fix(security): update OSS dependencies to remediate 3 high-severity CVEs#737

Merged
johntmyers merged 1 commit into main from fix/oss-vuln-remediation/jm
Apr 2, 2026
Conversation

@johntmyers
Collaborator

Summary

Update three OSS dependencies flagged in the April 1, 2026 Security Tracker to their patched versions. All three are lockfile-only changes with no source code modifications.

Changes

tar 0.4.44 -> 0.4.45 (Rust)

  • CVE-2026-33055 (High): tar-rs versions <= 0.4.44 have conditional logic that skips the PAX size header when the base header size is nonzero, enabling potential archive manipulation.
  • Dep chain: openshell-bootstrap, openshell-cli -> tar

aws-lc-rs 1.16.1 -> 1.16.2 / aws-lc-sys 0.38.0 -> 0.39.1 (Rust)

  • BDSA-2026-5232 (High): AWS-LC name constraints bypass due to improper certificate validation, allowing wildcard or raw UTF-8 Unicode certificates to bypass constraints.
  • Dep chain: openshell-sandbox, openshell-server -> russh -> aws-lc-rs -> aws-lc-sys

Pygments 2.19.2 -> 2.20.0 (Python)

  • BDSA-2026-5113 / CVE-2026-4539 (High): Catastrophic regex backtracking in AdlLexer (lexers/archetype.py), enabling remote DoS via crafted input.
  • Dep chain: transitive dev dependency via sphinx / accessible-pygments

Testing

  • mise run pre-commit passes
  • mise run test passes
  • cargo build succeeds (verifies Rust lockfile is valid)
  • uv sync succeeds (verifies Python lockfile is valid)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

- tar 0.4.44 -> 0.4.45 (CVE-2026-33055: PAX size header skip)
- aws-lc-rs 1.16.1 -> 1.16.2 / aws-lc-sys 0.38.0 -> 0.39.1
  (BDSA-2026-5232: name constraints bypass in certificate validation)
- Pygments 2.19.2 -> 2.20.0
  (BDSA-2026-5113 / CVE-2026-4539: catastrophic regex backtracking)
@johntmyers johntmyers requested a review from a team as a code owner April 2, 2026 16:57
@johntmyers johntmyers added the topic:security Security issues label Apr 2, 2026
@johntmyers johntmyers self-assigned this Apr 2, 2026
@johntmyers johntmyers added the test:e2e Requires end-to-end coverage label Apr 2, 2026
@johntmyers johntmyers merged commit b56f830 into main Apr 2, 2026
17 of 18 checks passed
@johntmyers johntmyers deleted the fix/oss-vuln-remediation/jm branch April 2, 2026 19:55