Skip to content

ROB-545 Bump cryptography 46.0.5 -> 46.0.7 (fix CVE-2026-39892)#24

Merged
Avi-Robusta merged 1 commit into
mainfrom
avi/rob-545-cve-2026-39892-bump-cryptography-4607
Jul 2, 2026
Merged

ROB-545 Bump cryptography 46.0.5 -> 46.0.7 (fix CVE-2026-39892)#24
Avi-Robusta merged 1 commit into
mainfrom
avi/rob-545-cve-2026-39892-bump-cryptography-4607

Conversation

@Avi-Robusta

Copy link
Copy Markdown
Contributor

What

Bump cryptography 46.0.546.0.7 in pyproject.toml and regenerate poetry.lock (only the cryptography entry + content-hash change).

Why

Vanta CVE scan (2026-07-01) flagged CVE-2026-39892 (GHSA-p423-j2cm-9vmq / PYSEC-2026-36) — MEDIUM — in the robusta-dev/robusta-cli image, SLA due 2026-07-08.

  • Buffer overflow when non-contiguous buffers are passed to cryptography APIs.
  • Affected range >= 45.0.0, < 46.0.7; the pin was 46.0.5.
  • Fixed in cryptography 46.0.7 (confirmed via OSV).

Verification

Poetry re-resolved cleanly to 46.0.7 (no other package versions changed). Post-merge, CI rebuilds the image and Vanta re-scans the patched SHA.

Linear: ROB-545

🤖 Generated with Claude Code

CVE-2026-39892 (GHSA-p423-j2cm-9vmq / PYSEC-2026-36, MEDIUM): buffer
overflow when non-contiguous buffers are passed to cryptography APIs.
Affected >=45.0.0,<46.0.7; robusta-cli pinned 46.0.5. Fixed in 46.0.7.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Avi-Robusta Avi-Robusta merged commit a64d775 into main Jul 2, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants