NIXPKGS-2026-0907

GitHub issue published on

Permalink CVE-2026-34073

updated 1 week ago by @LeSuisse Activity log

Created automatic suggestion 1 week ago
@LeSuisse removed package python312Packages.django-cryptography 1 week ago
@LeSuisse removed package python313Packages.django-cryptography 1 week ago
@LeSuisse removed package python314Packages.django-cryptography 1 week ago
@LeSuisse removed package python312Packages.mypy-boto3-payment-cryptography 1 week ago
@LeSuisse removed package python313Packages.mypy-boto3-payment-cryptography 1 week ago
@LeSuisse removed package python314Packages.mypy-boto3-payment-cryptography 1 week ago
@LeSuisse removed package python312Packages.mypy-boto3-payment-cryptography-data 1 week ago
@LeSuisse removed package python313Packages.mypy-boto3-payment-cryptography-data 1 week ago
@LeSuisse removed package python314Packages.mypy-boto3-payment-cryptography-data 1 week ago
@LeSuisse removed package python312Packages.types-aiobotocore-payment-cryptography 1 week ago
@LeSuisse removed package python313Packages.types-aiobotocore-payment-cryptography 1 week ago
@LeSuisse removed package python312Packages.types-aiobotocore-payment-cryptography-data 1 week ago
@LeSuisse removed package python314Packages.cryptography 1 week ago
@LeSuisse removed package python313Packages.types-aiobotocore-payment-cryptography-data 1 week ago
@LeSuisse added package python314Packages.cryptography 1 week ago
@LeSuisse removed
2 maintainers
- @SuperSandro2000
- @mdaniels5757
1 week ago
@LeSuisse accepted 1 week ago
@LeSuisse published on GitHub 1 week ago

cryptography has incomplete DNS name constraint enforcement on peer names

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.

References

https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43 x_refsource_CONFIRM

Affected products

cryptography

==< 46.0.6

Matching in nixpkgs

pkgs.python312Packages.cryptography

Package which provides cryptographic recipes and primitives

nixos-25.11 46.0.5
- nixos-25.11-small 46.0.5
- nixpkgs-25.11-darwin 46.0.5

pkgs.python313Packages.cryptography

Package which provides cryptographic recipes and primitives

nixos-unstable 46.0.5
- nixpkgs-unstable 46.0.5
- nixos-unstable-small 46.0.5
nixos-25.11 46.0.5
- nixos-25.11-small 46.0.5
- nixpkgs-25.11-darwin 46.0.5

pkgs.python314Packages.cryptography

Package which provides cryptographic recipes and primitives

nixos-unstable 46.0.5
- nixpkgs-unstable 46.0.5
- nixos-unstable-small 46.0.5

Package maintainers

Ignored maintainers (2)

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@mdaniels5757 Michael Daniels <nix@mdaniels.me>

https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0907

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.cryptography

pkgs.python313Packages.cryptography

pkgs.python314Packages.cryptography

Package maintainers