cryptography pin to 38.0.1 includes CVE-2023-0286 #26210

Closed
dsteeley opened this issue Apr 20, 2023 · 5 comments
Labels: Auto-Assign (Auto assign by bot), Azure CLI Team (The command of the issue is owned by Azure CLI team), customer-reported (Issues that are reported by GitHub users external to the Azure organization), feature-request, Installation

Comments

@dsteeley

Being flagged for CVE-2023-0286, which is included by the azure-cli Linux package install.

https://github.com/Azure/azure-cli/blame/dev/src/azure-cli/requirements.py3.Linux.txt#L98

Could you please investigate bumping this version to resolve the CVE?

The version was bumped but then reverted in f345be6. Is there a ticket tracking why the latest version of cryptography isn't used?

@ghost ghost added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot Installation labels Apr 20, 2023
@ghost ghost assigned jiasli Apr 20, 2023
@yonzhan
Collaborator

yonzhan commented Apr 20, 2023

Thank you for opening this issue, we will look into it.

@ghost ghost added this to the Backlog milestone Apr 20, 2023
@yonzhan yonzhan added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Apr 20, 2023
@bebound
Contributor

bebound commented Apr 21, 2023

I've explained this in #25690.
We'll bump it with the release of the Windows 64-bit version.

@MallocArray

Looks like it was bumped to 38.04, but it is still showing as vulnerable to the CVE, which was fixed in 39.0.1.

https://avd.aquasec.com/nvd/2023/cve-2023-0286/

@yonzhan yonzhan added feature-request and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels May 15, 2023
@tspearconquest
Contributor

This isn't good. There is a second CVE, CVE-2023-38325, in cryptography, and the Azure-CLI was left unfixed because the upgrade of the cryptography package was blocked waiting on the Windows 64-bit release of the Azure-CLI, which hadn't come out in over 4 months.

These fixes need higher priority for the (probably) higher percentage of users on macOS and Linux; we can't leave users running with high-severity and critical CVEs in security-sensitive environments.

With that being said, I believe this issue can be closed because the Azure-CLI release 2.51.0 now supports x86_64 and has the cryptography package upgraded to 41.0.2.
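The check the last two comments do by hand, whether a pinned cryptography version is still inside a vulnerable range, as an added Python example (not code from the azure-cli project or from any commenter). The CVE-2023-0286 fix version 39.0.1 is taken from the thread; for CVE-2023-38325 the fix version 41.0.2 is the version azure-cli 2.51.0 upgraded to, and the 41.0.0 introducing release is an assumption not stated here. The requirements text is a constructed sample, not the real requirements.py3.Linux.txt.

```python
"""Flag pinned 'cryptography' versions that fall inside a known-vulnerable range.

Added example for this thread, not azure-cli code. Version data: CVE-2023-0286
fixed in 39.0.1 (stated in the thread); CVE-2023-38325 fixed in 41.0.2 (the
version azure-cli 2.51.0 moved to), with 41.0.0 as the assumed introducing release.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    cve: str
    introduced: Optional[Version]  # None means every earlier release is affected
    fixed_in: Version              # first release that is no longer affected

    def affects(self, version: Version) -> bool:
        if self.introduced is not None and version < self.introduced:
            return False
        return version < self.fixed_in


ADVISORIES: Dict[str, List[Advisory]] = {
    "cryptography": [
        Advisory("CVE-2023-0286", introduced=None, fixed_in=(39, 0, 1)),
        # introduced=41.0.0 is an assumption, not something the thread states
        Advisory("CVE-2023-38325", introduced=(41, 0, 0), fixed_in=(41, 0, 2)),
    ],
}

# Constructed sample requirements file; not the real azure-cli pin list.
SAMPLE_REQUIREMENTS = """\
azure-common==1.1.28
cryptography==38.0.4   # the pin discussed in this thread
requests==2.28.2 ; python_version >= "3.7"
"""

# Exact pins only ('name==version'); ranges and unpinned entries are skipped.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)$")


def parse_version(text: str) -> Version:
    """Turn '38.0.4' into (38, 0, 4). Non-numeric suffixes such as 'rc1' are
    dropped and short versions are zero-padded so tuple comparison is sane."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):  # '1rc1' -> keep the numeric prefix, stop
            break
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def fmt(version: Version) -> str:
    return ".".join(str(p) for p in version)


def parse_pins(requirements: str) -> Dict[str, Version]:
    """Map normalised package name -> pinned version for every '==' line."""
    pins: Dict[str, Version] = {}
    for raw in requirements.splitlines():
        # drop trailing comments and environment markers before matching
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m is None:
            continue
        name = m.group(1).lower().replace("_", "-")
        pins[name] = parse_version(m.group(2))
    return pins


def check_requirements(requirements: str) -> List[Tuple[str, str, str, str]]:
    """Return (package, pinned, cve, fixed_in) for each pin hit by an advisory."""
    findings: List[Tuple[str, str, str, str]] = []
    pins = parse_pins(requirements)
    for package, advisories in ADVISORIES.items():
        pinned = pins.get(package)
        if pinned is None:
            continue
        for adv in advisories:
            if adv.affects(pinned):
                findings.append((package, fmt(pinned), adv.cve, fmt(adv.fixed_in)))
    return findings


if __name__ == "__main__":
    for package, pinned, cve, fixed_in in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{package}=={pinned} is affected by {cve}; first fixed in {fixed_in}")
```

The advisory table models both ends of the affected range, so a pin such as 38.0.4 is flagged for CVE-2023-0286 (below 39.0.1) but not for CVE-2023-38325, which only applies from the assumed 41.0.0 onward; a 41.0.2 pin clears both. Run it against a real requirements file by reading the file contents into `check_requirements`.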

@bebound
Contributor

bebound commented Aug 2, 2023

Closing as #26903 is merged.

@bebound bebound closed this as completed Aug 2, 2023

6 participants