography>=3.2.1,<47.0.0 → <50.0.0
- requirements.txt: same bound on the non-3.9.0/3.9.1 line
- The py3.9.0/3.9.1 pin (cryptography==42.0.8) and pyOpenSSL<27.0.0 are unchanged.
If a smaller increment is preferred, <49.0.0 would still unblock the security fix (cryptography 48.0.1).
Refs: #805
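As an added check (example code, not part of the oci SDK or this PR), a deliberately simplified specifier evaluator that shows why the <47.0.0 cap blocks the advisory's fix version (48.0.1) while <50.0.0 and the alternative <49.0.0 admit it. It understands only plain numeric releases and the six comparison operators; anything else is rejected rather than guessed.

```python
import re
from typing import Callable

# Simplified PEP 440 handling (added example): plain numeric releases such
# as "48.0.1" only; no pre-release, post-release or local version tags.
_OPS: dict = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple:
    """Turn "48.0.1" into (48, 0, 1); short forms are zero-padded to 3 parts."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))  # so "47" compares like (47, 0, 0)


def parse_requirement(req: str) -> tuple:
    """Split "cryptography>=3.2.1,<47.0.0" into (name, [(op, version), ...])."""
    m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$", req)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, spec = m.group(1), m.group(2).strip()
    clauses = []
    for raw in filter(None, (c.strip() for c in spec.split(","))):
        cm = _CLAUSE.match(raw)
        if not cm:
            raise ValueError(f"unsupported specifier clause: {raw!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def allows(req: str, version: str) -> bool:
    """True if every clause of the requirement admits `version`."""
    _, clauses = parse_requirement(req)
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def blocks_fix(req: str, fixed_version: str) -> bool:
    """True if the pin prevents installing the first version carrying a fix."""
    return not allows(req, fixed_version)
```

Run `blocks_fix` over each requirement line against the advisory's fix version to find pins that need raising; the unchanged `cryptography==42.0.8` pin for Python 3.9.0/3.9.1 still reports as blocking.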