Bump cryptography to >=48.0 to fix CVE-2026-34180#59

Open
roeezis wants to merge 3 commits into cyberark:main from roeezis:fix/bump-cryptography-48

Conversation

@roeezis roeezis commented Jul 1, 2026


What

Bump the cryptography constraint from ~=46.0.5 to ~=48.0 in setup.cfg and requirements.txt.

Why

cryptography~=46.0.5 caps the dependency at >=46.0.5,<47, which blocks downstream consumers from resolving cryptography>=48.0.1 — the fix for CVE-2026-34180 (SNYK-PYTHON-CRYPTOGRAPHY-17344551, out-of-bounds read in the ASN.1 decoder). Any project depending on conjur-api inherits the vulnerable ceiling and cannot remediate.

cryptography is a transitive dependency here — it is not imported directly anywhere in conjur_api — so widening the constraint has no API-surface impact.

Testing

  • cryptography~=48.0 resolves cleanly (48.0.1) alongside the other pinned deps (keyring, aiohttp, pyopenssl, urllib3).
  • Ran the unit suite on both cryptography 46.0.7 (baseline) and 48.0.1: identical results — the same pre-existing platform/network-dependent failures (OS trust-store string, live badssl.com endpoints) appear in both; the crypto bump introduces zero new failures.

Changelog

Added a ### Security entry under [Unreleased].

🤖 Generated with Claude Code

roeezisholz and others added 3 commits July 1, 2026 12:36
cryptography ~=46.0.5 caps the transitive dependency below 47, blocking
downstream consumers from resolving cryptography>=48.0.1 (CVE-2026-34180,
SNYK-PYTHON-CRYPTOGRAPHY-17344551, OOB read). cryptography is not imported
directly by conjur_api; widening the constraint has no API impact.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
cryptography is transitive and not imported directly; an upper bound only
risks re-blocking consumers (e.g. cryptography 49.x is already released).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
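The constraint arithmetic that the description and the third commit rely on (a `~=` compatible-release specifier carries an implied upper bound, so `~=46.0.5` can never resolve 48.0.1, and `~=48.0` would in turn shut out a 49.x release) worked through as an added example; this is not code from the pull request or from the conjur-api project. It implements the PEP 440 compatible-release rule by hand for plain dotted versions instead of pulling in the `packaging` library, and the release list is constructed from the versions named on this page.

```python
"""Which cryptography releases does a setup.cfg/requirements specifier admit?"""
from typing import Callable, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Parse a plain dotted release like '48.0.1' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))

def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so (48, 0) compares equal to (48, 0, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def _clause(clause: str) -> Callable[[Version], bool]:
    """Turn one clause ('~=46.0.5', '>=48.0', '<49') into a predicate."""
    clause = clause.strip()
    for op in ("~=", ">=", "<=", "==", "<", ">"):
        if clause.startswith(op):
            ver = parse_version(clause[len(op):])
            break
    else:
        raise ValueError(f"unsupported clause: {clause!r}")
    if op == "~=":
        # PEP 440 compatible release: ~=X.Y.Z means >=X.Y.Z,<X.(Y+1) and
        # ~=X.Y means >=X.Y,<(X+1): drop the last component, bump the one
        # before it, and that becomes the implied upper bound.
        ceiling = ver[:-2] + (ver[-2] + 1,)
        lo = _clause(">=" + ".".join(map(str, ver)))
        hi = _clause("<" + ".".join(map(str, ceiling)))
        return lambda v: lo(v) and hi(v)
    ops = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
           "==": lambda a, b: a == b, "<": lambda a, b: a < b,
           ">": lambda a, b: a > b}
    return lambda v, _op=ops[op], _ver=ver: _op(*_pad(v, _ver))

def admits(specifier: str, candidate: str) -> bool:
    """True if every comma-separated clause of the specifier accepts candidate."""
    return all(_clause(c)(parse_version(candidate)) for c in specifier.split(","))

def admitted(specifier: str, candidates: List[str]) -> List[str]:
    """Filter a release list down to the versions a resolver could pick."""
    return [c for c in candidates if admits(specifier, c)]

# Constructed release list: the cryptography versions this PR talks about.
RELEASES = ["46.0.5", "46.0.7", "47.0.0", "48.0.1", "49.0.0"]

if __name__ == "__main__":
    for spec in ("~=46.0.5", "~=48.0", ">=48.0"):
        print(f"{spec:>9} admits {admitted(spec, RELEASES)}")
```

Running it shows the old pin stopping at 46.0.7, the intermediate `~=48.0` title excluding 49.0.0, and the final `>=48.0` admitting every release from the fixed one onward.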
@roeezis roeezis changed the title Bump cryptography to ~=48.0 to fix CVE-2026-34180 Bump cryptography to >=48.0 to fix CVE-2026-34180 Jul 1, 2026
tarnowsc commented Jul 2, 2026


@roeezis thank you for the proposal. Our process requires those changes to be merged first into our internal repositories and then published to public GitHub; we're working on that right now. Unfortunately there are other factors affecting our ability to publish and we're also looking into them. I'll keep you posted on the progress.
