Skip to content

chore(deps): update dependency cryptography to v46.0.6 [security]#116

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-cryptography-vulnerability
Open

chore(deps): update dependency cryptography to v46.0.6 [security]#116
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-cryptography-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Mar 29, 2026

This PR contains the following updates:

Package Change Age Confidence
cryptography (changelog) ==46.0.5==46.0.6 age confidence

GitHub Vulnerability Alerts

CVE-2026-34073

Summary

In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com.

This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.

In practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.

See CVE-2025-61727 for a similar bypass in Go's crypto/x509.

Remediation

Users should upgrade to 46.0.6 or newer.

Attribution

Reporter: @​1seal

Release Notes

pyca/cryptography (cryptography)

v46.0.6

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner March 29, 2026 04:17
@renovate renovate bot enabled auto-merge (squash) March 29, 2026 04:17
@renovate renovate bot requested review from arturo-seijas and nrobinaubertin and removed request for a team March 29, 2026 04:17
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 29, 2026

Test results for commit c0999a0

Test coverage for c0999a0

Name            Stmts   Miss Branch BrPart  Cover   Missing
-----------------------------------------------------------
src/charm.py       47      0      6      0   100%
src/errors.py       1      0      0      0   100%
src/state.py      139      0     32      0   100%
-----------------------------------------------------------
TOTAL             187      0     38      0   100%

Static code analysis report

Run started:2026-03-29 04:23:40.384383+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 986
  Total lines skipped (#nosec): 0
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 29, 2026

Test results for commit c0999a0

Test coverage for c0999a0

Name                   Stmts   Miss Branch BrPart  Cover   Missing
------------------------------------------------------------------
src/certificates.py       21      2      6      2    85%   65-68
src/charm.py             106     12      8      0    89%   64-65, 120, 149, 153-156, 211-213, 223-225
src/errors.py             16      0      0      0   100%
src/nginx_manager.py     199     36     16      4    81%   207, 213-219, 224-226, 229, 277-279, 295-297, 337-342, 417-419, 438-442, 461->463, 543-548
src/state.py             163     13     34      1    92%   154-159, 429-439
src/utilities.py          13      0      0      0   100%
------------------------------------------------------------------
TOTAL                    518     63     64      7    88%

Static code analysis report

Run started:2026-03-29 04:27:12.600389+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 1208
  Total lines skipped (#nosec): 0
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 2

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

@nrobinaubertin nrobinaubertin Awaiting requested review from nrobinaubertin nrobinaubertin is a code owner automatically assigned from canonical/platform-engineering

@arturo-seijas arturo-seijas Awaiting requested review from arturo-seijas arturo-seijas is a code owner automatically assigned from canonical/platform-engineering

Assignees

No one assigned

Labels

Libraries: OK

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants