
Update cryptography dependency to 39.0.2 #16363

Closed
fdalmaup opened this issue Mar 10, 2023 · 4 comments · Fixed by #16369
Labels: level/task, module/framework, type/bug/vulnerability (Exploitable vulnerability), type/bug (Something isn't working)

Comments

@fdalmaup
Member

Description

After the analysis carried out in #16128 due to several vulnerabilities, the team has decided to update the cryptography dependency to the latest stable version: 39.0.2.

This is the dependency tree:

/var/ossec/framework/python/bin/pipdeptree
aiohttp-cache==2.2.0
  - aiohttp [required: >=3.6,<4.0, installed: 3.8.1]
    - aiosignal [required: >=1.1.2, installed: 1.2.0]
      - frozenlist [required: >=1.1.0, installed: 1.2.0]
    - async-timeout [required: >=4.0.0a3,<5.0, installed: 4.0.2]
    - attrs [required: >=17.3.0, installed: 20.3.0]
    - charset-normalizer [required: >=2.0,<3.0, installed: 2.0.4]
    - frozenlist [required: >=1.1.1, installed: 1.2.0]
    - multidict [required: >=4.5,<7.0, installed: 5.1.0]
    - yarl [required: >=1.0,<2.0, installed: 1.6.3]
      - idna [required: >=2.0, installed: 2.9]
      - multidict [required: >=4.0, installed: 5.1.0]
  - aioredis [required: >=1.3,<2.0, installed: 1.3.1]
    - async-timeout [required: Any, installed: 4.0.2]
    - hiredis [required: Any, installed: 1.1.0]
  - envparse [required: >=0.2.0,<0.3.0, installed: 0.2.0]
aiohttp-cors==0.7.0
  - aiohttp [required: >=1.1, installed: 3.8.1]
    - aiosignal [required: >=1.1.2, installed: 1.2.0]
      - frozenlist [required: >=1.1.0, installed: 1.2.0]
    - async-timeout [required: >=4.0.0a3,<5.0, installed: 4.0.2]
    - attrs [required: >=17.3.0, installed: 20.3.0]
    - charset-normalizer [required: >=2.0,<3.0, installed: 2.0.4]
    - frozenlist [required: >=1.1.1, installed: 1.2.0]
    - multidict [required: >=4.5,<7.0, installed: 5.1.0]
    - yarl [required: >=1.0,<2.0, installed: 1.6.3]
      - idna [required: >=2.0, installed: 2.9]
      - multidict [required: >=4.0, installed: 5.1.0]
aiohttp-jinja2==1.4.2
  - aiohttp [required: >=3.6.3, installed: 3.8.1]
    - aiosignal [required: >=1.1.2, installed: 1.2.0]
      - frozenlist [required: >=1.1.0, installed: 1.2.0]
    - async-timeout [required: >=4.0.0a3,<5.0, installed: 4.0.2]
    - attrs [required: >=17.3.0, installed: 20.3.0]
    - charset-normalizer [required: >=2.0,<3.0, installed: 2.0.4]
    - frozenlist [required: >=1.1.1, installed: 1.2.0]
    - multidict [required: >=4.5,<7.0, installed: 5.1.0]
    - yarl [required: >=1.0,<2.0, installed: 1.6.3]
      - idna [required: >=2.0, installed: 2.9]
      - multidict [required: >=4.0, installed: 5.1.0]
  - jinja2 [required: >=2.10.1, installed: 3.0.0]
    - MarkupSafe [required: >=2.0.0rc2, installed: 2.1.2]
  - typing-extensions [required: >=3.7.4, installed: 3.10.0.2]
api==4.4.0
asn1crypto==1.3.0
azure-storage-blob==2.1.0
  - azure-common [required: >=1.1.5, installed: 1.1.25]
  - azure-storage-common [required: ~=2.1, installed: 2.1.0]
    - azure-common [required: >=1.1.5, installed: 1.1.25]
    - cryptography [required: Any, installed: 3.3.2]
      - cffi [required: >=1.12, installed: 1.14.4]
        - pycparser [required: Any, installed: 2.20]
      - six [required: >=1.4.1, installed: 1.14.0]
    - python-dateutil [required: Any, installed: 2.8.1]
      - six [required: >=1.5, installed: 1.14.0]
    - requests [required: Any, installed: 2.25.1]
      - certifi [required: >=2017.4.17, installed: 2022.12.7]
      - chardet [required: >=3.0.2,<5, installed: 3.0.4]
      - idna [required: >=2.5,<3, installed: 2.9]
      - urllib3 [required: >=1.21.1,<1.27, installed: 1.26.5]
boto3==1.17.85
  - botocore [required: >=1.20.85,<1.21.0, installed: 1.20.85]
    - jmespath [required: >=0.7.1,<1.0.0, installed: 0.9.5]
    - python-dateutil [required: >=2.1,<3.0.0, installed: 2.8.1]
      - six [required: >=1.5, installed: 1.14.0]
    - urllib3 [required: >=1.25.4,<1.27, installed: 1.26.5]
  - jmespath [required: >=0.7.1,<1.0.0, installed: 0.9.5]
  - s3transfer [required: >=0.4.0,<0.5.0, installed: 0.4.2]
    - botocore [required: >=1.12.36,<2.0a.0, installed: 1.20.85]
      - jmespath [required: >=0.7.1,<1.0.0, installed: 0.9.5]
      - python-dateutil [required: >=2.1,<3.0.0, installed: 2.8.1]
        - six [required: >=1.5, installed: 1.14.0]
      - urllib3 [required: >=1.25.4,<1.27, installed: 1.26.5]
connexion==2.6.0
  - clickclick [required: >=1.2, installed: 20.10.2]
    - click [required: >=4.0, installed: 8.1.3]
    - PyYAML [required: >=3.11, installed: 5.4.1]
  - flask [required: >=1.0.4, installed: 2.0.0]
    - click [required: >=7.1.2, installed: 8.1.3]
    - itsdangerous [required: >=2.0, installed: 2.0.0]
    - Jinja2 [required: >=3.0, installed: 3.0.0]
      - MarkupSafe [required: >=2.0.0rc2, installed: 2.1.2]
    - Werkzeug [required: >=2.0, installed: 2.2.3]
      - MarkupSafe [required: >=2.1.1, installed: 2.1.2]
  - inflection [required: >=0.3.1, installed: 0.3.1]
  - jsonschema [required: >=2.5.1, installed: 2.6.0]
  - openapi-spec-validator [required: >=0.2.4, installed: 0.2.6]
    - jsonschema [required: <3, installed: 2.6.0]
    - pathlib [required: Any, installed: 1.0.1]
    - PyYAML [required: >=3.13, installed: 5.4.1]
    - six [required: Any, installed: 1.14.0]
  - PyYAML [required: >=5.1, installed: 5.4.1]
  - requests [required: >=2.9.1, installed: 2.25.1]
    - certifi [required: >=2017.4.17, installed: 2022.12.7]
    - chardet [required: >=3.0.2,<5, installed: 3.0.4]
    - idna [required: >=2.5,<3, installed: 2.9]
    - urllib3 [required: >=1.21.1,<1.27, installed: 1.26.5]
Cython==0.29.21
defusedxml==0.6.0
docker==4.2.0
  - requests [required: >=2.14.2,!=2.18.0, installed: 2.25.1]
    - certifi [required: >=2017.4.17, installed: 2022.12.7]
    - chardet [required: >=3.0.2,<5, installed: 3.0.4]
    - idna [required: >=2.5,<3, installed: 2.9]
    - urllib3 [required: >=1.21.1,<1.27, installed: 1.26.5]
  - six [required: >=1.4.0, installed: 1.14.0]
  - websocket-client [required: >=0.32.0, installed: 0.57.0]
    - six [required: Any, installed: 1.14.0]
docker-pycreds==0.4.0
  - six [required: >=1.4.0, installed: 1.14.0]
docutils==0.15.2
freezegun==1.2.2
  - python-dateutil [required: >=2.7, installed: 2.8.1]
    - six [required: >=1.5, installed: 1.14.0]
future==0.18.3
google-cloud-pubsub==2.7.1
  - google-api-core [required: >=1.26.0,<3.0.0dev, installed: 1.30.0]
    - google-auth [required: >=1.25.0,<2.0dev, installed: 1.28.0]
      - cachetools [required: >=2.0.0,<5.0, installed: 4.1.0]
      - pyasn1-modules [required: >=0.2.1, installed: 0.2.8]
        - pyasn1 [required: >=0.4.6,<0.5.0, installed: 0.4.8]
      - rsa [required: >=3.1.4,<5, installed: 4.7.2]
        - pyasn1 [required: >=0.1.3, installed: 0.4.8]
      - setuptools [required: >=40.3.0, installed: 58.1.0]
      - six [required: >=1.9.0, installed: 1.14.0]
    - googleapis-common-protos [required: >=1.6.0,<2.0dev, installed: 1.51.0]
      - protobuf [required: >=3.6.0, installed: 3.19.6]
    - packaging [required: >=14.3, installed: 20.9]
      - pyparsing [required: >=2.0.2, installed: 2.4.7]
    - protobuf [required: >=3.12.0, installed: 3.19.6]
    - pytz [required: Any, installed: 2020.1]
    - requests [required: >=2.18.0,<3.0.0dev, installed: 2.25.1]
      - certifi [required: >=2017.4.17, installed: 2022.12.7]
      - chardet [required: >=3.0.2,<5, installed: 3.0.4]
      - idna [required: >=2.5,<3, installed: 2.9]
      - urllib3 [required: >=1.21.1,<1.27, installed: 1.26.5]
    - setuptools [required: >=40.3.0, installed: 58.1.0]
    - six [required: >=1.13.0, installed: 1.14.0]
  - grpc-google-iam-v1 [required: >=0.12.3,<0.13dev, installed: 0.12.3]
    - googleapis-common-protos [required: >=1.5.2,<2.0.0dev, installed: 1.51.0]
      - protobuf [required: >=3.6.0, installed: 3.19.6]
    - grpcio [required: >=1.0.0,<2.0.0dev, installed: 1.38.1]
      - six [required: >=1.5.2, installed: 1.14.0]
  - grpcio [required: >=1.38.1,<2.0dev, installed: 1.38.1]
    - six [required: >=1.5.2, installed: 1.14.0]
  - libcst [required: >=0.3.10, installed: 0.3.20]
    - pyyaml [required: >=5.2, installed: 5.4.1]
    - typing-extensions [required: >=3.7.4.2, installed: 3.10.0.2]
    - typing-inspect [required: >=0.4.0, installed: 0.7.1]
      - mypy-extensions [required: >=0.3.0, installed: 0.4.3]
      - typing-extensions [required: >=3.7.4, installed: 3.10.0.2]
  - packaging [required: >=14.3, installed: 20.9]
    - pyparsing [required: >=2.0.2, installed: 2.4.7]
  - proto-plus [required: >=1.7.1, installed: 1.19.0]
    - protobuf [required: >=3.12.0, installed: 3.19.6]
google-cloud-storage==1.39.0
  - google-auth [required: >=1.11.0,<2.0dev, installed: 1.28.0]
    - cachetools [required: >=2.0.0,<5.0, installed: 4.1.0]
    - pyasn1-modules [required: >=0.2.1, installed: 0.2.8]
      - pyasn1 [required: >=0.4.6,<0.5.0, installed: 0.4.8]
    - rsa [required: >=3.1.4,<5, installed: 4.7.2]
      - pyasn1 [required: >=0.1.3, installed: 0.4.8]
    - setuptools [required: >=40.3.0, installed: 58.1.0]
    - six [required: >=1.9.0, installed: 1.14.0]
  - google-cloud-core [required: >=1.4.1,<2.0dev, installed: 1.7.1]
    - google-api-core [required: >=1.21.0,<2.0.0dev, installed: 1.30.0]
      - google-auth [required: >=1.25.0,<2.0dev, installed: 1.28.0]
        - cachetools [required: >=2.0.0,<5.0, installed: 4.1.0]
        - pyasn1-modules [required: >=0.2.1, installed: 0.2.8]
          - pyasn1 [required: >=0.4.6,<0.5.0, installed: 0.4.8]
        - rsa [required: >=3.1.4,<5, installed: 4.7.2]
          - pyasn1 [required: >=0.1.3, installed: 0.4.8]
        - setuptools [required: >=40.3.0, installed: 58.1.0]
        - six [required: >=1.9.0, installed: 1.14.0]
      - googleapis-common-protos [required: >=1.6.0,<2.0dev, installed: 1.51.0]
        - protobuf [required: >=3.6.0, installed: 3.19.6]
      - packaging [required: >=14.3, installed: 20.9]
        - pyparsing [required: >=2.0.2, installed: 2.4.7]
      - protobuf [required: >=3.12.0, installed: 3.19.6]
      - pytz [required: Any, installed: 2020.1]
      - requests [required: >=2.18.0,<3.0.0dev, installed: 2.25.1]
        - certifi [required: >=2017.4.17, installed: 2022.12.7]
        - chardet [required: >=3.0.2,<5, installed: 3.0.4]
        - idna [required: >=2.5,<3, installed: 2.9]
        - urllib3 [required: >=1.21.1,<1.27, installed: 1.26.5]
      - setuptools [required: >=40.3.0, installed: 58.1.0]
      - six [required: >=1.13.0, installed: 1.14.0]
    - google-auth [required: >=1.24.0,<2.0dev, installed: 1.28.0]
      - cachetools [required: >=2.0.0,<5.0, installed: 4.1.0]
      - pyasn1-modules [required: >=0.2.1, installed: 0.2.8]
        - pyasn1 [required: >=0.4.6,<0.5.0, installed: 0.4.8]
      - rsa [required: >=3.1.4,<5, installed: 4.7.2]
        - pyasn1 [required: >=0.1.3, installed: 0.4.8]
      - setuptools [required: >=40.3.0, installed: 58.1.0]
      - six [required: >=1.9.0, installed: 1.14.0]
    - six [required: >=1.12.0, installed: 1.14.0]
  - google-resumable-media [required: >=1.3.0,<2.0dev, installed: 1.3.1]
    - google-crc32c [required: >=1.0,<2.0dev, installed: 1.1.2]
    - six [required: >=1.4.0, installed: 1.14.0]
  - requests [required: >=2.18.0,<3.0.0dev, installed: 2.25.1]
    - certifi [required: >=2017.4.17, installed: 2022.12.7]
    - chardet [required: >=3.0.2,<5, installed: 3.0.4]
    - idna [required: >=2.5,<3, installed: 2.9]
    - urllib3 [required: >=1.21.1,<1.27, installed: 1.26.5]
more-itertools==8.2.0
pip==21.2.4
pipdeptree==2.5.2
psutil==5.8.0
pydevd-pycharm==231.8109.4
python-jose==3.1.0
  - ecdsa [required: <1.0, installed: 0.16.1]
    - six [required: >=1.9.0, installed: 1.14.0]
  - pyasn1 [required: Any, installed: 0.4.8]
  - rsa [required: Any, installed: 4.7.2]
    - pyasn1 [required: >=0.1.3, installed: 0.4.8]
  - six [required: <2.0, installed: 1.14.0]
python-json-logger==2.0.2
secure==0.2.1
SQLAlchemy==1.3.11
tabulate==0.8.9
uvloop==0.15.2
wazuh==4.4.0
xmltodict==0.12.0
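The tree above is what tells a reviewer whether a bump to 39.0.2 can conflict with anything else in the environment: cryptography is reached only through azure-storage-common, and that edge carries the constraint `Any`, so no installed package pins it. The script below is an added example (not code from the issue or from Wazuh) that performs that check mechanically: it parses pipdeptree's text output into parent/child chains, then evaluates each dependent's requirement against a candidate version. It runs on a constructed excerpt of the tree quoted in the issue; the function names (`parse_pipdeptree`, `satisfies`, `check_upgrade`) are this example's own, and the version comparison is a simplification that keeps only the numeric prefix of each component (pre-release tags such as `a3` or `dev` are ignored), not a full PEP 440 implementation.

```python
import re

# Constructed excerpt of the pipdeptree output quoted in the issue (not the whole tree).
PIPDEPTREE_OUTPUT = """\
azure-storage-blob==2.1.0
  - azure-common [required: >=1.1.5, installed: 1.1.25]
  - azure-storage-common [required: ~=2.1, installed: 2.1.0]
    - azure-common [required: >=1.1.5, installed: 1.1.25]
    - cryptography [required: Any, installed: 3.3.2]
      - cffi [required: >=1.12, installed: 1.14.4]
        - pycparser [required: Any, installed: 2.20]
      - six [required: >=1.4.1, installed: 1.14.0]
    - requests [required: Any, installed: 2.25.1]
      - urllib3 [required: >=1.21.1,<1.27, installed: 1.26.5]
python-jose==3.1.0
  - ecdsa [required: <1.0, installed: 0.16.1]
"""

# Top-level line: "name==version"; nested line: "  - name [required: ..., installed: ...]"
TOP_RE = re.compile(r"^(\S+)==(\S+)$")
DEP_RE = re.compile(r"^(\s*)- (\S+) \[required: (.+?), installed: ([^\]]+)\]$")
SPEC_RE = re.compile(r"(>=|<=|==|!=|~=|>|<)\s*([0-9A-Za-z.]+)")
OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
       "<": lambda c: c < 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}


def version_key(version):
    """Numeric prefix of each dotted component: '4.0.0a3' -> (4, 0, 0).
    Pre-release/dev tags are ignored (a deliberate simplification of PEP 440)."""
    key = []
    for part in version.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        key.append(int(m.group()))
    return tuple(key)


def _cmp(a, b):
    """Three-way compare of version tuples, padding the shorter one with zeros."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(spec, version):
    """True if `version` meets every clause of a pipdeptree 'required:' field."""
    if spec.strip() == "Any":
        return True
    clauses = SPEC_RE.findall(spec)
    if not clauses:
        raise ValueError(f"unparsed specifier: {spec!r}")
    vk = version_key(version)
    for op, bound in clauses:
        bk = version_key(bound)
        if op == "~=":
            # Compatible release: >= X.Y and < X.(Y+1), i.e. the last given component bumped.
            if len(bk) < 2:
                raise ValueError(f"'~=' needs at least two components: {bound!r}")
            upper = bk[:-2] + (bk[-2] + 1,)
            if _cmp(vk, bk) < 0 or _cmp(vk, upper) >= 0:
                return False
        elif not OPS[op](_cmp(vk, bk)):
            return False
    return True


def parse_pipdeptree(text):
    """Flatten pipdeptree text into (chain, required, installed) tuples, where
    `chain` is the path of package names from the top-level package down."""
    entries = []
    stack = []  # (indent, name) pairs describing the current path
    for line in text.splitlines():
        if not line.strip():
            continue
        top = TOP_RE.match(line)
        if top:
            stack = [(-1, top.group(1))]
            entries.append(((top.group(1),), "top-level", top.group(2)))
            continue
        dep = DEP_RE.match(line)
        if not dep:
            raise ValueError(f"unrecognised pipdeptree line: {line!r}")
        indent = len(dep.group(1))
        name, required, installed = dep.group(2), dep.group(3), dep.group(4)
        while stack and stack[-1][0] >= indent:  # climb back up to the parent
            stack.pop()
        chain = tuple(n for _, n in stack) + (name,)
        entries.append((chain, required, installed))
        stack.append((indent, name))
    return entries


def check_upgrade(text, package, candidate):
    """Map each direct dependent of `package` to (requirement, installed, candidate_ok)."""
    report = {}
    for chain, required, installed in parse_pipdeptree(text):
        if len(chain) >= 2 and chain[-1].lower() == package.lower():
            report[chain[-2]] = (required, installed, satisfies(required, candidate))
    return report


if __name__ == "__main__":
    for pkg, target in (("cryptography", "39.0.2"), ("urllib3", "2.0.0")):
        for dependent, (req, inst, ok) in check_upgrade(PIPDEPTREE_OUTPUT, pkg, target).items():
            print(f"{dependent} requires {pkg} {req} (installed {inst}): "
                  f"{'OK' if ok else 'BLOCKS'} {target}")
```

Against the real tree, the command would be fed the full pipdeptree output (e.g. read from a file) and the same `check_upgrade` call answers the question the issue asks: which packages constrain cryptography and whether 39.0.2 satisfies all of them. The urllib3 case in `__main__` shows the other outcome, a dependent whose upper bound would block the candidate.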
@fdalmaup
Member Author

Issue update

The inclusion of the updated dependency is being carried out for the #13265 epic. Since this involves only the modification of the requirements.txt file and no code editing, which was proven for branch 4.4, we could follow the same approach as the one mentioned in #16680 (comment) regarding the hiredis update and directly update the dependency in the epic branch.

@fdalmaup
Member Author

Issue Update

We will follow the same approach as with #16680: the update will be carried out in the epic branch.

@EduLeon12
Contributor

After reading all the analysis behind the version of the mentioned dependency and testing the upgrade, I conclude that the analysis was well executed and that the scope of the issue has been fulfilled. Therefore, I approve this issue.

LGTM! 👍🏼

@mhamra
Contributor

mhamra commented May 29, 2023

I agree with the decision to upgrade the package.

This issue is also referenced by #13267 and PR 16408. Package installation works well, and the unit tests performed OK after making a small change to only one test. See comment.

I approve of this issue. LGTM!
