The family of functions to read "borrowed" values from Python weak references was fundamentally unsound, because the weak reference does not itself have ownership of the value. At any point the last strong reference could be cleared and the borrowed value would become dangling. In PyO3 0.22.4 these functions have all been deprecated and patched to leak a strong reference as a mitigation. PyO3 0.23 will remove these functions entirely.
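As an added illustration of the unsoundness described above (not code from the advisory, PyO3, or cryptography), a std-only Rust model using Rc/Weak: the sound upgrade-then-use pattern beside a model of the 0.22.4 mitigation that leaks a strong reference. `PyObj` and the function names are assumptions for the model, not PyO3 APIs.

```rust
use std::rc::{Rc, Weak};

/// Stand-in for a Python object; Rc's strong count plays the role of the
/// interpreter's reference count, and Weak plays the role of a weakref.
struct PyObj {
    name: String,
}

/// The sound pattern: upgrade the weak reference to a strong one and hold it
/// for as long as the value is used. Returns None if the object is already gone.
fn read_via_upgrade(w: &Weak<PyObj>) -> Option<String> {
    w.upgrade().map(|strong| strong.name.clone())
}

/// Model of the 0.22.4 mitigation for the deprecated "borrowed" getters: upgrade,
/// then leak the strong reference so the handed-out borrow can never dangle.
/// The price is that the object is never freed while the program runs.
fn read_borrowed_leaky<'a>(w: &'a Weak<PyObj>) -> Option<&'a PyObj> {
    let strong = w.upgrade()?;
    let ptr = Rc::into_raw(strong); // strong count stays incremented forever
    // SAFETY: the leaked Rc keeps the allocation alive for the rest of the program.
    Some(unsafe { &*ptr })
}

/// Returns (readable before drop, readable after drop) for the sound pattern.
fn sound_lifecycle() -> (bool, bool) {
    let obj = Rc::new(PyObj { name: "constructed sample".to_string() });
    let w = Rc::downgrade(&obj);
    let before = read_via_upgrade(&w).is_some();
    drop(obj); // last strong ref cleared; a borrow taken earlier would now dangle
    let after = read_via_upgrade(&w).is_some();
    (before, after)
}

/// Returns (borrowed value still valid after drop, strong count kept by the leak).
fn leaky_lifecycle() -> (bool, usize) {
    let obj = Rc::new(PyObj { name: "constructed sample".to_string() });
    let w = Rc::downgrade(&obj);
    let borrowed = read_borrowed_leaky(&w).expect("object is alive");
    drop(obj); // would be the last reference without the leak
    let still_valid = borrowed.name == "constructed sample";
    (still_valid, Weak::strong_count(&w))
}

fn main() {
    println!("sound pattern (before, after drop): {:?}", sound_lifecycle());
    println!("leaky mitigation (valid, strong count): {:?}", leaky_lifecycle());
}
```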
The patch in the latest version is huge: https://github.com/PyO3/pyo3/pull/4590/files
The weakref Python types were added in https://github.com/PyO3/pyo3/pull/3835, that is, version 0.22.0. We ship 0.15.2 in the bundled crates of cryptography. The only file that we ship which has some change through the fix is here: https://github.com/PyO3/pyo3/commit/26abde5f858286b78c755da3b2627e4d13b4b234#diff-f7a0cd3c685f42419e34ce7c1be728ffc394d644b49715ae7112a2d6f45849f6 Also, this fix is related to free-threaded Python. This requires more investigation, but from my initial finding we should not be affected.
You are right. The python-cryptography in RHEL 8 and 9, and also the versions in the alternative stacks Python 3.11 and 3.12, are too old to include the vulnerable code. The only exception is RHEL 10, where we have version 43.0.0 and that bundles pyo3 version 0.22.0: https://github.com/pyca/cryptography/commit/47aced28c8f27b4dbb61f4fc79af444a18279463 The free-threading implementation for pyo3 hasn't been finished yet: https://github.com/pyca/cryptography/commit/47aced28c8f27b4dbb61f4fc79af444a18279463