Vulnerability CVE-2020-36242

[dfl-erik]

Describe the bug
Multiple versions of Ambassador (I've tried both 1.9.0 and 1.11.1) have a vulnerability for the non OS package Cryptography

To Reproduce
Steps to reproduce the behavior:

1. Produce a docker image based on datawire/ambassador:1.9.0 or datawire/ambassador:1.11.1
2. Scan the docker image using a container scanner, we use the Anchore Engine

Expected behavior
No vulnerabilities found

Versions (please complete the following information):

• Ambassador: 1.9.0/1.11.1
• Kubernetes environment: Azure Kubernetes Services
• Version: 1.18.8

Additional context
Version 3.3.2 of the cryptography package fixes the vulnerability, however since cryptography is a non OS package it's not easy to upgrade. I have tried upgrading the package several ways using pip and have been unsuccessful in my attempts.

[kflynn]

Reopening until the fix actually ships.

[kflynn]

This is fixed in Ambassador 1.12 (by, uh, removing the cryptography package entirely).

[kflynn]

(Whoops. Meant to close with that comment above. 🙄 🙂 )