chore(deps): update dependency cryptography to v46 [security]#1215
chore(deps): update dependency cryptography to v46 [security]#1215renovatebotcpg[bot] wants to merge 1 commit into
Conversation
PR Checklist ✅Have you checked the following?
Check all boxes before merging. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## dev #1215 +/- ##
=======================================
Coverage 83.21% 83.21%
=======================================
Files 216 216
Lines 18949 18949
=======================================
Hits 15768 15768
Misses 3181 3181 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
violetbrina
left a comment
There was a problem hiding this comment.
I don't think this issue relates to us but it's worth keeping an eye on since we've also moved to Python 3.14.
Currently passing our unittests so I think it's fine but probably should wait to merge until after the postgres-migration containing the 3.14 change.
@dancoates since you're often working on metamist I'm assuming you'd like eyes on the chore PRs as well? Or are you ok with anyone from ST merging in upgrading dependency PRs?
295cc1d to
df6d061
Compare
222ec60 to
c91e152
Compare
c91e152 to
be237d0
Compare
be237d0 to
f120868
Compare
fa4aa64 to
01ca384
Compare
2862f85 to
fde7a4a
Compare
fde7a4a to
12426e8
Compare
6f3e43c to
f1005e9
Compare
f1005e9 to
8b99953
Compare
8b99953 to
79cad62
Compare
This PR contains the following updates:
44.0.1→46.0.5cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
CVE-2026-26007 / GHSA-r6ph-v2qm-q3c2
More information
Details
Vulnerability Summary
The
public_key_from_numbers(orEllipticCurvePublicNumbers.public_key()),EllipticCurvePublicNumbers.public_key(),load_der_public_key()andload_pem_public_key()functions do not verify that the point belongs to the expected prime-order subgroup of the curve.This missing validation allows an attacker to provide a public key point
Pfrom a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret asS = [victim_private_key]Pvia ECDH, this leaks information aboutvictim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup.Only SECT curves are impacted by this.
Credit
This vulnerability was discovered by:
Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
pyca/cryptography (cryptography)
v46.0.5Compare Source
v46.0.4Compare Source
v46.0.3Compare Source
v46.0.2Compare Source
v46.0.1Compare Source
v46.0.0Compare Source
v45.0.7Compare Source
v45.0.6Compare Source
v45.0.5Compare Source
v45.0.4Compare Source
v45.0.3Compare Source
v45.0.2Compare Source
v45.0.1Compare Source
v45.0.0Compare Source
v44.0.3Compare Source
v44.0.2Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.