Security update for ADC in requirements.txt


Nathan du Buy

Apr 3, 2026, 10:02:18 AM
to adc-ar...@googlegroups.com

Hello,

I will roll out a simple security update for ADC in the form of a change to requirements.txt; this is due to a vulnerability in the Cryptography library for Python.

Full summary of vulnerability:

-------------------------------------------------------------

Summary

In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com.

This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.

In practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.

See CVE-2025-61727 for a similar bypass in Go's crypto/x509.

Remediation

Users should upgrade to 46.0.6 or newer.

Attribution

Reporter: @1seal

-------------------------------------------------------------

Source code archives will be updated in a few weeks; until then you need to manually install a version above v46.0.5 if you plan to build ADC.

--
Nathan du Buy
Open Source Developer

OpenPGP fingerprint
02D7 2154 D625 B937 CCA7 4FD2 3133 1ED9 0BDC 8954

Web
mealman1551.github.io
nathandubuy.pages.dev
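To make the gap in the quoted advisory concrete, the following is an added example (not code from ADC or from the cryptography library) that models RFC 5280 DNS name-constraint matching and RFC 9525 hostname matching in pure Python. It contrasts a SAN-only constraint check, the pre-46.0.5 behaviour as the advisory describes it, with a check that also subjects the peer name to the constraints. The scenario (a CA that excludes bar.example.com, a leaf with a wildcard SAN for *.example.com) is the one the advisory gives; the function and class names are the example's own, and the model deliberately ignores the rest of path validation (signatures, validity periods, other name types).

```python
"""Model of the DNS name-constraint gap described in the cryptography advisory.

Added example, not ADC or cryptography project code. Pure stdlib; it models
the constraint logic only and performs no certificate parsing.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10 DNS constraint: `name` is in `subtree` when it equals
    the subtree or can be formed by adding labels on the left.
    Case-insensitive; a trailing dot is ignored."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


@dataclass
class NameConstraints:
    """DNS permitted/excluded subtrees of an issuing CA (constructed)."""
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)

    def allows(self, name: str) -> bool:
        """True if `name` is in no excluded subtree and, when a permitted
        list is present, in at least one permitted subtree."""
        if any(dns_in_subtree(name, s) for s in self.excluded):
            return False
        if self.permitted:
            return any(dns_in_subtree(name, s) for s in self.permitted)
        return True


def peer_matches_san(peer: str, san: str) -> bool:
    """RFC 9525 style matching: exact match, or a single '*' as the whole
    left-most label of the SAN matching exactly one label of the peer name."""
    peer, san = peer.lower().rstrip("."), san.lower().rstrip(".")
    if san == peer:
        return True
    if san.startswith("*."):
        p_labels, s_labels = peer.split("."), san.split(".")
        return len(p_labels) == len(s_labels) and p_labels[1:] == s_labels[1:]
    return False


def validate_san_only(peer: str, leaf_sans: list[str], nc: NameConstraints) -> bool:
    """Pre-fix model: constraints are applied to the leaf's SANs only, then
    the peer name is matched against those SANs. Returns True if accepted."""
    if not all(nc.allows(san) for san in leaf_sans):
        return False
    return any(peer_matches_san(peer, san) for san in leaf_sans)


def validate_with_peer_name(peer: str, leaf_sans: list[str], nc: NameConstraints) -> bool:
    """Fixed model: additionally reject when the peer name itself would be
    rejected by the constraints if it were a SAN (the conservative rule the
    advisory describes)."""
    if not nc.allows(peer):
        return False
    return validate_san_only(peer, leaf_sans, nc)


# Constructed scenario from the advisory: the issuing CA permits example.com
# but excludes bar.example.com; the leaf carries a wildcard SAN.
CA_CONSTRAINTS = NameConstraints(permitted=["example.com"], excluded=["bar.example.com"])
LEAF_SANS = ["*.example.com"]


def demo() -> dict[str, bool]:
    """Run the three cases of interest and return the verdicts."""
    return {
        # The wildcard SAN is not inside the excluded subtree, so a SAN-only
        # check passes, and the peer name then matches the wildcard: bypass.
        "san_only_bar": validate_san_only("bar.example.com", LEAF_SANS, CA_CONSTRAINTS),
        # Checking the peer name against the constraints closes the gap.
        "fixed_bar": validate_with_peer_name("bar.example.com", LEAF_SANS, CA_CONSTRAINTS),
        # A peer name outside the excluded subtree is still accepted.
        "fixed_foo": validate_with_peer_name("foo.example.com", LEAF_SANS, CA_CONSTRAINTS),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'accepted' if verdict else 'rejected'}")
```

The SAN-only path accepts bar.example.com because the literal SAN string `*.example.com` neither equals nor sits below `bar.example.com`, so the excluded subtree never fires; only when the peer name is itself run through `allows()` does the constraint take effect. Note that a leaf whose SAN is literally `www.bar.example.com` is rejected by both paths, which is why the bypass needs the wildcard.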

Nathan du Buy

Apr 3, 2026, 1:49:43 PM
to adc-ar...@googlegroups.com

Currently working on new update (ADC 1.4.5) that uses the new cryptography.

Updating is taking a long time due to some problems.

I will keep updating on this thread!

On 3-4-2026 at 16:01, Nathan du Buy wrote:

Nathan du Buy

Apr 4, 2026, 2:04:05 PM
to adc-ar...@googlegroups.com

Security update fully rolled out:

https://mealman1551.github.io/adc.html#downloads

~Mealman1551

On 3-4-2026 at 19:49, Nathan du Buy wrote: