From a15f19f0d913644037816ee8fdf8cab93fdfeed2 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 28 May 2026 07:48:46 +0000
Subject: [PATCH] fix: bump cryptography to 46.0.7 to address buffer overflow advisory

Addresses Dependabot alert #23: cryptography < 46.0.7 could read past the end of a buffer when a non-contiguous buffer was passed to APIs accepting Python buffers (e.g. Hash.update()). https://claude.ai/code/session_01217vzNmVWH7Ddt8jg7iHtc
---
 pyproject.toml | 6 +++---
 requirements.txt | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 79f2d06..ba9af80 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -44,10 +44,10 @@ dependencies = [
     # No upper bound - certificate bundle updates are backward compatible
     "certifi>=2024.12.14",
-    # cryptography: Minimum 46.0.5 includes fix for CVE-2026-26007 (elliptic curve subgroup validation)
-    # and earlier fixes for CVE-2024-26130 (NULL pointer dereference with pkcs12)
+    # cryptography: Minimum 46.0.7 includes fix for buffer overflow with non-contiguous buffers (GHSA),
+    # plus CVE-2026-26007 (elliptic curve subgroup validation) and CVE-2024-26130 (NULL pointer dereference with pkcs12)
     # No upper bound - follows SemVer, removing restrictive constraint to prevent dependency conflicts
-    "cryptography>=46.0.5",
+    "cryptography>=46.0.7",
     # packaging: Minimum 24.2 provides required version parsing functionality
     # No upper bound - stable API, backward compatible
diff --git a/requirements.txt b/requirements.txt
index 123cb3f..29fa118 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,7 +6,7 @@ aiohttp==3.13.4
 certifi==2026.2.25
-cryptography==46.0.6
+cryptography==46.0.7
 packaging==26.0
 pint==0.25.3; python_version > "3.10"
 pint==0.24.4; python_version <= "3.10"