Pysaml2 security vulnerability

[itsBrady]

Our security scanner is flagging version cryptography==43.0.3

This comes from the latest version of pysaml2

pysaml2==7.5.4

We can't just bump cryptography to 44.0.1 in the req's because pyopenSSL (also a dependency of pysaml2) doesn't allow.

cryptography==43.0.3
# via
# pyopenssl
# pysaml2

pyopenssl==24.2.1
# via pysaml2

Can you release a patch bumping pyopenssl, and cryptography please.

[itsBrady]

 PACKAGE      │ VULNERABILITY ID │ INSTALLED VERSION │ FIXED VERSION │ SEVERITY │ CVSS2 │ CVSS3 │ STATUS │
├──────────────┼──────────────────┼───────────────────┼───────────────┼──────────┼───────┼───────┼────────┤
│ cryptography │ CVE-2024-12797   │ 43.0.3            │ 44.0.1        │ HIGH     │       │ 7.4   │ FAILED │

[mikicz]

Ideally this would get addressed by #977

[itsBrady]

Is there any ideas on when/if that will be going out?

[itsBrady]

@c00kiemon5ter apologies if you are not the correct person to ask, but is this on the radar to patch?

[lstorme]

following, and we should remove PyOpenSSL dependency

[spaceone]

@c00kiemon5ter What are the plans for the several reported security issues. It looks a little bit like this project is unmaintained. There are many requests for them to be addressed. A statement from you would be good.

[spaceone]

This is the same issue as #1024