
Cloud Vulnerability DB
A community-led vulnerabilities database
A moderate severity vulnerability (GHSA-h4gh-qq45-vh27) was identified in pyca/cryptography versions 37.0.0 through 43.0.0. The issue stems from the statically linked copy of OpenSSL included in cryptography wheels, which contains a security vulnerability. This vulnerability was published and reviewed on September 3, 2024, affecting the pip package cryptography (GitHub Advisory).
The underlying vulnerability (CVE-2024-6119) in OpenSSL involves applications performing certificate name checks that may attempt to read an invalid memory address when comparing the expected name with an otherName subject alternative name of an X.509 certificate. This issue specifically affects basic certificate validation processes. The vulnerability is present in OpenSSL versions 3.0, 3.1, 3.2, and 3.3, though FIPS modules in these versions are not affected (OpenSSL Advisory).
The vulnerability can result in abnormal termination of the application process, potentially causing a denial of service. This primarily affects applications performing certificate name checks, such as TLS clients checking server certificates. The impact is particularly relevant when applications specify an expected DNS name, email address, or IP address (OpenSSL Advisory).
Users are advised to upgrade to cryptography version 43.0.1 or later. Those building cryptography from source (sdist) are responsible for upgrading their own copy of OpenSSL. Only users installing from wheels built by the cryptography project (distributed on PyPI) need to update their cryptography version (GitHub Advisory).
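As an added exposure check (written for this page, not code from the advisory or the cryptography project), the following Python applies the version boundaries the advisory states: wheels 37.0.0 through 43.0.0 are affected and 43.0.1 is the fix, while sdist builds depend on the linked OpenSSL branch (3.0 through 3.3). Whether an install came from a wheel is a caller-supplied assumption, and `backend.openssl_version_text()` is assumed from the library's OpenSSL backend API, so that import is guarded.

```python
"""Exposure check for GHSA-h4gh-qq45-vh27 / CVE-2024-6119 (constructed example)."""
import re
from typing import Optional, Tuple

# Version boundaries exactly as stated in the GitHub and OpenSSL advisories.
AFFECTED_WHEEL_MIN = (37, 0, 0)   # first affected cryptography wheel
FIXED_WHEEL = (43, 0, 1)          # first wheel shipping a patched OpenSSL
AFFECTED_OPENSSL_BRANCHES = {(3, 0), (3, 1), (3, 2), (3, 3)}

def parse_version(text: str) -> Tuple[int, int, int]:
    """First major[.minor[.patch]] in '43.0.0' or 'OpenSSL 3.3.1 4 Jun 2024'."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(p) if p is not None else 0 for p in m.groups())
    return major, minor, patch

def wheel_is_affected(cryptography_version: str) -> bool:
    """True when a PyPI wheel of this version bundles the vulnerable OpenSSL."""
    return AFFECTED_WHEEL_MIN <= parse_version(cryptography_version) < FIXED_WHEEL

def openssl_branch_is_affected(openssl_version_text: str) -> bool:
    """True for OpenSSL 3.0-3.3; patch level and FIPS use need a manual check."""
    major, minor, _ = parse_version(openssl_version_text)
    return (major, minor) in AFFECTED_OPENSSL_BRANCHES

def assess(cryptography_version: str, openssl_version_text: str, from_wheel: bool) -> str:
    """Verdict for one install. from_wheel is the caller's assumption: a plain
    'pip install cryptography' from PyPI is a wheel unless --no-binary was used."""
    if from_wheel:
        if wheel_is_affected(cryptography_version):
            return "VULNERABLE: upgrade to cryptography 43.0.1 or later"
        return "NOT AFFECTED: wheel is outside the 37.0.0-43.0.0 range"
    if openssl_branch_is_affected(openssl_version_text):
        return "CHECK: sdist build on OpenSSL 3.0-3.3; verify the patch level (FIPS module is not affected)"
    return "NOT AFFECTED: sdist build on an OpenSSL branch the advisory does not list"

def installed_versions() -> Optional[Tuple[str, str]]:
    """Versions from the running interpreter, or None if cryptography is absent."""
    try:
        import cryptography
        from cryptography.hazmat.backends.openssl.backend import backend  # assumed API
        return cryptography.__version__, backend.openssl_version_text()
    except Exception:  # ImportError, or a backend layout this helper does not know
        return None

if __name__ == "__main__":
    found = installed_versions()
    print("cryptography not installed" if found is None
          else f"{found} -> {assess(found[0], found[1], from_wheel=True)}")
```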
Source: This report was generated using AI