From 367344b1fdbde7a8e27b2bbad348e1ca929b85f2 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 15 Feb 2026 08:19:25 +0000
Subject: [PATCH] Fix CVE-2026-23490: upgrade pyasn1 to 0.6.2

Upgrade pyasn1 from 0.5.1 to 0.6.2 to fix a high severity DoS vulnerability (CVSS 7.5) in the ASN.1 RELATIVE-OID decoder that allows memory exhaustion via malformed continuation octets. Also upgrade pyasn1-modules from 0.3.0 to 0.4.2 for compatibility, and pin pyasn1>=0.6.2 in enforcer/requirements.txt to ensure the krr-enforcer image uses the patched version.

https://claude.ai/code/session_01AMHRZh1eLroZdepVJYBDEw
---
 enforcer/requirements.txt | 1 +
 poetry.lock | 18 +++++++++---------
 requirements.txt | 4 ++--
 3 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/enforcer/requirements.txt b/enforcer/requirements.txt
index b6e03edb..c6c5d897 100644
--- a/enforcer/requirements.txt
+++ b/enforcer/requirements.txt
@@ -6,4 +6,5 @@ PyYAML==6.0.1
 cachetools==5.3.3
 prometheus-client==0.20.0
 kubernetes==26.1.0
+pyasn1>=0.6.2
 urllib3==2.6.2
diff --git a/poetry.lock b/poetry.lock
index d8151b48..67bd67be 100644
--- a/poetry.lock
+++ b/poetry.lock
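Review bot: The added `pyasn1>=0.6.2` is the only floor-only requirement in enforcer/requirements.txt; every surrounding line (PyYAML, cachetools, prometheus-client, kubernetes, urllib3) is `==`-pinned, so the enforcer image build is no longer reproducible and may silently pick up a future pyasn1 release that was never tested against kubernetes==26.1.0. Pin it exactly as the root requirements.txt hunk in this same commit does: `pyasn1==0.6.2`. pyasn1 appears to be only a transitive dependency in this file, presumably reached via kubernetes; if so, pyasn1-modules is also unconstrained here, and the poetry.lock hunk shows that the 0.3.x series caps pyasn1 at `<0.6.0`, so adding `pyasn1-modules==0.4.2` alongside the pin removes a resolver conflict that would otherwise only be reconciled at build time. Note also that the commit message calls this a "pin" while the line is a lower bound.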
@@ -1189,30 +1189,30 @@ zipp = ">=3.20.1,<4.0.0"
 
 [[package]]
 name = "pyasn1"
-version = "0.5.1"
+version = "0.6.2"
 description = "Pure-Python implementation of ASN.1 types and DER/BER/CER codecs (X.208)"
 optional = false
-python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,>=2.7"
+python-versions = ">=3.8"
 groups = ["main"]
 files = [
- {file = "pyasn1-0.5.1-py2.py3-none-any.whl", hash = "sha256:4439847c58d40b1d0a573d07e3856e95333f1976294494c325775aeca506eb58"},
- {file = "pyasn1-0.5.1.tar.gz", hash = "sha256:6d391a96e59b23130a5cfa74d6fd7f388dbbe26cc8f1edf39fdddf08d9d6676c"},
+ {file = "pyasn1-0.6.2-py3-none-any.whl", hash = "sha256:1eb26d860996a18e9b6ed05e7aae0e9fc21619fcee6af91cca9bad4fbea224bf"},
+ {file = "pyasn1-0.6.2.tar.gz", hash = "sha256:9b59a2b25ba7e4f8197db7686c09fb33e658b98339fadb826e9512629017833b"},
 ]
 
 [[package]]
 name = "pyasn1-modules"
-version = "0.3.0"
+version = "0.4.2"
 description = "A collection of ASN.1-based protocols modules"
 optional = false
-python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,>=2.7"
+python-versions = ">=3.8"
 groups = ["main"]
 files = [
- {file = "pyasn1_modules-0.3.0-py2.py3-none-any.whl", hash = "sha256:d3ccd6ed470d9ffbc716be08bd90efbd44d0734bc9303818f7336070984a162d"},
- {file = "pyasn1_modules-0.3.0.tar.gz", hash = "sha256:5bd01446b736eb9d31512a30d46c1ac3395d676c6f3cafa4c03eb54b9925631c"},
+ {file = "pyasn1_modules-0.4.2-py3-none-any.whl", hash = "sha256:29253a9207ce32b64c3ac6600edc75368f98473906e8fd1043bd6b5b1de2c14a"},
+ {file = "pyasn1_modules-0.4.2.tar.gz", hash = "sha256:677091de870a80aae844b1ca6134f54652fa2c8c5a52aa396440ac3106e941e6"},
 ]
 
 [package.dependencies]
-pyasn1 = ">=0.4.6,<0.6.0"
+pyasn1 = ">=0.6.1,<0.7.0"
 
 [[package]]
 name = "pycodestyle"
diff --git a/requirements.txt b/requirements.txt
index 529b7787..72434733 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -27,8 +27,8 @@ pandas==2.2.2 ; python_version >= "3.10" and python_full_version < "3.13"
 pillow==10.3.0 ; python_version >= "3.10" and python_full_version < "3.13"
 prometheus-api-client==0.5.3 ; python_version >= "3.10" and python_full_version < "3.13"
 prometrix==0.2.9 ; python_version >= "3.10" and python_full_version < "3.13"
-pyasn1-modules==0.3.0 ; python_version >= "3.10" and python_full_version < "3.13"
-pyasn1==0.5.1 ; python_version >= "3.10" and python_full_version < "3.13"
+pyasn1-modules==0.4.2 ; python_version >= "3.10" and python_full_version < "3.13"
+pyasn1==0.6.2 ; python_version >= "3.10" and python_full_version < "3.13"
 pydantic==1.10.15 ; python_version >= "3.10" and python_full_version < "3.13"
 pygments==2.17.2 ; python_version >= "3.10" and python_full_version < "3.13"
 pyparsing==3.1.2 ; python_version >= "3.10" and python_full_version < "3.13"