Skip to content

chore(deps): update dependency cryptography to v46.0.7 [security] - autoclosed#771

Closed
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-cryptography-vulnerability
Closed

chore(deps): update dependency cryptography to v46.0.7 [security] - autoclosed#771
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-cryptography-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Mar 27, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
cryptography (changelog) ==46.0.5==46.0.7 age confidence

GitHub Vulnerability Alerts

CVE-2026-34073

Summary

In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com.

This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.

In practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.

See CVE-2025-61727 for a similar bypass in Go's crypto/x509.

Remediation

Users should upgrade to 46.0.6 or newer.

Attribution

Reporter: @​1seal

Severity
  • CVSS Score: 1.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

CVE-2026-39892

If a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. For example:

h = Hash(SHA256())
b.update(buf[::-1])

would read past the end of the buffer on Python >3.11

Severity
  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Release Notes

pyca/cryptography (cryptography)

v46.0.7

Compare Source

v46.0.6

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (squash) March 27, 2026 23:03
@renovate renovate Bot changed the title chore(deps): update dependency cryptography to v46.0.6 [security] chore(deps): update dependency cryptography to v46.0.6 [security] - autoclosed Mar 31, 2026
@renovate renovate Bot closed this Mar 31, 2026
auto-merge was automatically disabled March 31, 2026 12:07

Pull request was closed

@renovate renovate Bot deleted the renovate/pypi-cryptography-vulnerability branch March 31, 2026 12:07
@renovate renovate Bot changed the title chore(deps): update dependency cryptography to v46.0.6 [security] - autoclosed chore(deps): update dependency cryptography to v46.0.6 [security] Apr 1, 2026
@renovate renovate Bot reopened this Apr 1, 2026
@renovate renovate Bot force-pushed the renovate/pypi-cryptography-vulnerability branch 2 times, most recently from 989c3df to 4149747 Compare April 1, 2026 09:31
@renovate renovate Bot changed the title chore(deps): update dependency cryptography to v46.0.6 [security] chore(deps): update dependency cryptography to v46.0.6 [security] - autoclosed Apr 16, 2026
@renovate renovate Bot closed this Apr 16, 2026
@renovate renovate Bot changed the title chore(deps): update dependency cryptography to v46.0.6 [security] - autoclosed chore(deps): update dependency cryptography to v46.0.7 [security] Apr 16, 2026
@renovate renovate Bot reopened this Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/pypi-cryptography-vulnerability branch 2 times, most recently from 4149747 to 0353c21 Compare April 16, 2026 08:12
@renovate renovate Bot changed the title chore(deps): update dependency cryptography to v46.0.7 [security] chore(deps): update dependency cryptography to v46.0.7 [security] - autoclosed Apr 22, 2026
@renovate renovate Bot closed this Apr 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

@cbartz cbartz Awaiting requested review from cbartz cbartz is a code owner

@yhaliaw yhaliaw Awaiting requested review from yhaliaw yhaliaw is a code owner

@javierdelapuente javierdelapuente Awaiting requested review from javierdelapuente javierdelapuente is a code owner

@yanksyoon yanksyoon Awaiting requested review from yanksyoon yanksyoon is a code owner

@florentianayuwono florentianayuwono Awaiting requested review from florentianayuwono florentianayuwono is a code owner

@weiiwang01 weiiwang01 Awaiting requested review from weiiwang01 weiiwang01 is a code owner

Assignees

No one assigned

Labels

Libraries: OK

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants