security: upgrade some package versions
This commit is contained in:
sangnn
@@ -0,0 +1,20 @@
|
||||
# Accepted vulnerabilities — reviewed, justified, and tracked.
|
||||
# Format: one CVE/GHSA ID per line. Re-evaluate each at the review date below.
|
||||
#
|
||||
# ---------------------------------------------------------------------------
|
||||
# cryptography is pinned to 43.0.3 because sshkey-tools 0.11.3 (SSH CA cert
|
||||
# signing) requires cryptography <44. The two findings below are only fixed in
|
||||
# cryptography >=44/48, which we cannot adopt until sshkey-tools relaxes its pin.
|
||||
#
|
||||
# Reviewed: 2026-06-23 | Next review: 2026-09-23
|
||||
# Action to remove: bump sshkey-tools to a release allowing cryptography>=48,
|
||||
# then set cryptography>=48.0.1 and delete these lines.
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
# SECT (binary-field) curve subgroup attack. Not reachable: Gatehouse uses only
|
||||
# RSA / NIST P-256 / Ed25519 (JWT, x509, SSH CA). No SECT curves anywhere.
|
||||
CVE-2026-26007
|
||||
|
||||
# Vulnerable OpenSSL statically bundled in the cryptography manylinux wheel.
|
||||
# Blocked by the same sshkey-tools <44 cap. Tracked for removal at next review.
|
||||
GHSA-537c-gmf6-5ccf
|
||||
Reference in New Issue
Block a user