2024.08 updates. (#177)

* Updated libffi sources to 3.4.6.

* Updated libffi version to build to 3.4.6.

* Updated zlib sources to 1.3.1.

* Updated zlib version to build to 1.3.1.

* Security updates for OpenSSL 1.1.1w from Ubuntu 20.04.

* Updated SQLite sources and DLLs to 3.46.0.

* Updated SQLite version to build/use to 3.46.0.

* Python hot patches for some CVE issues on all platforms.

* Adjusted hot fixes to cleanly apply on Windows.

* Patched Python sources for CVE-2022-48560, CVE-2022-48566, CVE-2023-40217.

* Document today's patching.

* Patched our cryptography sources for CVE-2023-49083. Other safety issues not relevant for our old versions.

* Patched our cryptography sources for CVE-2023-49083, take two.

* Ignore one more `safety` id for `requests`: 71064.

* Ignore `safety` id for one more of its deps: `idna`.

* Use last compat revision supporting Python 2.7.

* Added more Safety IDs to ignore.

* Clone more of compat to reach last revision supporting py27.

* Updated psutil version to build and use to 6.0.0.

* Try penultimate commit from py2-support branch of compat.

* Deactivate compat tests in GitHub workflows for now.

* Updated non-containerized workflows.

* Try latest version to build on CentOS 5.

* Try older psutil version to build on CentOS 5.

* Try building ARM64 Linux package on macOS.

* No Docker on GitHub's Apple Silicon macOS runners.

* Properly set an older psutil version to build on generic Linux.

* Try psutil version 5.9.6 on CentOS 5.

* Try bulding Ubuntu 18.04 package in a container.

* Try bulding Ubuntu 18.04 package in a container, take two.

* Try bulding Ubuntu 18.04 package in a container, take three.

* Patched our Python sources for CVE-2024-0397.

* Patched our OpenSSL 1.1.1 sources for CVE-2024-2511, CVE-2024-4741, CVE-2024-5535.

* Updated OpenSSL 1.1.1 version to build to 1.1.1w-chevah2.

* Patch CVE-2023-49083 for cryptography 3.2.1 the same way as for CVE-2023-23931.

* More changes after own review.

* Updated documented external deps sheets.

* Cosmetic changes for external deps sheets.

* More changes after own review.

* Fix CVE-2024-7592 for Python.

* Fix CVE-2024-7592 for Python, take two.

* Actually remove compat tests GitHub workflows.

Author: dumol

.github/workflows/bare.yaml

@@ -30,7 +30,7 @@ jobs:
       fail-fast: false
       matrix:
         # The ARM64 build actually runs on an Amazon Docker container on Laja.
-        runs-on: [ ubuntu-20.04, ubuntu-18.04, amzn-2-arm64 ]
+        runs-on: [ ubuntu-20.04, amzn-2-arm64 ]
     timeout-minutes: 120
     steps:
     - name: Prepare OS
@@ -66,11 +66,6 @@ jobs:
         cd $CHEVAH_REPO
         ./chevah_build test
 
-    - name: Compat tests
-      run: |
-        cd $CHEVAH_REPO
-        ./chevah_build compat
-
     # Upload using a (per-OS selected) sftp command, then show final links.
     - name: Upload testing package
       run: |
@@ -96,7 +91,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        runs-on: [ macos-11 ]
+        runs-on: [ macos-13 ]
     timeout-minutes: 60
     steps:
     # Avoid linking to Homebrew's libintl during build.
@@ -138,11 +133,6 @@ jobs:
         cd $CHEVAH_REPO
         ./chevah_build test
 
-    - name: Compat tests
-      run: |
-        cd $CHEVAH_REPO
-        ./chevah_build compat
-
     - name: Upload testing package
       run: |
         mkdir -pv ~/.ssh/
@@ -206,12 +196,6 @@ jobs:
         cd $CHEVAH_REPO
         ./chevah_build test
 
-    - name: Compat tests
-      shell: bash
-      run: |
-        cd $CHEVAH_REPO
-        ./chevah_build compat
-
     # To use an RSA key with SFTPPlus, install upstream OpenSSH package,
     # which is more finicky in regards to file permissions.
     # Beware the commands in this step run under PowerShell.

.github/workflows/docker.yaml

@@ -20,18 +20,17 @@ env:
   USER: chevah
   CHEVAH_CONTAINER: yes
 
-# Using a job name that doesn't contain the OS name, to minimize the risk of
-# confusion with the OS names of the containers, which are the relevant ones.
 jobs:
-  latest:
+
+  x64:
     runs-on: ubuntu-latest
     container: ${{ matrix.container }}
     strategy:
       fail-fast: false
       matrix:
         # CentOS 5.11 setup was saved as an image pushed to Docker Hub. See the
         # Overview section at https://hub.docker.com/r/proatria/centos for details.
-        container: [ 'alpine:3.12', 'centos:8.2.2004', 'proatria/centos:5.11-chevah1' ]
+        container: [ 'alpine:3.12', 'centos:8.2.2004', 'proatria/centos:5.11-chevah1', 'ubuntu:18.04' ]
     timeout-minutes: 30
     steps:
 
@@ -53,6 +52,13 @@ jobs:
         yum -y upgrade
         yum -y install git curl gcc make m4 automake libtool patch openssl-devel zlib-devel libffi-devel ncurses-devel sudo which openssh-clients
 
+    - name: Ubuntu setup
+      if: startsWith(matrix.container, 'ubuntu')
+      run: |
+        apt update
+        apt --yes dist-upgrade
+        apt --yes install curl bash gcc make m4 automake libtool patch git libffi-dev zlib1g-dev libncurses5-dev libssl-dev
+
     # On a Docker container, everything runs as root by default.
     - name: Chevah user setup
       run: |
@@ -90,13 +96,6 @@ jobs:
         cd /home/chevah/$CHEVAH_REPO
         ./chevah_build test
 
-    # Compat tests must run as regular user with sudo rights.
-    - name: Compat tests
-      run: |
-        chown -R chevah /home/chevah/$CHEVAH_REPO
-        cd /home/chevah/$CHEVAH_REPO
-        su chevah -c "./chevah_build compat"
-
     # Using `~/` is problematic under Docker, use `/root/`.
     - name: Upload testing package
       run: |

chevah_build

@@ -13,51 +13,58 @@ set -o errtrace   # trap errors in functions as well
 set -o pipefail   # don't ignore exit codes when piping output
 
 PYTHON_BUILD_VERSION="2.7.18"
-LIBFFI_VERSION="3.4.4"
-ZLIB_VERSION="1.3"
+LIBFFI_VERSION="3.4.6"
+ZLIB_VERSION="1.3.1"
 BZIP2_VERSION="1.0.8"
 # We statically build the BSD libedit on selected platforms to get the
 # readline module available without linking to the GPL-only readline libs.
 LIBEDIT_VERSION="20170329-3.1"
-OPENSSL_VERSION="1.1.1w"
-SQLITE_VERSION="3.43.1"
+# As of November 2023, security patches for OpenSSL 1.1.1 are private.
+# More at https://openssl-library.org/news/vulnerabilities-1.1.1/index.html.
+# See src/openssl/README for details on where to get them anyway.
+OPENSSL_VERSION="1.1.1w-chevah2"
+SQLITE_VERSION="3.46.0"
 
 # Python modules versions to be used everywhere possible.
 PYSQLITE_VERSION="2.8.3"
-CFFI_VERSION="1.15.1"
 SCANDIR_VERSION="1.10.0"
-PSUTIL_VERSION="5.9.5"
+# An older version is used on generic Linux to have it built on CentOS 5.
+PSUTIL_VERSION="6.0.0"
 SUBPROCESS32_VERSION="3.5.4"
 
 # Versions no longer upgradable because of Python 2 deprecation.
+CFFI_VERSION="1.15.1"
 # pyOpenSSL 19.1.0 is used with OpenSSL 1.0.2 libs.
 PYOPENSSL_VERSION="21.0.0"
 # Backported fix for https://github.com/pypa/pip/issues/9827
 # at https://github.com/chevah/pip/tree/20.3.4chevah.
 PIP_VERSION="20.3.4chevah1"
 # For safety alerts, we need to ignore some vulnerabilities which are either:
-#   * not present in the final tarball, e.g. for wheel, safety, etc.,
+#   * not present in the final tarball, e.g. for wheel, safety, requests, etc.,
 #   * not at all relevant, e.g. those for cryptography's bundled openssl,
-#   * not actually relevant for these old versions, e.g. 53048 for cryptography,
-#   * patched by us, e.g. 40291 for pip, 53048 for cryptography,
-#   * not patched: 52495 for setuptools.
+#   * not actually relevant for these old versions, e.g. 65647 for cryptography,
+#   * patched by us, e.g. 40291 for pip, 53048/62556 for cryptography,
+#   * not patched: 52495/72236 for setuptools, 59473 for cryptography.
 # pip <21.1, click <8, dparse <0.5.2, wheel <0.38, safety <2.2, pywin32 <301.
 SAFETY_IGNORED_OPTS="-i 40291 -i 47833 -i 50571 -i 51499 -i 51358 -i 54687"
 # setuptools <65.5.1, requests <2.31.0, certifi <2023.07.22.
 SAFETY_IGNORED_OPTS="$SAFETY_IGNORED_OPTS -i 52495 -i 58755 -i 52365 -i 59956"
+# requests <2.32.2, idna <3.7, setuptools <70.0.0, certifi <2024.07.04.
+SAFETY_IGNORED_OPTS="$SAFETY_IGNORED_OPTS -i 71064 -i 67895 -i 72236 -i 72083"
 # These are related to cryptography's bundled OpenSSL libs. We don't use those.
 SAFETY_IGNORED_OPTS="$SAFETY_IGNORED_OPTS -i 53306 -i 53298 -i 53305 -i 53301"
 SAFETY_IGNORED_OPTS="$SAFETY_IGNORED_OPTS -i 53307 -i 53304 -i 53302 -i 53299"
 SAFETY_IGNORED_OPTS="$SAFETY_IGNORED_OPTS -i 53303 -i 59062 -i 60225 -i 60223"
-SAFETY_IGNORED_OPTS="$SAFETY_IGNORED_OPTS -i 60224"
-# Other cryptography vulnerabilities, see a few lines above for more details.
-SAFETY_IGNORED_OPTS="$SAFETY_IGNORED_OPTS -i 53048 -i 59473"
+SAFETY_IGNORED_OPTS="$SAFETY_IGNORED_OPTS -i 60224 -i 62451 -i 62452 -i 65278"
+SAFETY_IGNORED_OPTS="$SAFETY_IGNORED_OPTS -i 65510 -i 71680 -i 71681"
+# Other cryptography vulnerabilities, see above multi-line comment for more details.
+SAFETY_IGNORED_OPTS="$SAFETY_IGNORED_OPTS -i 53048 -i 59473 -i 62556 -i 65647"
 # setuptools 44.x is the last series to support Python 2.7.
 # More at https://github.com/pypa/setuptools/pull/1955.
 SETUPTOOLS_VERSION="44.1.1"
 # Version 3.2.1 (with patches) from python-modules/ is used with OpenSSL 1.0.2.
-# Our patched versions fix CVE-2023-23931.
-CRYPTOGRAPHY_VERSION="3.3.2chevah"
+# Our patched versions are not affected by CVE-2023-23931 and CVE-2023-49083.
+CRYPTOGRAPHY_VERSION="3.3.2chevah2"
 # bcrypt 3.2.0 requires at least Python 3.6.
 BCRYPT_VERSION="3.1.7"
 # setproctitle 1.2.x requires at least Python 3.6.
@@ -325,6 +332,16 @@ case $OS in
         export PATH="/usr/local/bin:$PATH"
         # In particular, Perl's Test::Simple and its deps are required.
         execute perl -MTest::Simple -e 1
+        # Version 5.9.8 and newer of psutil can't build on RHEL 5 and clones.
+        PIP_LIBRARIES="\
+            cryptography==${CRYPTOGRAPHY_VERSION} \
+            pyOpenSSL==${PYOPENSSL_VERSION} \
+            scandir==${SCANDIR_VERSION} \
+            subprocess32==${SUBPROCESS32_VERSION} \
+            bcrypt==${BCRYPT_VERSION} \
+            psutil==5.9.6 \
+            setproctitle==${SETPROCTITLE_VERSION}
+            "
         ;;
     *)
         # Only supported Linux distributions should be left.
@@ -786,7 +803,7 @@ command_compat() {
     execute pushd build
     echo '##### Running chevah.compat tests... #####'
     execute rm -rf compat
-    execute git clone https://github.com/chevah/compat.git --depth=1 -b py2-support
+    execute git clone https://github.com/chevah/compat.git --depth 1 -b py2-support
     execute pushd compat
     # Copy over current brink stuff, as some changes might require it.
     execute cp ../../brink.{conf,sh} ./

