Update dependency cryptography to v46 [SECURITY]#34

Open

renovate[bot] wants to merge 1 commit intomainfrom

renovate/pypi-cryptography-vulnerability

Contributor

renovate bot commented Feb 11, 2025 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
cryptography (changelog)	`==43.0.1` → `==46.0.6`

GitHub Vulnerability Alerts

CVE-2026-34073

Summary

In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com.

This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.

In practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.

See CVE-2025-61727 for a similar bypass in Go's crypto/x509.

Remediation

Users should upgrade to 46.0.6 or newer.

Attribution

Reporter: @1seal

Release Notes

pyca/cryptography (cryptography)

`v46.0.6`

`v46.0.5`

`v46.0.4`

`v46.0.3`

`v46.0.2`

`v46.0.1`

`v46.0.0`

`v45.0.7`

`v45.0.6`

`v45.0.5`

`v45.0.4`

`v45.0.3`

`v45.0.2`

`v45.0.1`

`v45.0.0`

`v44.0.3`

`v44.0.2`

`v44.0.1`

`v44.0.0`

`v43.0.3`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot assigned tjbenator

renovate bot changed the title ~~Update dependency cryptography to v44 [SECURITY]~~ Update dependency cryptography to v44 [SECURITY] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/pypi-cryptography-vulnerability branch

March 13, 2025 01:35

renovate bot changed the title ~~Update dependency cryptography to v44 [SECURITY] - autoclosed~~ Update dependency cryptography to v44 [SECURITY]

renovate bot reopened this

renovate bot force-pushed the renovate/pypi-cryptography-vulnerability branch from dfb0629 to f6cc2a5 Compare

March 17, 2025 18:36

renovate bot force-pushed the renovate/pypi-cryptography-vulnerability branch from f6cc2a5 to 66a21e0 Compare

February 11, 2026 05:48

renovate bot changed the title ~~Update dependency cryptography to v44 [SECURITY]~~ Update dependency cryptography to v46 [SECURITY]

renovate bot changed the title ~~Update dependency cryptography to v46 [SECURITY]~~ Update dependency cryptography to v46 [SECURITY] - autoclosed

renovate bot closed this


          Update dependency cryptography to v46 [SECURITY]

d9cc0c1

renovate bot changed the title ~~Update dependency cryptography to v46 [SECURITY] - autoclosed~~ Update dependency cryptography to v46 [SECURITY]

renovate bot reopened this

renovate bot force-pushed the renovate/pypi-cryptography-vulnerability branch 2 times, most recently from 66a21e0 to d9cc0c1 Compare

March 28, 2026 20:40

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet