Bump openexr from 3.2.6 to 3.2.7#37

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/pip/openexr-3.2.7

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 8, 2026

Bumps openexr from 3.2.6 to 3.2.7.

Release notes

Sourced from openexr's releases.

v3.2.7

Patch release for v3.2 that addresses the following security vulnerabilities:

  • CVE-2026-34589 DWA Lossy Decoder Heap Out-of-Bounds Write
  • CVE-2026-34588 Signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
  • CVE-2026-34544 integer overflow to OOB write in uncompress_b44_impl()
  • CVE-2026-34543 Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)
  • CVE-2026-34380 Signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression
  • CVE-2026-34379 Misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)

Changelog

Sourced from openexr's changelog.

Version 3.2.7 (April 3, 2026)

Patch release for v3.2 that addresses the following security vulnerabilities:

  • CVE-2026-34589 DWA Lossy Decoder Heap Out-of-Bounds Write
  • CVE-2026-34588 Signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
  • CVE-2026-34544 integer overflow to OOB write in uncompress_b44_impl()
  • CVE-2026-34543 Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)
  • CVE-2026-34380 Signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression
  • CVE-2026-34379 Misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)

Merged Pull Requests

  • 2329 Fix signed integer overflow in LossyDctDecoder_execute() pointer arithmetic
  • 2328 fix integer overflow in PIZ wavelet buffer arithmetic
  • 2324 Fix misaligned memory access in LossyDctDecoder_execute HALF→FLOAT expansion
  • 2323 fix signed integer overflow in undo_pxr24_impl()
  • 2312 Fix B44/B44A integer overflow: use uint64_t for row offset
  • 2310 PXR24: reject zlib output that does not match packed payload size

Commits

  • f6f9cee update notes for v3.2.7 with recent cves
  • 76af7d7 Fix misaligned memory access in LossyDctDecoder_execute HALF→FLOAT expansio...
  • a5e5a2e Security: fix signed integer overflow in undo_pxr24_impl() (PXR24 decoder) ...
  • 881b546 PXR24: reject zlib output that does not match packed payload size (#2310)
  • f379b5c Fix B44/B44A integer overflow: use uint64_t for row offset (#2312)
  • fef779d Notes for v3.2.7
  • 118ac9e Bump version for v3.2.7
  • a76a8e0 Fix signed integer overflow in LossyDctDecoder_execute() pointer arithmetic...
  • ca01392 fix integer overflow in PIZ wavelet buffer arithmetic (#2328)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [openexr](https://github.com/AcademySoftwareFoundation/OpenEXR) from 3.2.6 to 3.2.7.
- [Release notes](https://github.com/AcademySoftwareFoundation/OpenEXR/releases)
- [Changelog](https://github.com/AcademySoftwareFoundation/openexr/blob/main/CHANGES.md)
- [Commits](AcademySoftwareFoundation/openexr@v3.2.6...v3.2.7)

---
updated-dependencies:
- dependency-name: openexr
  dependency-version: 3.2.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) on Apr 8, 2026.