external_deps.csv

@@ -1,35 +1,35 @@
 OS,AIX,,,Amazon,Alpine,Debian,FreeBSD,,HP-UX,macOS,OS X,RHEL,,,SLES,Solaris,,,,Ubuntu Server,,,,Windows,
-OS Version,5.3³,6.1³,7.1+¹,2+¹,3.12+¹,5.0+²,11.4³,12.2+³,11.31³,10.13+¹,10.8³,5.11-7.x¹,8.x¹,9.x¹,11SP4+²,10u8+³,11.0/11.1³,11.2³,11.4³,14.04/16.04¹,18.04¹,20.04¹,22.04¹,"XP, 2003, 2008³","2012r2, 2016, 2019, 2022¹"
+OS Version,5.3³,6.1³,7.1+²,2+¹,3.12+¹,6.0+²,11.4³,12.2+³,11.31³,10.13+¹,10.8³,5.11-7.x¹,8.x¹,9.x+¹,11SP4+²,10u8+³,11.0/11.1³,11.2³,11.4³,16.04²,18.04¹,20.04¹,22.04+¹,"XP, 2003, 2008³","2012r2, 2016, 2019, 2022¹"
 OpenSSL⁶,"1.0.2v-chevah2 (statically linked with stdlib “ssl”)
 1.0.2v-chevah2 (statically linked with cryptography)",1.0.2k (from AIX Web Download Pack Programs),"1.0.2v-chevah5¹⁵ (statically linked with stdlib “ssl”)
-1.0.2v-chevah5¹⁵ (statically linked with cryptography)","1.1.1w (statically linked with stdlib “ssl”)
-1.1.1w (statically linked with cryptography)","1.1.1w (statically linked with stdlib “ssl”)
-1.1.1w (statically linked with cryptography)","1.1.1w (statically linked with stdlib “ssl”)
-1.1.1w (statically linked with cryptography)",1.0.1u,1.0.2s,1.0.2h,"1.1.1w (statically linked with stdlib “ssl”)
-1.1.1w (statically linked with cryptography)","1.1.1g (statically built for stdlib “ssl”)
-1.1.1g (bundled with upstream cryptography 2.9.1)","1.1.1w (statically linked with stdlib “ssl”)
-1.1.1w (statically linked with cryptography)","1.1.1cFIPS /
-1.1.1k FIPS","1.1.1w (statically linked with stdlib “ssl”)
-1.1.1w (statically linked with cryptography)","1.1.1w (statically linked with stdlib “ssl”)
-1.1.1w (statically linked with cryptography)",1.0.2n (from upstream Oracle patches),1.0.0x,1.0.1h,"
-1.0.2o","1.1.1w (statically linked with stdlib “ssl”)
-1.1.1w (statically linked with cryptography)",1.1.0g,1.1.1f,"1.1.1w (statically linked with stdlib “ssl”)
-1.1.1w (statically linked with cryptography)","1.0.2t (bundled with upstream Python 2.7.18)
+1.0.2v-chevah5¹⁵ (statically linked with cryptography)","1.1.1w-chevah2 (statically linked with stdlib “ssl”)
+1.1.1w-chevah2 (statically linked with cryptography)","1.1.1w-chevah2 (statically linked with stdlib “ssl”)
+1.1.1w-chevah2 (statically linked with cryptography)","1.1.1w-chevah2 (statically linked with stdlib “ssl”)
+1.1.1w-chevah2 (statically linked with cryptography)",1.0.1u,1.0.2s,1.0.2h,"1.1.1w-chevah2 (statically linked with stdlib “ssl”)
+1.1.1w-chevah2 (statically linked with cryptography)","1.1.1g (statically built for stdlib “ssl”)
+1.1.1g (bundled with upstream cryptography 2.9.1)","1.1.1w-chevah2 (statically linked with stdlib “ssl”)
+1.1.1w-chevah2 (statically linked with cryptography)","1.1.1cFIPS /
+1.1.1k FIPS","1.1.1w-chevah2 (statically linked with stdlib “ssl”)
+1.1.1w-chevah2 (statically linked with cryptography)","1.1.1w-chevah2 (statically linked with stdlib “ssl”)
+1.1.1w-chevah2 (statically linked with cryptography)",1.0.2n (from upstream Oracle patches),1.0.0x,1.0.1h,"
+1.0.2o","1.1.1w-chevah2 (statically linked with stdlib “ssl”)
+1.1.1w-chevah2 (statically linked with cryptography)",1.1.0g,1.1.1f,"1.1.1w-chevah2 (statically linked with stdlib “ssl”)
+1.1.1w-chevah2 (statically linked with cryptography)","1.0.2t (bundled with upstream Python 2.7.18)
 1.1.1g (bundled with upstream cryptography 2.9.1)","1.0.2t⁹ (bundled with upstream Python 2.7.18)
-1.1.1w (built from upstream sources for cryptography)"
+1.1.1w-chevah2 (built from upstream sources for cryptography)"
 Python,2.7.18+patches,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.8⁴,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18¹¹,2.7.18¹³
-SQLite,3.34.1,3.34.1,3.43.1,3.43.1,3.43.1,3.43.1,3.30.1,3.34.1,3.34.1,3.43.1,3.30.1,3.43.1,3.43.1,3.43.1,3.43.1,3.34.1,3.30.1,3.34.1,3.34.1,3.43.1,3.43.1,3.43.1,3.43.1,3.30.1 (we overwrite version from upstream Python at build time),3.43.1 (we overwrite version from upstream Python at build time)
+SQLite,3.46.0,3.34.1,3.46.0,3.46.0,3.46.0,3.46.0,3.30.1,3.46.0,3.46.0,3.46.0,3.30.1,3.46.0,3.46.0,3.46.0,3.46.0,3.46.0,3.30.1,3.46.0,3.46.0,3.46.0,3.46.0,3.46.0,3.46.0,3.30.1 (we overwrite version from upstream Python at build time),3.46.0 (we overwrite version from upstream Python at build time)
 Expat,2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.1.0⁵ (bundled with Python 2.7.8),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python)
-zlib,1.2.12,p/o,1.3,1.3,p/o,1.3,p/o,p/o,1.2.12,1.3,p/o,1.3,p/o,1.3,1.3,p/o,p/o,p/o,p/o,1.3,p/o,p/o,1.3,1.2.11⁸ (bundled with Python),1.2.11⁸ (bundled with Python)
+zlib,1.2.12,p/o,1.3.1,1.3.1,1.3.1,1.3.1,p/o,p/o,1.2.12,1.3.1,p/o,1.3.1,p/o,1.3.1,1.3.1,p/o,p/o,p/o,p/o,1.3.1,p/o,p/o,1.3.1,1.2.11⁸ (bundled with Python),1.2.11⁸ (bundled with Python)
 bzip2,1.0.8,1.0.8,1.0.8,1.0.8,1.0.8,1.0.8,p/o,p/o,1.0.8,p/o,p/o,1.0.8,1.0.8,1.0.8,1.0.8,p/o,p/o,p/o,p/o,1.0.8,1.0.8,1.0.8,1.0.8,1.0.6 (bundled with Python),1.0.6 (bundled with Python)
-libffi,3.4.4,3.4.2,3.4.4,p/o,3.4.4,3.4.4,3.4.2,3.4.2,3.4.2,p/o,p/o,3.4.4,p/o,3.4.4,3.4.4,n/a,n/a,3.4.2,3.4.2,p/o,p/o,p/o,p/o,n/a,n/a
+libffi,3.4.6,3.4.2,3.4.6,3.4.6,3.4.6,3.4.6,3.4.2,3.4.2,3.4.2,p/o,p/o,3.4.6,p/o,3.4.6,3.4.6,n/a,n/a,3.4.2,3.4.2,3.4.6,p/o,p/o,3.4.6,n/a,n/a
 libedit,n/a,n/a,n/a,n/a,20170329-3.1,n/a,20170329-3.1,20170329-3.1,n/a,n/a,20170329-3.1,n/a,20170329-3.1,n/a,n/a,n/a,20170329-3.1,20170329-3.1,20170329-3.1,n/a,20170329-3.1,20170329-3.1,n/a,n/a,n/a
 pysqlite,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,"n/a, upstream sqlite3 is used","n/a, upstream sqlite3 is used"
 pip,20.3.4¹⁴,9.0.3¹⁴,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,9.0.3¹⁴,20.3.4chevah1,20.3.4¹⁴,20.3.4chevah1,9.0.3¹⁴,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,20.3.4¹⁴,9.0.3¹⁴,20.3.4¹⁴,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,20.3.4¹⁴,20.3.4chevah1
 setuptools,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,41.6.0¹⁷,41.6.0¹⁷,41.6.0¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷,44.1.1¹⁷
 pycparser,2.20,2.20,2.21,2.21,2.21,2.21,2.20,2.21,2.20,2.21,2.20,2.21,2.21,2.21,2.21,2.20,2.20,2.20,2.21,2.21,2.21,2.21,2.21,2.20,2.21
 setproctitle,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10,1.1.10
-cryptography,3.2.1¹²,2.9.2¹²,3.2.1¹⁶,3.3.2¹⁶,3.3.2¹⁶,3.3.2¹⁶,2.9.2¹²,3.3.2¹⁶,n/a,3.3.2¹⁶,2.9.2¹² (wheel includes OpenSSL),3.3.2¹⁶,3.3.2¹⁶,3.3.2¹⁶,3.3.2¹⁶,n/a,n/a,n/a,3.2.1¹²,3.3.2¹⁶,3.3.2¹⁶,3.3.2¹⁶,3.3.2¹⁶,2.9.2¹² (wheel includes OpenSSL),3.3.2¹⁶
+cryptography,3.2.1¹²,2.9.2¹²,3.2.1+patches,3.3.2+patches¹⁶,3.3.2+patches¹⁶,3.3.2+patches¹⁶,2.9.2¹²,3.3.2+patches¹⁶,n/a,3.3.2+patches¹⁶,2.9.2¹² (wheel includes OpenSSL),3.3.2+patches¹⁶,3.3.2+patches¹⁶,3.3.2+patches¹⁶,3.3.2+patches¹⁶,n/a,n/a,n/a,3.2.1¹²,3.3.2+patches¹⁶,3.3.2+patches¹⁶,3.3.2+patches¹⁶,3.3.2+patches¹⁶,2.9.2¹² (wheel includes OpenSSL),3.3.2+patches¹⁶
 six,1.15.0,1.13.0,1.15.0,1.15.0,1.15.0,1.15.0,1.11.0,1.15.0,1.15.0,1.15.0,1.11.0,1.15.0,1.15.0,1.15.0,1.15.0,1.15.0,1.11.0,1.15.0,1.15.0,1.11.0,1.11.0,1.11.0,1.11.0,1.11.0,1.11.0
 ipaddress,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,n/a,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,n/a,n/a,n/a,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23,1.0.23
 cffi,1.14.5,1.14.0,1.15.1,1.15.1,1.15.1,1.15.1,1.14.0,1.15.1,n/a,1.15.1,1.14.0,1.15.1,1.15.1,1.15.1,1.15.1,n/a,1.14.0,1.14.5,1.15.1,1.15.1,1.15.1,1.15.1,1.15.1,1.14.0,1.15.1
@@ -38,10 +38,10 @@ enum34,1.1.10,1.1.6,1.1.10,1.1.10,1.1.10,1.1.10,1.1.6,1.1.10,n/a,1.1.10,1.1.6,1.
 idna,n/a,2.6,n/a,n/a,n/a,n/a,2.6,n/a,n/a,n/a,2.6,n/a,n/a,n/a,n/a,n/a,2.6,n/a,n/a,n/a,n/a,n/a,n/a,2.6,n/a
