# Accepted vulnerabilities — reviewed, justified, and tracked.
# Format: one CVE/GHSA ID per line. Re-evaluate each at the review date below.
#
# ---------------------------------------------------------------------------
# cryptography is pinned to 43.0.3 because sshkey-tools 0.11.3 (SSH CA cert
# signing) requires cryptography <44. The two findings below are only fixed in
# cryptography >=44/48, which we cannot adopt until sshkey-tools relaxes its pin.
#
# Reviewed: 2026-06-23 | Next review: 2026-09-23
# Action to remove: bump sshkey-tools to a release allowing cryptography>=48,
# then set cryptography>=48.0.1 and delete these lines.
# ---------------------------------------------------------------------------
# SECT (binary-field) curve subgroup attack. Not reachable: Gatehouse uses only
# RSA / NIST P-256 / Ed25519 (JWT, x509, SSH CA). No SECT curves anywhere.
CVE-2026-26007
# Vulnerable OpenSSL statically bundled in the cryptography manylinux wheel.
# Blocked by the same sshkey-tools <44 cap. Tracked for removal at next review.
GHSA-537c-gmf6-5ccf
# ---------------------------------------------------------------------------
# Unfixable base-image OS packages (Debian slim). All are status "affected" or
# "fix_deferred" with NO fixed version available upstream — apt cannot patch
# them. They are deep base packages we cannot remove without breaking the image
# (perl/dpkg tooling, ncurses for terminal libs, sqlite via Python stdlib).
# None are reachable from the app's input paths (no Archive::Tar on untrusted
# input, no curl, sqlite3 stdlib unused with untrusted DB files).
#
# Reviewed: 2026-06-23 | Next review: 2026-09-23
# Strategic fix: migrate to a distroless / Chainguard Python base, which drops
# perl, ncurses tooling and sqlite entirely. Revisit then.
# ---------------------------------------------------------------------------
# perl-base (Archive::Tar / IO-Compress) — no fix available
CVE-2026-42496
CVE-2026-42497
CVE-2026-48962
CVE-2026-9538
CVE-2026-8376
# ncurses (libtinfo6 / libncursesw6 / ncurses-base / ncurses-bin) — no fix
CVE-2025-69720
# libsqlite3-0 — no fix
CVE-2026-11822
CVE-2026-11824
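An accepted-vulnerabilities list like this only stays honest if the "re-evaluate at the review date" rule is enforced rather than remembered. The checker below is an added example, not part of this file or the project: it parses the one-ID-per-line format, attaches each ID to the nearest `Next review:` date in the comments above it (the layout used here), and reports IDs whose date has arrived or that have no date at all, so a CI step can fail. The embedded sample text is constructed from IDs and dates in this file.

```python
"""Check an accepted-vulnerabilities file for entries whose review date has
passed. Added example, not part of the project; the sample below is constructed
from the IDs and dates in the file above."""
import re
import sys
from datetime import date

ID_RE = re.compile(r"^(?:CVE-\d{4}-\d{4,}|GHSA(?:-[a-z0-9]{4}){3})$")
REVIEW_RE = re.compile(r"Next review:\s*(\d{4}-\d{2}-\d{2})")

def parse_accepted(text):
    """Return [(vuln_id, next_review)], next_review a date or None. An ID is
    governed by the nearest '# ... Next review: YYYY-MM-DD' comment above it,
    matching the file's layout; a non-comment line that is not a CVE/GHSA id
    is an error, so a typo cannot silently suppress findings."""
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = REVIEW_RE.search(line)
            if m:
                current = date.fromisoformat(m.group(1))
            continue
        if not ID_RE.match(line):
            raise ValueError(f"line {lineno}: not a CVE/GHSA id: {line!r}")
        entries.append((line, current))
    return entries

def overdue(text, today=None):
    """IDs due for re-evaluation: review date reached, or no date recorded.
    `today` is an ISO date string; defaults to the current date."""
    today = date.fromisoformat(today) if today else date.today()
    return [vid for vid, due in parse_accepted(text) if due is None or due <= today]

# Constructed sample: the first ID has no review date above it.
SAMPLE = """\
# Accepted vulnerabilities -- reviewed, justified, and tracked.
CVE-2026-11822
# Reviewed: 2026-06-23 | Next review: 2026-09-23
CVE-2026-26007
GHSA-537c-gmf6-5ccf
"""

if __name__ == "__main__":  # usage: python check_accepted.py [path]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    stale = overdue(text)
    print("re-evaluate:", ", ".join(stale) if stale else "none")
    sys.exit(1 if stale else 0)
```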