cryptography pin to 38.0.1 includes CVE-2023-0286

[dsteeley]

Being flagged for CVE-2023-0286 which is included by azure-cli Linux package install.

https://github.com/Azure/azure-cli/blame/dev/src/azure-cli/requirements.py3.Linux.txt#L98

Could you please investigate bumping this version to resolve the CVE?

The version was bumped but then reverted in f345be6, is there a ticket tracking resolving why the latest version of cryptography isn't used?

[yonzhan]

Thank you for opening this issue, we will look into it.

[bebound]

I've explained in #25690
We'll bump it with the release of Windows 64-bit version.

[MallocArray]

Looks like it was bumped to 38.04 but still showing as vulnerable to the CVE, but fixed in 39.0.1

https://avd.aquasec.com/nvd/2023/cve-2023-0286/

[tspearconquest]

This isn't good. There is a second CVE, CVE-2023-38325, in cryptography, and the Azure-CLI was left unfixed because of blocking the upgrade of the cryptography package on waiting for the Windows 64-bit version release of the Azure-CLI, which hadn't come out in over 4 months.

These fixes need higher priority for the (probably) higher percentage of users on MacOS and Linux; we can't leave users running with high severity and critical CVEs in security-sensitive environments.

With that being said, I believe this issue can be closed because the Azure-CLI release 2.51.0 now supports x86_64 and has the cryptography package upgraded to 41.0.2.

[bebound]

Close as #26903 is merged.