security: upgrade some package versions
@@ -0,0 +1,20 @@
# Accepted vulnerabilities — reviewed, justified, and tracked.
# Format: one CVE/GHSA ID per line. Re-evaluate each at the review date below.
#
# ---------------------------------------------------------------------------
# cryptography is pinned to 43.0.3 because sshkey-tools 0.11.3 (SSH CA cert
# signing) requires cryptography <44. The two findings below are only fixed in
# cryptography >=44/48, which we cannot adopt until sshkey-tools relaxes its pin.
#
# Reviewed: 2026-06-23 | Next review: 2026-09-23
# Action to remove: bump sshkey-tools to a release allowing cryptography>=48,
# then set cryptography>=48.0.1 and delete these lines.
# ---------------------------------------------------------------------------
# SECT (binary-field) curve subgroup attack. Not reachable: Gatehouse uses only
# RSA / NIST P-256 / Ed25519 (JWT, x509, SSH CA). No SECT curves anywhere.
CVE-2026-26007
# Vulnerable OpenSSL statically bundled in the cryptography manylinux wheel.
# Blocked by the same sshkey-tools <44 cap. Tracked for removal at next review.
GHSA-537c-gmf6-5ccf
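Review bot: the second entry (GHSA-537c-gmf6-5ccf) carries no reachability or impact justification, unlike CVE-2026-26007 above it. A vulnerable OpenSSL statically bundled in the cryptography wheel is exercised by exactly the RSA / NIST P-256 / Ed25519 paths the header lists for JWT, x509 and SSH CA, so "Blocked by the same sshkey-tools <44 cap" explains why it cannot be fixed yet, not why accepting it is acceptable; please add which OpenSSL issue it wraps, whether those code paths hit it, and any compensating control, otherwise this line is an unreviewed suppression rather than an accepted risk. For CVE-2026-26007, "Gatehouse uses only RSA / NIST P-256 / Ed25519" covers keys Gatehouse generates; since SSH CA signing consumes externally supplied public keys and x509 handling may parse peer certificates, state that input key parsing is covered too. Two documentation points: "only fixed in cryptography >=44/48" should say which finding is fixed in which release, given the removal action pins to >=48.0.1; and the commit message ("upgrade some package versions") does not match this hunk, which bumps nothing and only adds an accepted-vulnerabilities file, so it should describe the suppression and name the scanner that consumes this file, which the "one CVE/GHSA ID per line" format comment leaves unstated.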