Skip to content

chore(deps): update dependency cryptography to v46.0.7 [security]#116

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/pypi-cryptography-vulnerability
Apr 19, 2026
Merged

chore(deps): update dependency cryptography to v46.0.7 [security]#116
renovate[bot] merged 1 commit intomainfrom
renovate/pypi-cryptography-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Mar 29, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
cryptography (changelog) ==46.0.5==46.0.7 age confidence

GitHub Vulnerability Alerts

CVE-2026-34073

Summary

In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com.

This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.

In practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.

See CVE-2025-61727 for a similar bypass in Go's crypto/x509.

Remediation

Users should upgrade to 46.0.6 or newer.

Attribution

Reporter: @​1seal

Severity
  • CVSS Score: 1.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

CVE-2026-39892

If a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. For example:

h = Hash(SHA256())
b.update(buf[::-1])

would read past the end of the buffer on Python >3.11

Severity
  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Release Notes

pyca/cryptography (cryptography)

v46.0.7

Compare Source

v46.0.6

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner March 29, 2026 04:17
@renovate renovate Bot enabled auto-merge (squash) March 29, 2026 04:17
@renovate renovate Bot requested review from arturo-seijas and nrobinaubertin and removed request for a team March 29, 2026 04:17
@renovate renovate Bot force-pushed the renovate/pypi-cryptography-vulnerability branch from c0999a0 to df114a1 Compare April 3, 2026 09:52
@renovate renovate Bot changed the title chore(deps): update dependency cryptography to v46.0.6 [security] chore(deps): update dependency cryptography to v46.0.7 [security] Apr 8, 2026
@renovate renovate Bot force-pushed the renovate/pypi-cryptography-vulnerability branch from df114a1 to eab432f Compare April 8, 2026 21:08
@renovate renovate Bot changed the title chore(deps): update dependency cryptography to v46.0.7 [security] chore(deps): update dependency cryptography to v46.0.7 [security] - autoclosed Apr 10, 2026
@renovate renovate Bot closed this Apr 10, 2026
auto-merge was automatically disabled April 10, 2026 16:08

Pull request was closed

@renovate renovate Bot deleted the renovate/pypi-cryptography-vulnerability branch April 10, 2026 16:08
@renovate renovate Bot changed the title chore(deps): update dependency cryptography to v46.0.7 [security] - autoclosed chore(deps): update dependency cryptography to v46.0.7 [security] Apr 15, 2026
@renovate renovate Bot reopened this Apr 15, 2026
@renovate renovate Bot force-pushed the renovate/pypi-cryptography-vulnerability branch 2 times, most recently from eab432f to b0eaebb Compare April 15, 2026 11:32
@renovate renovate Bot enabled auto-merge (squash) April 19, 2026 12:39
@renovate renovate Bot force-pushed the renovate/pypi-cryptography-vulnerability branch from b0eaebb to 7be2dee Compare April 19, 2026 12:39
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 19, 2026

Test results for commit 7be2dee

Test coverage for 7be2dee

Name            Stmts   Miss Branch BrPart  Cover   Missing
-----------------------------------------------------------
src/charm.py       47      0      6      0   100%
src/errors.py       1      0      0      0   100%
src/state.py      139      0     32      0   100%
-----------------------------------------------------------
TOTAL             187      0     38      0   100%

Static code analysis report

Run started:2026-04-19 12:55:39.434304+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 986
  Total lines skipped (#nosec): 0
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 19, 2026

Test results for commit 7be2dee

Test coverage for 7be2dee

Name                   Stmts   Miss Branch BrPart  Cover   Missing
------------------------------------------------------------------
src/certificates.py       21      2      6      2    85%   65-68
src/charm.py             106     12      8      0    89%   64-65, 120, 149, 153-156, 211-213, 223-225
src/errors.py             16      0      0      0   100%
src/nginx_manager.py     199     36     16      4    81%   207, 213-219, 224-226, 229, 277-279, 295-297, 337-342, 417-419, 438-442, 461->463, 543-548
src/state.py             163     13     34      1    92%   154-159, 429-439
src/utilities.py          13      0      0      0   100%
------------------------------------------------------------------
TOTAL                    518     63     64      7    88%

Static code analysis report

Run started:2026-04-19 12:59:12.732824+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 1208
  Total lines skipped (#nosec): 0
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 2

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

@renovate renovate Bot force-pushed the renovate/pypi-cryptography-vulnerability branch from 7be2dee to 27a9d6e Compare April 19, 2026 13:43
@renovate renovate Bot merged commit 8f3a599 into main Apr 19, 2026
35 of 36 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

@nrobinaubertin nrobinaubertin Awaiting requested review from nrobinaubertin nrobinaubertin is a code owner automatically assigned from canonical/platform-engineering

@arturo-seijas arturo-seijas Awaiting requested review from arturo-seijas arturo-seijas is a code owner automatically assigned from canonical/platform-engineering

Assignees

No one assigned

Labels

Libraries: OK

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants