openssl_encrypt 1.4.5 — 2026-06-12
Security dependency update. No code or on-disk format changes — every file
encrypted with earlier versions remains decryptable.
Security
Updated pinned dependencies to versions fixing published CVEs (all verified
clean against the OSV database):
| Package | Version | Fixes |
|---|---|---|
| urllib3 | 2.6.3 → 2.7.0 | CVE-2026-44431 (sensitive headers forwarded across origins in proxied low-level redirects), CVE-2026-44432 (decompression-bomb safeguard bypass in the streaming API) |
| cryptography | 46.0.6 → 46.0.7 | CVE-2026-39892 (buffer overflow with non-contiguous Python buffers in APIs such as Hash.update()) |
| pillow | 12.1.1 → 12.2.0 | Integer-overflow bypass of the PSD tile-extent bounds checks (out-of-bounds write, follow-up to CVE-2026-25990) |
| idna | 3.11 → 3.15 | Incomplete-fix follow-up to CVE-2024-3651 (DoS via crafted inputs) |
Development-only dependencies (not part of the shipped package) were updated as
well: authlib 1.6.12 (CVE-2026-41425, CVE-2026-41479, CVE-2026-44681), pygments
2.20.0 (CVE-2026-4539), pytest 9.0.3 (CVE-2025-71176).
Internal
- New `flatpak-pin-check` CI job and consistency test: the flatpak manifest's
  hard-coded pip pins are verified against `requirements-prod.txt` on every
  push, including feature branches. The check immediately caught and fixed a
  stale `requests` pin in the manifest.
- Flatpak manifest dependency pins aligned with the package requirements.
- README refreshed for the 1.4.x line (HSM token binding, cascade encryption,
Threefish, and streaming encryption now listed in the security features
overview; obsolete v1.4.0-beta sections removed).
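As an added illustration of the manifest-versus-requirements pin check described above (example code, not the project's own CI job or test): the script pulls every `name==version` pin out of the flatpak manifest's pip install build commands, does the same for the requirements file, and reports each manifest pin that is stale or absent. The manifest layout, file contents and the `PLACEHOLDER` hash are constructed sample input.

```python
import re
from typing import Dict, Optional, Tuple

# "name==version" tokens, in requirements lines and in manifest pip install commands.
PIN_RE = re.compile(r"(?<![\w.-])([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][\w.!+-]*)")

def norm(name: str) -> str:
    """PEP 503 name normalisation, so 'Pillow' and 'pillow' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def pins_from_requirements(text: str) -> Dict[str, str]:
    """Exact '==' pins; comments, pip options and '--hash' continuation lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = PIN_RE.search(line) if line and not line.startswith("-") else None
        if m:
            pins[norm(m.group(1))] = m.group(2)
    return pins

def pins_from_manifest(manifest: dict) -> Dict[str, str]:
    """Exact '==' pins found in the pip install build commands of every module."""
    pins = {}
    for module in manifest.get("modules", []):
        for cmd in module.get("build-commands", []):
            if "pip" in cmd and "install" in cmd:
                for name, ver in PIN_RE.findall(cmd):
                    pins[norm(name)] = ver
    return pins

def find_mismatches(manifest_pins, req_pins) -> Dict[str, Tuple[str, Optional[str]]]:
    """{package: (manifest_version, requirements_version)} for each manifest pin
    that differs from, or is missing in, the requirements file."""
    return {n: (v, req_pins.get(n)) for n, v in manifest_pins.items()
            if req_pins.get(n) != v}

# Constructed sample input: the manifest still carries the pre-1.4.5 urllib3 pin.
SAMPLE_MANIFEST = {"modules": [{"name": "python3-deps", "build-commands": [
    "pip3 install --no-deps --prefix=/app urllib3==2.6.3 cryptography==46.0.7 Pillow==12.2.0"]}]}
SAMPLE_REQUIREMENTS = """# requirements-prod.txt (constructed)
urllib3==2.7.0 \\
    --hash=sha256:PLACEHOLDER
cryptography==46.0.7
pillow==12.2.0
"""

def check_sample() -> Dict[str, Tuple[str, Optional[str]]]:
    return find_mismatches(pins_from_manifest(SAMPLE_MANIFEST),
                           pins_from_requirements(SAMPLE_REQUIREMENTS))
```

Wired into CI, a non-empty result from `find_mismatches` is the failure condition; the sample above reports only the stale `urllib3` pin, since the `Pillow` spelling difference is absorbed by the name normalisation.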
Upgrade
pip install --upgrade openssl_encrypt
Full details: CHANGELOG.md