
Bump cryptography minimum version to 46.0.7#534

Open

werk24 wants to merge 1 commit into main from claude/exciting-ptolemy-G4WUQ

Conversation

@werk24
Contributor

@werk24 werk24 commented May 28, 2026

Summary

Updates the minimum required version of the cryptography dependency from 46.0.5 to 46.0.7 to include an additional security fix for buffer overflow vulnerabilities with non-contiguous buffers.

Changes

  • Updated pyproject.toml to require cryptography>=46.0.7
  • Updated requirements.txt to pin cryptography==46.0.7
  • Enhanced dependency documentation to clarify that version 46.0.7 includes:
    • Fix for buffer overflow with non-contiguous buffers (GHSA)
    • CVE-2026-26007 (elliptic curve subgroup validation)
    • CVE-2024-26130 (NULL pointer dereference with pkcs12)

Details

This change ensures users have access to the latest security patches in the cryptography library. The version constraint maintains the existing policy of no upper bound to follow SemVer and prevent dependency conflicts.

https://claude.ai/code/session_01217vzNmVWH7Ddt8jg7iHtc

Addresses Dependabot alert #23: cryptography < 46.0.7 could read past
the end of a buffer when a non-contiguous buffer was passed to APIs
accepting Python buffers (e.g. Hash.update()).

https://claude.ai/code/session_01217vzNmVWH7Ddt8jg7iHtc
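Two checks a maintainer would want alongside this bump, written as an added example that is neither part of this PR nor code from the pyca/cryptography project: a version floor check against the 46.0.7 minimum the PR sets, and a contiguity guard for the failure mode the alert describes (a non-contiguous Python buffer handed to an API such as Hash.update()). The hashing side uses the standard library's hashlib as a stand-in for any buffer-accepting API, so the block runs without cryptography installed; the version parser is an assumption of this example and handles plain numeric releases only, and the strided memoryview is constructed input.

```python
"""Dependency floor check plus a contiguity guard for buffer-accepting APIs.

Added example, not code from the PR or from pyca/cryptography.
"""
import hashlib
from typing import Optional, Tuple

# Floor set by this PR (pyproject.toml: cryptography>=46.0.7).
MINIMUM_CRYPTOGRAPHY_VERSION = "46.0.7"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted release string such as "46.0.7" into a comparable tuple.

    Assumption of this example: only numeric, dot-separated releases are
    handled; pre-release and local-version suffixes are out of scope here.
    """
    return tuple(int(part) for part in version.strip().split("."))


def version_meets_minimum(installed: str,
                          minimum: str = MINIMUM_CRYPTOGRAPHY_VERSION) -> bool:
    """True when the installed release is at or above the required floor."""
    return parse_version(installed) >= parse_version(minimum)


def installed_cryptography_version() -> Optional[str]:
    """Report the installed cryptography version, or None when it is absent."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return version("cryptography")
    except PackageNotFoundError:
        return None


def is_c_contiguous(buf) -> bool:
    """Ask the buffer protocol whether the bytes are laid out contiguously."""
    return memoryview(buf).c_contiguous


def ensure_contiguous(buf):
    """Return the buffer unchanged if contiguous, else a contiguous bytes copy.

    Copying removes the non-contiguous input that the advisory names as the
    trigger, so callers never hand a strided view to a lower-level API.
    """
    mv = memoryview(buf)
    return mv if mv.c_contiguous else mv.tobytes()


def safe_digest(buf) -> str:
    """SHA-256 of the buffer's logical contents, via the contiguity guard."""
    h = hashlib.sha256()
    h.update(ensure_contiguous(buf))
    return h.hexdigest()


def raw_update_rejects_noncontiguous(buf) -> bool:
    """True if the API refuses the buffer as-is instead of consuming it.

    CPython's hashlib raises BufferError for a non-contiguous memoryview;
    rejecting is the correct behaviour for a buffer-accepting API, as
    opposed to reading past the end of the underlying memory.
    """
    try:
        hashlib.sha256().update(buf)
    except BufferError:
        return True
    return False


if __name__ == "__main__":
    installed = installed_cryptography_version()
    if installed is None:
        print("cryptography is not installed in this environment")
    else:
        state = "meets" if version_meets_minimum(installed) else "is below"
        print(f"cryptography {installed} {state} the minimum "
              f"{MINIMUM_CRYPTOGRAPHY_VERSION}")

    # Constructed input: a step-2 slice of a bytes object is a non-contiguous
    # view whose logical contents are b"ace".
    strided = memoryview(b"abcdef")[::2]
    print("strided view contiguous:", is_c_contiguous(strided))
    print("digest through the guard:", safe_digest(strided))
    print("raw update rejected:", raw_update_rejects_noncontiguous(strided))
```

Run it as a script to see the environment's cryptography version judged against the 46.0.7 floor; the same `version_meets_minimum` check fits a CI step that fails the build when a pinned environment drifts below the requirement.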