Bump cryptography to >=48.0 to fix CVE-2026-34180 #59
Open
roeezis wants to merge 3 commits into
Conversation
cryptography ~=46.0.5 caps the transitive dependency below 47, blocking downstream consumers from resolving cryptography>=48.0.1 (CVE-2026-34180, SNYK-PYTHON-CRYPTOGRAPHY-17344551, OOB read). cryptography is not imported directly by conjur_api; widening the constraint has no API impact.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
cryptography is transitive and not imported directly; an upper bound only risks re-blocking consumers (e.g. cryptography 49.x is already released).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@roeezis thank you for the proposal. Our process requires those changes to be merged first into our internal repositories and then published to public GitHub; we're working on that right now. Unfortunately there are other factors affecting our ability to publish and we're also looking into them. I'll keep you posted on the progress.
What
Bump the cryptography constraint from ~=46.0.5 to ~=48.0 in setup.cfg and requirements.txt.

Why
cryptography~=46.0.5 caps the dependency at >=46.0.5,<47, which blocks downstream consumers from resolving cryptography>=48.0.1 — the fix for CVE-2026-34180 (SNYK-PYTHON-CRYPTOGRAPHY-17344551, out-of-bounds read in the ASN.1 decoder). Any project depending on conjur-api inherits the vulnerable ceiling and cannot remediate. cryptography is a transitive dependency here — it is not imported directly anywhere in conjur_api — so widening the constraint has no API-surface impact.

Testing
cryptography~=48.0 resolves cleanly (48.0.1) alongside the other pinned deps (keyring, aiohttp, pyopenssl, urllib3). cryptography 46.0.7 (baseline) and 48.0.1: identical results — the same pre-existing platform/network-dependent failures (OS trust-store string, live badssl.com endpoints) appear in both; the crypto bump introduces zero new failures.

Changelog
Added a ### Security entry under [Unreleased].

🤖 Generated with Claude Code
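As an added example (not code from this PR or from conjur-api), a small PEP 440-style checker that expands the compatible-release operator (~=) and tests whether a library's pin excludes the release a downstream consumer needs for a fix. It assumes plain dotted integer versions only (no pre-release, post-release or local tags); the specifiers and version numbers exercised are the ones named in the PR discussion.

```python
from __future__ import annotations

Version = tuple[int, ...]

def parse_version(text: str) -> Version:
    # Plain dotted integers only (assumption: no pre/post/dev or local tags).
    return tuple(int(p) for p in text.strip().split("."))

def compare(a: Version, b: Version) -> int:
    # Pad with zeros so 48.0 == 48.0.0, then return -1 / 0 / 1.
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def expand_compatible(ver: Version) -> list[tuple[str, Version]]:
    # PEP 440: ~=X.Y.Z means >=X.Y.Z and ==X.Y.*, i.e. <X.(Y+1);
    # ~=X.Y means >=X.Y and <(X+1). At least two components are required.
    if len(ver) < 2:
        raise ValueError("~= needs at least two version components")
    ceiling = ver[:-2] + (ver[-2] + 1,)
    return [(">=", ver), ("<", ceiling)]

def parse_specifier(spec: str) -> list[tuple[str, Version]]:
    clauses: list[tuple[str, Version]] = []
    for clause in spec.replace(" ", "").split(","):
        for op in ("~=", ">=", "<=", "==", "<", ">"):  # two-char ops first
            if clause.startswith(op):
                ver = parse_version(clause[len(op):])
                clauses += expand_compatible(ver) if op == "~=" else [(op, ver)]
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return clauses

def fmt(spec: str) -> str:
    # Human-readable expansion, e.g. "~=48.0" -> ">=48.0,<49".
    return ",".join(op + ".".join(map(str, v)) for op, v in parse_specifier(spec))

_CHECKS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
           "<": lambda c: c < 0, ">": lambda c: c > 0}

def satisfies(version: str, spec: str) -> bool:
    v = parse_version(version)
    return all(_CHECKS[op](compare(v, bound)) for op, bound in parse_specifier(spec))

def blocks_fix(library_spec: str, fixed_version: str) -> bool:
    # True when a library's pin excludes the first patched release, so a
    # downstream project cannot pull the fix until the library widens its pin.
    return not satisfies(fixed_version, library_spec)
```

Running blocks_fix("~=46.0.5", "48.0.1") reproduces the situation the PR describes, while comparing "~=48.0" and ">=48.0" against "49.0.0" shows why the third commit dropped the upper bound.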