feat: bump pyopenssl 24.3.x

Open miettal opened this issue 8 months ago • 1 comments

Description

This PR upgrades the pyopenssl dependency to address a security alert.

The feature or problem addressed by this PR

This PR is for addressing security alert GHSA-79v4-65xg-pq4g.

https://github.com/advisories/GHSA-79v4-65xg-pq4g

What your changes do and why you chose this solution

The current constraint is <24.3.0 (up to 24.2.x). The new constraint is <24.4.0 (up to 24.3.x).

Checklist

  • [x] Checked that no other issues or pull requests exist for the same issue/change
  • [-] Added tests covering the new functionality
  • [-] Updated documentation OR the change is too minor to be documented
  • [ ] Updated CHANGELOG.md OR changes are insignificant

// I guess this constraint is for the pyopenssl->cryptography migration. https://github.com/IdentityPython/pysaml2/pull/977 https://github.com/IdentityPython/pysaml2/commit/735bfa5327f42080ef60e9fd31d8d31029d98e21

miettal, Mar 13 '25 01:03

First off, thank you for the great work in building and maintaining this project! I was wondering if it might be possible to get this merged and released?

gagantrivedi, Apr 30 '25 09:04

Note that #977 aims to remove pyopenssl altogether and conflicts with this PR.

prauscher, Jul 23 '25 13:07

Hi, in OpenStack we also have to bump pyopenssl (https://review.opendev.org/c/openstack/requirements/+/958191/2/upper-constraints.txt); thanks for working on this (or removing the dependency on pyopenssl).

katonalala, Sep 10 '25 09:09

With 735bfa5 pyOpenSSL was restricted to <24.3.0. This happened because v24.3.0 removed code that is used by this package. See the relevant changelog here: https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst#2430-2024-11-27

This prevents us from updating pyOpenSSL atm. With #977 there is ongoing work to replace pyOpenSSL with pyca/cryptography entirely.

Given this issue, I cannot proceed to merge this.

c00kiemon5ter, Oct 04 '25 14:10