
Cloud Vulnerability DB
A community-led vulnerabilities database
GHSA-jm77-qphf-c4w8 is not a flaw in pyca/cryptography's own code: it tracks vulnerable OpenSSL versions statically linked into the wheels the cryptography project builds and publishes on PyPI. Affected versions are 0.8 through 41.0.2; version 41.0.3, released on August 1, 2023, ships fixed wheels. Only installs from those wheels are affected; installs built from the sdist link against whatever OpenSSL is present on the build host (GitHub Advisory).
The underlying issues are three OpenSSL advisories, all rated Low: the AES-SIV implementation ignores empty associated-data entries (CVE-2023-2975), and DH key and parameter checking can take excessive time (CVE-2023-3446, triggered by an overly large modulus, and CVE-2023-3817, triggered during the check of the DH q parameter value). Nothing in cryptography's Python or Rust code is implicated; the exposure is entirely the bundled OpenSSL (OpenSSL Advisory).
The practical impact depends on which OpenSSL function an application exercises. An application that passes untrusted DH keys or parameters to DH_check(), DH_check_ex() or EVP_PKEY_param_check() can be made to spend excessive time in those checks, a denial of service. An application using AES-SIV that relies on empty associated-data entries being authenticated can be misled, because adding, removing or reordering such empty entries does not change the authentication result (OpenSSL Advisory).
Upgrade to cryptography 41.0.3 or later; its wheels are built against OpenSSL 3.1.2, which contains all three fixes. Users who build from the sdist are responsible for updating their own copy of OpenSSL, since the wheel's version number says nothing about the library they linked. The 41.0.3 release also fixes a performance regression when loading DH public keys and a memory leak in ChaCha20Poly1305 (GitHub Commit).
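Because a wheel install and a source install have to be judged differently (the wheel by its cryptography version, the source build by the OpenSSL it linked), the check below classifies an installation against the version boundaries the advisory states. This is an added example, not code from the advisory or the cryptography project. It uses two real attributes, `cryptography.__version__` and the OpenSSL backend's `openssl_version_text()`, but only inside `check_installed()`, so the pure helpers run without the package; the version strings in the usage section are constructed samples. It only gives a definite answer for the OpenSSL 3.1 series named on this page and reports other branches as unknown rather than guessing their fix releases.

```python
"""Classify an installed pyca/cryptography against GHSA-jm77-qphf-c4w8.

Added example (not from the advisory or the cryptography project). The version
boundaries below are the ones stated in the advisory: wheels for cryptography
0.8 <= v < 41.0.3 bundle a vulnerable OpenSSL, and 41.0.3 ships OpenSSL 3.1.2.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_FROM: Version = (0, 8, 0)   # first cryptography release with a bundled OpenSSL
FIXED_IN: Version = (41, 0, 3)       # first release whose wheels carry OpenSSL 3.1.2
OPENSSL_FIXED: Version = (3, 1, 2)   # OpenSSL release that fixes all three CVEs


def parse_version(text: str) -> Version:
    """Extract the first dotted version from strings such as '41.0.2',
    'OpenSSL 3.1.1 30 May 2023' or '1.1.1u'; a missing patch number is 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def wheel_is_affected(cryptography_version: str) -> bool:
    """True when a PyPI wheel of this cryptography version bundles a vulnerable OpenSSL."""
    return AFFECTED_FROM <= parse_version(cryptography_version) < FIXED_IN


def openssl_is_affected(openssl_version_text: str) -> Optional[bool]:
    """True/False for the OpenSSL 3.1 series the advisory names. Other branches
    have their own fix releases, which this page does not list, so return None
    rather than guess."""
    v = parse_version(openssl_version_text)
    if v[:2] != (3, 1):
        return None
    return v < OPENSSL_FIXED


def assess(cryptography_version: str, openssl_version_text: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'affected', 'fixed' or 'unknown'.

    The linked OpenSSL is decisive: a source build against OpenSSL 3.1.2 is
    fixed even on an old cryptography, and a wheel is exactly as vulnerable as
    the OpenSSL it bundles."""
    wheel = wheel_is_affected(cryptography_version)
    ssl = openssl_is_affected(openssl_version_text)
    ssl_v = ".".join(map(str, parse_version(openssl_version_text)))
    if ssl is True:
        return ("affected", f"linked OpenSSL {ssl_v} predates 3.1.2")
    if ssl is False:
        return ("fixed", f"linked OpenSSL {ssl_v} is 3.1.2 or later")
    if wheel:
        return ("unknown", f"cryptography {cryptography_version} is in the advisory range "
                           f"but OpenSSL {ssl_v} is not the 3.1 series it describes; "
                           "a wheel should be upgraded, a source build compared "
                           "against that OpenSSL branch's own fix release")
    return ("unknown", f"cryptography {cryptography_version} is outside the advisory "
                       f"range and OpenSSL {ssl_v} is not the 3.1 series it describes")


def check_installed() -> Tuple[str, str]:
    """Run assess() against the real installation. cryptography is imported
    lazily so the pure helpers above work without it; openssl_version_text()
    is the backend method the library exposes for the linked OpenSSL."""
    import cryptography
    from cryptography.hazmat.backends.openssl.backend import backend

    return assess(cryptography.__version__, backend.openssl_version_text())


if __name__ == "__main__":
    # Constructed inputs standing in for a vulnerable and a fixed wheel.
    for cv, ov in (("41.0.2", "OpenSSL 3.1.1 30 May 2023"),
                   ("41.0.3", "OpenSSL 3.1.2 1 Aug 2023")):
        print(cv, ov, "->", assess(cv, ov))
    try:
        print("installed ->", check_installed())
    except ImportError:
        print("cryptography is not installed in this interpreter")
```

Run it in each virtual environment that ships to production rather than once on a workstation: the same `cryptography` version can be a wheel in one environment and a source build against the system OpenSSL in another, and only the linked OpenSSL version settles the question.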
Source: This report was generated using AI