 pyOpenSSL,19.1.0,19.1.0,19.1.0,21.0.0,21.0.0,21.0.0,19.1.0,21.0.0,0.13.1⁷,21.0.0,19.1.0,21.0.0,21.0.0,21.0.0,21.0.0,0.13.1⁷,0.13.1⁷,0.13.1⁷,19.1.0,21.0.0,21.0.0,21.0.0,21.0.0,19.1.0,21.0.0
 scandir,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0
-psutil,n/a,5.6.5,5.9.5,5.9.5,5.9.5,5.9.5,n/a,5.9.2,n/a,5.9.5,5.6.5,5.9.5,5.9.5,5.9.5,5.9.5,n/a,n/a,n/a,5.9.2,5.9.5,5.9.5,5.9.5,5.9.5,n/a,5.9.5
+psutil,n/a,5.6.5,6.0.0,5.9.6,6.0.0,5.9.6,n/a,5.9.2,n/a,6.0.0,5.6.5,5.9.6,6.0.0,5.9.6,5.9.6,n/a,n/a,n/a,6.0.0,5.9.6,6.0.0,6.0.0,5.9.6,n/a,6.0.0
 subprocess32,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4
 bcrypt,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,n/a,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7
-pywin32,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,,n/a,227,228
+pywin32,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,227,228
 ,,,,,,,,,,,,,,,,,,,,,,,,,
 Abbreviations:,n/a: not applicable,,,,,,,,,,Notes:,"0. Dependencies above are listed as per the current build process, not necessarily for the latest released versions of python-package.",,,,,,,,,,,,,
 ,p/o: provided with OS,,,,,,,,,,,"1. Tier 1 platforms, fully supported and tested",,,,,,,,,,,,,
@@ -56,8 +56,8 @@ Colour codes:,DARKGREY: Tier 2 platforms and their problematic dependencies,,,,,
 ,,,,,,,,,,,,10. https://www.openssl.org/news/openssl-1.1.1-notes.html,,,,,,,,,,,,,
 ,,,,,,,,,,,,11. https://github.com/ActiveState/cpython/tags,,,,,,,,,,,,,
 ,,,,,,,,,,,,12. https://cryptography.io/en/latest/changelog.html,,,,,,,,,,,,,
-,,,,,,,,,,,,"13. On Windows, the upstream Python 2.7.18 packages are hot patched for all known issues except CVE-2021-3177 and CVE-2020-10735",,,,,,,,,,,,,
+,,,,,,,,,,,,"13. On Windows, the upstream Python 2.7.18 packages are not patched for CVE-2020-10735, CVE-2021-3177, CVE-2022-48560, CVE-2022-48566, CVE-2023-40217, CVE-2024-0397.",,,,,,,,,,,,,
 ,,,,,,,,,,,,14. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3572,,,,,,,,,,,,,
 ,,,,,,,,,,,,15. Corresponds to upstream OpenSSL version 1.0.2zg from 07 Feb 2023.,,,,,,,,,,,,,
-,,,,,,,,,,,,"16. Both cryptography 3.2.1 and version 3.3.2 have been patched for CVE-2023-23931, but not for CVE-2023-38325.",,,,,,,,,,,,,
-,,,,,,,,,,,,17. Versions older than 65.5.1 are vulnerable to CVE-2022-40897.,,,,,,,,,,,,,
+,,,,,,,,,,,,"16. Both cryptography 3.2.1 and version 3.3.2+patches have been patched for CVE-2023-23931 and CVE-2023-49083, but not for CVE-2023-38325. Other issues might be present.",,,,,,,,,,,,,
+,,,,,,,,,,,,"17. Vulnerable to CVE-2022-40897, CVE-2024-6345.",,,,,,,,,,,,,