
bump pyOpenSSL and snowflake-connector-python versions #7783

Merged: eastandwestwind merged 3 commits into main from ENG-3020 on Mar 30, 2026


Conversation

@eastandwestwind eastandwestwind (Contributor) commented Mar 30, 2026

Ticket https://ethyca.atlassian.net/browse/ENG-3020

Description Of Changes

Bumps pyOpenSSL to 26.0.0 to fix CVE-2026-27459 (High) and CVE-2026-27448 (Low). Bumps snowflake-connector-python to 4.4.0 for compatibility, since 4.3.x capped pyOpenSSL below 26. Neither vulnerable callback API is used in fides or fidesplus, so practical risk is very low.

CVEs:

GHSA-5pwr-322w-8jr4 (High) — DTLS cookie callback buffer overflow
GHSA-vp96-hxj8-p424 (Low) — TLS connection bypass via unhandled callback exception

Code Changes

  • Bumped pyOpenSSL~=25.3.0 → pyOpenSSL~=26.0.0 in pyproject.toml
  • Bumped snowflake-connector-python~=4.3.0 → snowflake-connector-python~=4.4.0 in pyproject.toml for compatibility with pyOpenSSL 26.x

Steps to Confirm

  1. Verify CI passes
  2. Confirm fides server start-up is successful

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a db-migration label (indicates that a change includes a database migration) to the entry if your change includes a DB migration
    • Add a high-risk label (suggests changes that have a high probability of breaking existing code) to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • All UX related changes have been reviewed by a designer
    • No UX review needed
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
      • If a downgrade migration is not possible for this change, please call this out in the PR description!
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required

@vercel vercel bot commented Mar 30, 2026

The latest updates on your projects.

2 Skipped Deployments
Project | Deployment | Actions | Updated (UTC)
fides-plus-nightly | Ignored | Ignored Preview | Mar 30, 2026 1:52pm
fides-privacy-center | Ignored | Ignored | Mar 30, 2026 1:52pm

@github-actions github-actions bot commented Mar 30, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 2e27e8c.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

  • uv.lock

@claude claude bot left a comment

Code Review

This is a minimal, well-scoped security patch. No critical issues found.

Summary

The two-line change in pyproject.toml correctly addresses two pyOpenSSL CVEs (one High, one Low) by bumping to pyOpenSSL~=26.0.0 and pulling snowflake-connector-python up to ~=4.4.0 to unblock the pyOpenSSL upper-bound that 4.3.x enforced.

Compatibility check passes:

  • pyOpenSSL 26.x requires cryptography>=44.0.0; the existing cryptography~=46.0.5 pin satisfies that with room to spare.
  • No direct import OpenSSL usage exists anywhere in the fides Python source — pyOpenSSL is consumed only transitively, so no API-level breakage is possible from this side of the code.
  • The ~=26.0.0 compatible-release specifier (>=26.0.0, <26.1) follows the same pinning pattern already used throughout pyproject.toml, which is appropriate for security patches.

Suggestions

  • The PR description mentions "Neither vulnerable callback API is used in fides or fidesplus" — it would be worth a brief note confirming the same for the Snowflake connector, since that connector does do more complex SSL/TLS negotiation. A quick grep of src/fides/api/service/connectors/snowflake_connector.py for any custom SSL callback usage before merge would close that loop. (Low priority — the snowflake-connector-python library encapsulates this internally, so fides code is very unlikely to be affected.)

Nice to Have

  • The CHANGELOG.md checklist item is unchecked. If the team convention requires an entry for security dependency bumps, it's worth adding one before merge to maintain release note completeness.

Overall this is a clean, low-risk security fix. ✓
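The review above asserts that fides has no direct import of OpenSSL and suggests grepping the Snowflake connector for custom SSL callback usage before merge; the PR description makes the matching claim that neither vulnerable callback API is used. The scanner below is an added example, not code from fides or fidesplus, of how to back such a claim with evidence rather than a grep: it parses each module with ast, reports every import of the OpenSSL package, and in any module that does import it lists every attribute name containing "callback" for a reviewer to inspect. The sample modules are constructed for the example; the attribute names in them are only strings being parsed and say nothing about which pyOpenSSL API the advisories concern.

```python
"""Heuristic scan for direct pyOpenSSL usage in a Python source tree.

Added example, not fides code. Reports OpenSSL imports and, in modules that
import OpenSSL, attribute names containing "callback". Sample inputs below are
constructed for the example.
"""
from __future__ import annotations

import ast
from pathlib import Path


def _is_openssl(modname: str | None) -> bool:
    return modname is not None and (modname == "OpenSSL" or modname.startswith("OpenSSL."))


def scan_source(src: str, filename: str = "<string>") -> dict:
    """Parse one module and collect OpenSSL imports plus callback-named attributes."""
    tree = ast.parse(src, filename=filename)
    imports: list[tuple[int, str]] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _is_openssl(alias.name):
                    imports.append((node.lineno, alias.name))
        elif isinstance(node, ast.ImportFrom):
            # level > 0 is a relative import of a local package, not pyOpenSSL
            if node.level == 0 and _is_openssl(node.module):
                imports.append((node.lineno, node.module))
    callbacks: list[tuple[int, str]] = []
    if imports:
        # Only worth reviewing in modules that actually touch OpenSSL
        for node in ast.walk(tree):
            if isinstance(node, ast.Attribute) and "callback" in node.attr:
                callbacks.append((node.lineno, node.attr))
    return {"file": filename, "openssl_imports": imports, "callback_attrs": callbacks}


def scan_tree(root: str | Path) -> list[dict]:
    """Scan every .py file under root; return only modules that import OpenSSL."""
    results = []
    for path in sorted(Path(root).rglob("*.py")):
        report = scan_source(path.read_text(encoding="utf-8"), str(path))
        if report["openssl_imports"]:
            results.append(report)
    return results


# Constructed sample modules (not real fides files). The second one imports
# pyOpenSSL and registers a callback so the scanner has something to report.
SAMPLES = {
    "clean.py": "import ssl\nfrom snowflake import connector\n",
    "tls_server.py": (
        "from OpenSSL import SSL\n"
        "ctx = SSL.Context(SSL.TLS_SERVER_METHOD)\n"
        "ctx.set_info_callback(lambda conn, where, ret: None)\n"
    ),
}


def scan_samples() -> list[dict]:
    """Scan the constructed samples; only modules importing OpenSSL are returned."""
    reports = [scan_source(src, name) for name, src in SAMPLES.items()]
    return [r for r in reports if r["openssl_imports"]]


if __name__ == "__main__":
    for report in scan_samples():
        print(report["file"])
        for lineno, mod in report["openssl_imports"]:
            print(f"  import of {mod} at line {lineno}")
        for lineno, attr in report["callback_attrs"]:
            print(f"  callback-named attribute .{attr} at line {lineno}")
```

Run `scan_tree("src/fides")` on the real checkout to reproduce the review's "no direct import OpenSSL" check; an empty list is the expected result. Because the scan is per module, an OpenSSL object handed across module boundaries under another name would not be followed, so treat a clean result as strong evidence, not proof.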
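Both the PR description (snowflake-connector-python 4.3.x capped pyOpenSSL below 26, which is why it had to move to 4.4.0) and the review's compatibility check (the `~=26.0.0` specifier means `>=26.0.0, <26.1`; pyOpenSSL 26.x needs `cryptography>=44.0.0`, satisfied by `~=46.0.5`) reason about version specifiers. The following is an added example, not code from the fides repository, that makes that reasoning executable: a small PEP 440 compatible-release evaluator plus a conflict check over the pins described in the thread. The transitive requirements are modelled from the thread's statements and are assumptions, not parsed from real package metadata; only plain dotted-integer release versions are handled.

```python
"""Check that the pinned versions in this PR resolve without conflict.

Added example, not code from fides. "~=X.Y.Z" is the PEP 440 compatible-release
operator, equivalent to ">=X.Y.Z, ==X.Y.*". Transitive requirements below are
assumptions taken from the thread, not real package metadata.
"""
from __future__ import annotations


def parse_version(text: str) -> tuple[int, ...]:
    return tuple(int(part) for part in text.strip().split("."))


def _padded(a: tuple[int, ...], b: tuple[int, ...]):
    # PEP 440 treats 26.0 and 26.0.0 as equal, so pad the shorter with zeros.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def compatible_release_bounds(text: str) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Bounds of '~=X.Y.Z': lower inclusive X.Y.Z, upper exclusive X.(Y+1)."""
    parts = parse_version(text)
    if len(parts) < 2:
        raise ValueError("~= requires at least two release segments")
    return parts, parts[:-2] + (parts[-2] + 1,)


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause of `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause:
            continue
        if clause.startswith("~="):
            lower, upper = compatible_release_bounds(clause[2:])
            a, lo = _padded(v, lower)
            b, hi = _padded(v, upper)
            ok = a >= lo and b < hi
        else:
            for op in (">=", "<=", "==", "!=", ">", "<"):  # two-char ops first
                if clause.startswith(op):
                    a, t = _padded(v, parse_version(clause[len(op):]))
                    ok = {">=": a >= t, "<=": a <= t, "==": a == t,
                          "!=": a != t, ">": a > t, "<": a < t}[op]
                    break
            else:
                raise ValueError(f"unsupported specifier: {clause}")
        if not ok:
            return False
    return True


def transitive_requirements(name: str, version: str) -> dict[str, str]:
    """Assumed transitive constraints, modelled from the PR thread's statements."""
    v = parse_version(version)
    if name == "snowflake-connector-python" and v[:2] == (4, 3):
        return {"pyOpenSSL": "<26"}          # 4.3.x caps pyOpenSSL below 26
    if name == "pyOpenSSL" and v[0] >= 26:
        return {"cryptography": ">=44.0.0"}  # per the review comment
    return {}


def check_resolution(pins: dict[str, str], chosen: dict[str, str]) -> list[str]:
    """Return every direct-pin or transitive violation for a candidate resolution."""
    problems = []
    for name, spec in pins.items():
        if not satisfies(chosen[name], spec):
            problems.append(f"{name}=={chosen[name]} violates direct pin {spec}")
    for name, version in chosen.items():
        for dep, spec in transitive_requirements(name, version).items():
            if not satisfies(chosen[dep], spec):
                problems.append(f"{name}=={version} requires {dep}{spec}, got {chosen[dep]}")
    return problems


# Direct pins in pyproject.toml before and after the PR, as described in the thread.
PINS_BEFORE = {"pyOpenSSL": "~=25.3.0", "snowflake-connector-python": "~=4.3.0", "cryptography": "~=46.0.5"}
PINS_AFTER = {"pyOpenSSL": "~=26.0.0", "snowflake-connector-python": "~=4.4.0", "cryptography": "~=46.0.5"}
# Candidate resolutions: the first pyOpenSSL carrying the fixes, with each snowflake line.
FIXED_WITH_OLD_SNOWFLAKE = {"pyOpenSSL": "26.0.0", "snowflake-connector-python": "4.3.0", "cryptography": "46.0.5"}
FIXED_WITH_NEW_SNOWFLAKE = {"pyOpenSSL": "26.0.0", "snowflake-connector-python": "4.4.0", "cryptography": "46.0.5"}


if __name__ == "__main__":
    print("~=26.0.0 bounds:", compatible_release_bounds("26.0.0"))
    print("before:", check_resolution(PINS_BEFORE, FIXED_WITH_OLD_SNOWFLAKE) or "ok")
    print("after: ", check_resolution(PINS_AFTER, FIXED_WITH_NEW_SNOWFLAKE) or "ok")
```

In a real project use `packaging.specifiers.SpecifierSet` rather than this hand-rolled evaluator; the point here is to see that the old snowflake pin fails twice (the direct `~=25.3.0` pin and the transitive `<26` cap) and that the bumped pins resolve cleanly. Note also that `~=26.0.0` admits 26.0.x patch releases only, so a later 26.1.0 would need another explicit bump.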

@eastandwestwind eastandwestwind added this pull request to the merge queue Mar 30, 2026
Merged via the queue into main with commit bd72eba Mar 30, 2026
59 checks passed
@eastandwestwind eastandwestwind deleted the ENG-3020 branch March 30, 2026 15:59