# Security Patch Release
This release addresses 38 open Dependabot security alerts by upgrading 15 Python packages to their patched versions.
## What's Changed

### Security Fixes

| Package | Old Version | New Version | Severity |
|---|---|---|---|
| h11 | 0.14.0 | 0.16.0 | CRITICAL |
| pillow | 11.0.0 | 12.1.1 | HIGH |
| cryptography | 46.0.1 | 46.0.5 | HIGH |
| protobuf | 5.29.2 | 6.33.5 | HIGH |
| python-multipart | 0.0.20 | 0.0.22 | HIGH |
| pyasn1 | 0.6.1 | 0.6.2 | HIGH |
| urllib3 | 2.3.0 | 2.6.3 | HIGH |
| aiohttp | 3.12.14 | 3.13.3 | HIGH/LOW |
| starlette | 0.41.3 | 0.52.1 | HIGH |
| fastapi | 0.115.6 | 0.129.2 | n/a (upgraded to satisfy the new starlette dependency constraint) |
| authlib | 1.6.4 | 1.6.8 | HIGH/MEDIUM |
| setuptools | 75.6.0 | 82.0.0 | HIGH |
| filelock | 3.16.1 | 3.24.3 | MEDIUM |
| requests | 2.32.3 | 2.32.5 | MEDIUM |
| jinja2 | 3.1.5 | 3.1.6 | MEDIUM |

### Vulnerability Details

Each entry lists the first version in which the issue is fixed:

- h11 >= 0.16.0: Malformed chunked-encoding bypass (CRITICAL)
- aiohttp >= 3.13.3: CRLF injection, path traversal, multiple CVEs
- urllib3 >= 2.6.3: Decompression bomb DoS
- starlette >= 0.49.1: DoS via Range header
- authlib >= 1.6.5: DoS + account takeover via JWT
- cryptography >= 46.0.5: Subgroup attack on DSA/DH
- pillow >= 12.1.1: OOB write in image processing
- protobuf >= 5.29.6: JSON recursion DoS
- python-multipart >= 0.0.22: Arbitrary file write
- pyasn1 >= 0.6.2: DoS in DER/BER decoder
- setuptools >= 78.1.1: Path traversal via crafted wheel
- filelock >= 3.20.3: TOCTOU symlink attack
- requests >= 2.32.4: .netrc credential leak
- Jinja2 >= 3.1.6: Sandbox breakout
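A quick way to confirm that an environment actually satisfies the minimum patched versions listed above (rather than just trusting the lockfile) is to compare installed distributions against those floors. The script below is an added example, not part of this release or the project's code; the version floors are copied from the list above, the function names (`audit`, `version_ok`, `installed_versions`) are my own, and the sample `installed` dict is constructed for illustration.

```python
"""Audit installed Python packages against the minimum patched versions above."""
from importlib import metadata

# Minimum fixed versions, copied from the "Vulnerability Details" list.
MIN_FIXED = {
    "h11": "0.16.0",
    "aiohttp": "3.13.3",
    "urllib3": "2.6.3",
    "starlette": "0.49.1",
    "authlib": "1.6.5",
    "cryptography": "46.0.5",
    "pillow": "12.1.1",
    "protobuf": "5.29.6",
    "python-multipart": "0.0.22",
    "pyasn1": "0.6.2",
    "setuptools": "78.1.1",
    "filelock": "3.20.3",
    "requests": "2.32.4",
    "jinja2": "3.1.6",
}


def parse_version(text):
    """Turn '2.32.4' into (2, 32, 4); non-numeric suffixes such as 'rc1' are ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_ok(installed, minimum):
    """True when installed >= minimum, padding shorter tuples with zeros."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def audit(installed, minimums=MIN_FIXED):
    """Return {package: (installed_version, minimum)} for every package still
    below its patched version. Packages that are not installed are skipped,
    since an absent dependency is not exposed to the vulnerability."""
    findings = {}
    for name, have in installed.items():
        floor = minimums.get(name.lower())
        if floor is not None and not version_ok(have, floor):
            findings[name.lower()] = (have, floor)
    return findings


def installed_versions(names):
    """Look up the installed version of each distribution name (hypothetical helper)."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue  # not installed in this environment
    return found


if __name__ == "__main__":
    # Constructed sample: a mixed environment, not real output from this repository.
    sample = {"h11": "0.14.0", "urllib3": "2.6.3", "Pillow": "12.1.1", "pyasn1": "0.6.1"}
    for pkg, (have, need) in sorted(audit(sample).items()):
        print(f"{pkg}: installed {have}, needs >= {need}")
    # To check the live environment instead:
    # for pkg, (have, need) in audit(installed_versions(MIN_FIXED)).items(): ...
```

Running this against a real environment with `audit(installed_versions(MIN_FIXED))` gives a short list of anything still below its fix version; the comparison is deliberately simple (numeric dotted versions only), which is sufficient for every version on this page but not a substitute for a full PEP 440 parser.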

### Notes

- ecdsa and PyPDF2 have no fix available and were skipped
- No npm packages found in the repository

**Full Changelog**: v10.17.4...v10.17.5