StackStorm · arm4b · Nov 3, 2023 · Nov 2, 2023 · Nov 2, 2023 · Nov 2, 2023
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -22,6 +22,8 @@ Fixed
 
 * Fix codecov failures for stackstorm/st2 tests. #6035, #6046, #6048
 
+* Update cryptography 3.4.7 -> 39.0.1, pyOpenSSL 21.0.0 -> 23.1.0, paramiko 2.10.5 -> 2.11.0 (security). #6055
+
 Added
 ~~~~~
 

diff --git a/contrib/runners/python_runner/python_runner/python_action_wrapper.py b/contrib/runners/python_runner/python_runner/python_action_wrapper.py
@@ -15,11 +15,11 @@
 
 from __future__ import absolute_import
 
-# Ignore CryptographyDeprecationWarning warnings which appear on older versions of Python 2.7
+# Ignore CryptographyDeprecationWarning warnings which appear on Python 3.6
+# TODO: Remove after dropping python3.6
 import warnings
-from cryptography.utils import CryptographyDeprecationWarning
 
-warnings.filterwarnings("ignore", category=CryptographyDeprecationWarning)
+warnings.filterwarnings("ignore", message="Python 3.6 is no longer supported")
 
 import os
 import sys

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
@@ -7,7 +7,7 @@ chardet<3.1.0
 cffi<1.15.0
 # NOTE: 2.0 version breaks pymongo work with hosts
 dnspython>=1.16.0,<2.0.0
-cryptography==3.4.7
+cryptography==39.0.1
 # Note: 0.20.0 removed select.poll() on which some of our code and libraries we
 # depend on rely
 eventlet==0.30.2
@@ -36,15 +36,16 @@ decorator==4.4.2
 # See https://github.com/StackStorm/st2/issues/4160#issuecomment-394386433 for details
 oslo.config>=1.12.1,<1.13
 oslo.utils<5.0,>=4.0.0
-paramiko==2.10.5
+# paramiko 2.11.0 is needed by cryptography > 37.0.0
+paramiko==2.11.0
 passlib==1.7.4
 prompt-toolkit==1.0.15
 pyinotify==0.9.6 ; platform_system=="Linux"
 pymongo==3.11.3
 pyparsing<3
 zstandard==0.15.2
-# pyOpenSSL 22.0.0 requires cryptography>=35.0
-pyOpenSSL<=21.0.0
+# pyOpenSSL 23.1.0 supports cryptography up to 40.0.x
+pyOpenSSL==23.1.0
 python-editor==1.0.4
 python-keyczar==0.716
 pytz==2021.1

diff --git a/requirements.txt b/requirements.txt
@@ -14,7 +14,7 @@ bcrypt==3.2.0
 cffi<1.15.0
 chardet<3.1.0
 ciso8601
-cryptography==3.4.7
+cryptography==39.0.1
 decorator==4.4.2
 dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
@@ -40,12 +40,12 @@ orjson==3.5.2
 orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0
 oslo.config>=1.12.1,<1.13
 oslo.utils<5.0,>=4.0.0
-paramiko==2.10.5
+paramiko==2.11.0
 passlib==1.7.4
 prettytable==2.1.0
 prompt-toolkit==1.0.15
 psutil==5.8.0
-pyOpenSSL<=21.0.0
+pyOpenSSL==23.1.0
 pyinotify==0.9.6 ; platform_system=="Linux"
 pymongo==3.11.3
 pyparsing<3

diff --git a/st2client/requirements.txt b/st2client/requirements.txt
@@ -8,14 +8,14 @@
 argcomplete==1.12.2
 cffi<1.15.0
 chardet<3.1.0
-cryptography==3.4.7
+cryptography==39.0.1
 importlib-metadata==3.10.1
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
 orjson==3.5.2
 prettytable==2.1.0
 prompt-toolkit==1.0.15
-pyOpenSSL<=21.0.0
+pyOpenSSL==23.1.0
 pysocks
 python-dateutil==2.8.1
 python-editor==1.0.4

diff --git a/st2client/st2client/shell.py b/st2client/st2client/shell.py
@@ -22,11 +22,11 @@
 from __future__ import print_function
 from __future__ import absolute_import
 
-# Ignore CryptographyDeprecationWarning warnings which appear on older versions of Python 2.7
+# Ignore CryptographyDeprecationWarning warnings which appear on Python 3.6
+# TODO: Remove after dropping python3.6
 import warnings
-from cryptography.utils import CryptographyDeprecationWarning
 
-warnings.filterwarnings("ignore", category=CryptographyDeprecationWarning)
+warnings.filterwarnings("ignore", message="Python 3.6 is no longer supported")
 
 import os
 import sys

diff --git a/st2common/requirements.txt b/st2common/requirements.txt
@@ -11,7 +11,7 @@ apscheduler==3.7.0
 cffi<1.15.0
 chardet<3.1.0
 ciso8601
-cryptography==3.4.7
+cryptography==39.0.1
 decorator==4.4.2
 dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
@@ -29,8 +29,8 @@ networkx>=2.5.1,<2.6
 orjson==3.5.2
 orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0
 oslo.config>=1.12.1,<1.13
-paramiko==2.10.5
-pyOpenSSL<=21.0.0
+paramiko==2.11.0
+pyOpenSSL==23.1.0
 pymongo==3.11.3
 python-dateutil==2.8.1
 python-statsd==2.1.0

diff --git a/st2common/tests/integration/log_unicode_data.py b/st2common/tests/integration/log_unicode_data.py
@@ -20,6 +20,12 @@
 
 from __future__ import absolute_import
 
+# Ignore CryptographyDeprecationWarning warnings which appear on Python 3.6
+# TODO: Remove after dropping python3.6
+import warnings
+
+warnings.filterwarnings("ignore", message="Python 3.6 is no longer supported")
+
 import os
 import sys
 

diff --git a/st2common/tests/integration/test_logging.py b/st2common/tests/integration/test_logging.py
@@ -15,6 +15,12 @@
 
 from __future__ import absolute_import
 
+# Ignore CryptographyDeprecationWarning warnings which appear on Python 3.6
+# TODO: Remove after dropping python3.6
+import warnings
+
+warnings.filterwarnings("ignore", message="Python 3.6 is no longer supported")
+
 import os
 import sys
 import signal