
Change cryptography package version

Open jnihal opened this issue 3 years ago • 6 comments

In cryptography package version 3.2 when certain sequences of update() calls with large values (multiple GBs) for symmetric encryption or decryption occur, it's possible for an integer overflow to happen, leading to the mishandling of buffers. This is patched in version 3.3.2 and newer.

This commit changes the package version from 3.2 to 3.3.2.

Here are some reminders before you submit the pull request

  • [ ] Add tests for the change
  • [ ] Document changes
  • [ ] Communicate in the mailing list if needed
  • [ ] Pass make installcheck
  • [ ] Review a PR in return to support the community

jnihal avatar Sep 09 '22 12:09 jnihal
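As an added example (not code from gpdb or from this PR), a small check that scans pip requirements lines for a `cryptography` pin that does not rule out releases older than 3.3.2, the fix version named in the description; the requirement lines and the `MIN_FIXED` constant are constructed for this illustration:

```python
import re

# Constructed for this example: earliest cryptography release with the fix
# for the update() integer overflow described in the PR.
MIN_FIXED = (3, 3, 2)

# name, optional [extras], optional operator, optional version: "cryptography==3.2"
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|<|>|!=)?\s*([0-9][0-9A-Za-z.]*)?"
)


def parse_version(text):
    """'3.3.2' -> (3, 3, 2); pad to three numeric parts, stop at a non-numeric part."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts + [0] * (3 - len(parts)))


def check_requirements(lines, package="cryptography", minimum=MIN_FIXED):
    """Return (line_no, reason) for each requirement of `package` that still
    permits releases older than `minimum`. Comments and pip options are skipped."""
    findings = []
    pretty = ".".join(map(str, minimum))
    for n, raw in enumerate(lines, 1):
        spec = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not spec or spec.startswith("-"):         # blank line or pip option
            continue
        m = _REQ_RE.match(spec)
        if not m or m.group(1).lower().replace("_", "-") != package:
            continue
        op, ver = m.group(2), m.group(3)
        v = parse_version(ver) if ver else None
        if op is None or v is None:
            findings.append((n, "no version constraint; vulnerable releases are allowed"))
        elif op == "==" and v < minimum:
            findings.append((n, f"=={ver} pins a release older than {pretty}"))
        elif op in (">=", "~=") and v < minimum:
            findings.append((n, f"{op}{ver} admits releases older than {pretty}"))
        elif (op == "<" and v <= minimum) or (op == "<=" and v < minimum):
            findings.append((n, f"{op}{ver} excludes the fixed release {pretty}"))
    return findings


# Constructed dev-requirements content, before and after the bump in this PR.
BEFORE = ["behave==1.2.6", "cryptography==3.2", "requests>=2.25"]
AFTER = ["behave==1.2.6", "cryptography==3.3.2", "requests>=2.25"]

if __name__ == "__main__":
    for label, reqs in (("before", BEFORE), ("after", AFTER)):
        print(label, check_requirements(reqs))
```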

@jnihal Please sign the Contributor License Agreement!


See the FAQ for frequently asked questions.

pivotal-cla avatar Sep 09 '22 12:09 pivotal-cla

@jnihal Thank you for signing the Contributor License Agreement!

pivotal-cla avatar Sep 09 '22 12:09 pivotal-cla

Curious to know what exact purpose this package or dependency is used?

ashwinstar avatar Sep 09 '22 13:09 ashwinstar

> Curious to know what exact purpose this package or dependency is used?

@ashwinstar We do not use this package directly in our code, but it seems like it is a dependent package for openssl.

jnihal avatar Sep 12 '22 07:09 jnihal

> Curious to know what exact purpose this package or dependency is used?
>
> @ashwinstar We do not use this package directly in our code, but it seems like it is a dependent package for openssl.

So, how are we making sure there is no impact from upgrading the package? Plus, it's listed in dev requirements, which then seems to mean it is not shipped but only used internally for some testing?

ashwinstar avatar Sep 12 '22 15:09 ashwinstar

> So, how are we making sure there is no impact from upgrading the package?

@ashwinstar I ran the pipeline for this branch, and there were no issues caused by this change.

> Plus, it's listed in dev requirements, which then seems to mean it is not shipped but only used internally for some testing?

Yes, it is not shipped; it is used to install packages before running the behave test cases on the pipeline.

jnihal avatar Sep 13 '22 14:09 jnihal

After a discussion with Ashwin, these packages/dependencies in the file should be baked into the images and should not be installed every time before a test needs to be run on the pipeline (which leads to more time and is less secure). The above part will be tracked separately and for now, since updating the package seems to not cause any failures in the pipeline, we can commit this change.

jnihal avatar Sep 23 '22 05:09 jnihal